The Aadhaar-enabled Payment System (AePS) is an Indian initiative designed to facilitate accessible financial transactions for socio-economically marginalized groups. Following its implementation, however, the system has recently become a target of cybercriminals who exploit its vulnerabilities to gain unauthorized access to users’ bank accounts. These scams primarily involve leaked biometric details used to override One Time Passwords (OTPs), leading to illegal extraction of funds.
About the AePS
The AePS is a National Payments Corporation of India (NPCI) project that allows for online interoperable financial transactions via any bank’s Business Correspondent (BC) using the customer’s Aadhaar-authenticated details. It negates the need for OTPs or specific bank account information, with transactions requiring only the name of the bank, the Aadhaar number, and a fingerprint taken during Aadhaar enrollment.
Pros and Cons of AePS
The AePS offers several benefits, such as deepening social security and enabling interoperability among different banks and financial institutions. However, it has notable drawbacks. Both the Unique Identification Authority of India (UIDAI) and NPCI do not clearly indicate if AePS is automatically enabled.
Techniques Used to Exploit AePS
There are various methods used by cybercriminals to exploit AePS. Some use stolen biometric information to operate devices without needing two-factor authentication or OTPs, while others use silicone thumbs to trick biometric devices into approving fraudulent transactions. Additionally, some victims do not receive any transaction alerts from their banks, leaving them unaware of the unauthorized activities until they notice discrepancies in their bank balance.
Steps to Prevent AePS Frauds
Several measures can help secure one’s AePS transactions. The UIDAI suggests an amendment to the Aadhaar (Sharing of Information) Regulations, 2016, which would require entities with possession of an Aadhaar number to not disclose details unless the numbers are redacted or blacked out. Users can also lock their Aadhaar information using the UIDAI website or mobile app to prevent unauthorized use of biometric data.
Challenges Faced While Using AePS
While the AePS brings a range of benefits, it also presents various challenges. Many customers lack awareness of the system’s features and its usage procedures, and inadequate infrastructure and connectivity, particularly in remote areas, hinder access to its services. Additionally, regulatory and policy issues such as the legal status of Aadhaar authentication and the privacy of biometric data also pose difficulties.
Improving AePS Security and User Awareness
Enhancement of AePS’s security includes implementing encryption, digital signatures, and biometric liveness detection. Increasing user awareness about potential risks and practicing safe behaviors like not sharing personal information can also significantly reduce vulnerability to scams.
Collaboration among Stakeholders
To effectively tackle these cybercrime challenges, there needs to be better cooperation among various stakeholders such as UIDAI, NPCI, RBI, banks, fintech companies, law enforcement agencies, and civil society organizations. A concerted effort is needed to develop strategies that address these challenges and build capacity among all stakeholders. This could include establishing a reporting platform for AePS-related grievances.