Wednesday, May 24, 2023

Cybercriminals ‘cloning’ Aadhaar biometric data to commit fraud: MHA nodal agency to states

I4C, MHA's nodal agency for cybercrime, has requested states/UTs to 'mask' fingerprints on documents when uploading them on registry websites.

New Delhi: The Ministry of Home Affairs (MHA) has written to states and Union territories (UTs) flagging concerns about the “misuse” of the Aadhaar Enabled Payment System (AePS) by cybercriminals to commit financial fraud, ThePrint has learnt.

In a letter dated 21 February, the Indian Cyber Crime Coordination Centre (I4C) — the MHA’s nodal agency to tackle matters related to cybercrime — wrote that cybercriminals are “cloning” the biometric data of Aadhaar users uploaded on states’ registry websites that host sale deeds and agreements. ThePrint has seen a copy of the letter.

This data is “cloned” with the intention of carrying out unauthorised withdrawals through AePS, the I4C wrote. The agency asked the state and UT governments to direct their revenue and registration departments to “mask” the fingerprints on documents while uploading them on the registry websites.

The I4C also advised state agencies to investigate complaints about such crimes, sensitise victims, and organise awareness campaigns. “Cyber criminals are misusing Aadhaar Enabled Payment System (AePS) to conduct financial frauds, as the system allows any user to deposit cash, withdraw cash, transfer funds and check statement using Aadhaar number and biometrics,” read the letter.

ThePrint reached out to the MHA spokesperson for comment via text message but had not received a response by the time of publication. This report will be updated when a response is received.

Modus operandi 

According to the letter, the I4C analysed the nature of complaints and related data, and interacted with police organisations and investigative agencies to understand the pattern adopted by cybercriminals.

“Analysis of modus operandi of AePS cyber financial frauds reveals that biometrics information uploaded on states’ registry websites (registration of various deeds like sale deed, agreement to sale, etc) are downloaded by criminals, which is then further ‘cloned’ to carry out unauthorised withdrawals using AePS. Revenue and registration authorities may be requested to mask the fingerprints on the documents publicly available,” said the letter.

Multiple serving and retired IPS officers well versed in the nature of cybercrime said these issues were also discussed at the three-day All India Conference of Director Generals of Police (DGPs) held in January this year.

According to sources in the MHA, the I4C in a presentation at the conference identified 20 districts across six states and a UT — Rajasthan, Jharkhand, Bihar, Uttar Pradesh, Haryana, West Bengal, and Delhi — which account for 70 per cent of total cybercrime complaints registered in India.

The agency in its presentation also suggested that the MHA introduce legal amendments to classify cyber offences as organised crimes and sought the intervention of the Ministry of Finance to frame regulations to oversee the policies of loan apps and payment aggregators.

What experts say 

On the concerns flagged by the I4C in its letter to states and UTs, former IPS officer Nandkumar Saravade told ThePrint, “Aadhaar was supposed to be secure data, but security is a complex area and it is not static. It keeps changing depending on the circumstances.”

“But in this case, why are fingerprints being uploaded? Can there be any substitute for how to verify an individual? And what about existing data? Can that be removed? These are some of the relevant issues the government may consider now,” said Saravade, who has also served as director, cyber security and compliance at NASSCOM.

Saying that there are mechanisms available to secure government sites that hold bulk sensitive data, he added, “In fact, there should be some system that will send alerts when such data is being downloaded in bulk.”

Former IPS officer Rajan Medhekar, who retired as director-general (DG) of the National Security Guard (NSG), said, “If Aadhaar data is being cloned, it can be detrimental to national security. There are several critical components of national security. Servers of sensitive installations, banks and health facilities are some of them. We have already been facing cyber attacks since 2017.”

He added, “I also feel that why do departments need to upload someone’s biometric data on a public website? They can generate a unique identification number and use that for the verification.”

(Edited by Amrtansh Arora)
