AePS frauds using dummy fingers on rise: MHA tells Parliamentary panel

The Ministry of Home Affairs (MHA) has informed the parliamentary standing committee on communications and information technology that the use of “dummy fingers or rubber fingers” to fraudulently withdraw money using Aadhaar-enabled Payment System (AePS) was on the rise.

“Biometrics cloning: We are seeing this also. They use dummy fingers or rubber fingers to take out money through the Aadhaar-enabled Payment System. This has been enhanced. We are working with Aadhaar and NPCI (National Payments Corporation of India) to put an end to this. We should see some reduction in the coming weeks,” the MHA submitted.

The committee had specifically asked the Ministry of Electronics and Information Technology (MeitY) if Aadhaar data had been linked when AePS was misused and what actions had been taken to prevent leakage of Aadhaar data in misuse of AePS. MeitY in its submission, denied any data leakage. “As reported by UIDAI (Unique Identification Authority of India), no breach of Aadhaar card holders’ data has occurred from the Central Identities Data Repository (CIDR) maintained by the UIDAI in which the database of biometric and demographic information of Aadhaar is maintained”

The committee was also informed that NPCI, in a circular dated October 26, 2023, had instructed banks to disable AePS services in accounts which hadn’t had any debit transactions in the preceding 12 months by November 30, 2023. This circular exempted accounts which had received direct benefit transfer (DBT) credits, and PM Jan Dhan Yojana (PMJDY) and basic savings bank deposit account (BSBDA) accounts. HT could not find this NPCI circular on the NPCI website.

MeitY told the committee that to prevent AePS frauds, UIDAI had “asked acquirer banks to enforce stringent guidelines/checks for on-boarding of Business Correspondent (BC) agents and Corporate BCs (CBCs) and to ensure the use of verifiable and reliable identity to be used for on-boarding BC, mechanism to obtain police verification during BC on boarding”.

“UIDAI suggested the mandatory need of reporting of frauds to law enforcement agencies by the issuer and acquirer bank for every case of AePS fraudulent transaction reported and Acquirer banks to file FIR for frauds reports on BC agents after expeditiously investigating the same and issuer banks to file mandatory a complaint on the I4C National Cybercrime Reporting Portal,” MeitY told the committee.

MeitY questioned over ICMR data breach

The committee also questioned MeitY over reports of Aadhaar data of more than 800 million Indians being leaked. MeitY said that the data in question was not from the UIDAI database as the data fields in the leaked sample data “do not exist in the UIDAI database or is different from that of UIDAI database”. Since there were reports that this data was compromised from an Indian Council of Medical Research (ICMR) database, the MeitY said, “UIDAI has neither made available Aadhaar data to ICMR nor authenticated any Aadhaar data held by ICMR.” “The source of data is unrelated to UIDAI and there is no leakage of data from UIDAI database,” MeitY told the committee.

“CERT-In received threat intelligence reports regarding sale of personal data with samples claiming to be of Indian Council of Medical Research (ICMR) and notified ICMR of the same and suggested remedial measures. CERT-In is coordinating incident analysis with law enforcement agency,” MeitY told the committee.

“Regarding intelligence reports received by CERT-In with regard to sale of personal data, the Committee may be apprised about the outcome of the measures suggested and the finding of the analysis by CERT-In,” the committee said in its report.