Aadhaar Enabled Payment System(AePS) fraud – All you need to know

Sujatha works in a government office, last monday she got 2 sms messages talking about a deduction of 10000 and another transaction of 36 rupees. She did not remember making any transaction nor scheduling any bill payment for that value. On checking the account statement online, she found out that in the description it was mentioned that first one was a AEPS transaction and the second one was fees. She did not remember making any such transaction and she was in office from morning. When checked with the bank, they mentioned that its a AEPS fraud, someone had misused her biometric data and aadhaar number to make this withdrawal.

AePS, or Aadhaar-enabled payment system, is a service developed by the National Payments Corporation of India. It allows users to conduct transactions like cash withdrawal, balance enquiry, mini statement and fund transfer by providing their Aadhaar number and biometric information. The AePS in India has recently faced exploitation by cybercriminals, leading to unauthorized access to users’ bank accounts by :

• Using leaked biometric details to bypass the need for One Time Passwords (OTPs) and steal funds.
• Stealing thumb impression and transferring that to silicone thumbs and using it for fraudulent transactions.
• Gaps in the AePS system’s security protocols, such as inadequate identity verification or authentication processes, provide opportunities for cybercriminals to carry out their fraudulent activities.
• AePS also faces issues such as biometric mismatches, poor connectivity, weaker systems of certain banking partners, etc. where the transactions fail due to these reasons but the money gets debited from the customers’ accounts.

I had previously written about various other Aadhaar frauds, please check that at http://cybermithra.in/2023/04/18/aadhaar-frauds/

How to protect oneself from AePS frauds :-

• Lock your Aadhaar biometric check on the Aadhaar website(www.uidai.gov.in) or on mAadhaar app and unlock when you need to perform biometric verification.
• Never share your aadhaar details unless its absolutely needed, then also share only black and white photocopy and mention date and why you are sharing.
• For Name, Age and Address verification please use voter id or driving license instead of Aadhaar.
• Provide masked aadhaar(where some part of aadhaar number is masked) or virtual aadhaar(temporary revocable number) instead of actual aadhaar card.
• Regularly check the balance and transaction alerts of the bank account linked to the mobile number.
• When you are providing biometric (finger print or iris) scan, check if the device is tampered with or if the agency is authorized to collect it.

If you are a victim of AePS fraud:-

Immediately call 1930 cyber helpline or file a complaint at cybercrime.gov.in website or at nearby police station. Lock your Aadhaar card at uidai.gov.in and file a complaint there. File a complaint at the bank on this fraudulent transaction and disable AePS feature for your account.

Legal(Indian) remedies available to the victim :-

You can register a criminal case at your nearest cyber or regular police station, under the following legal sections or under the Acts and Sections as prescribed by the police as per your case :

• Section 378(Theft), Section 405/406(Criminal breach of trust), Section 415/416/417(Cheating),section 419 (punishment for cheating by impersonation),  Section 420 (cheating and dishonestly inducing delivery of property), Section 424(extract data illegally), Section 441(criminal trespass) of Indian Penal Code (IPC).
• Section 43 (Penalty and compensation for damage to computer, computer system, etc.), section 66 (punishment for computer related offences – a person committing data theft, transmitting virus into a system, destroying data, hacking, or denying access to the computer or network to an authorized person), section 66C(which prescribes penalties for identity theft and states that anyone who fraudulently or dishonestly uses a person’s identity information) and Section 66D (punishment for fraud by impersonation using computer resources), Section 66E(Violation of privacy) of The Information Technology Act 2000/08.
• Section 36 – Penalty for impersonation, Section 37 – Penalty for disclosing identity information or section 40 – Penalty for unauthorised use by requesting entity or offline verification-seeking entity under Aadhaar Act 2016, carrying punishment of imprisonment up to 3 years or a fine of Rs. 10,000/1,00,000 or both may be awarded.