Monday, April 29, 2024

SubscriberWrites: The pain points of Aadhaar Enabled Payment System

AePS aims to empower a bank customer to engage with their bank using Aadhaar, to further the electronification of retail payments, to facilitate disbursement of government social support payments, etc.

Your Turn is a unique section from ThePrint featuring points of view from its subscribers.

One fine evening, Dr Kumar, a retired professor in his 60s, got an SMS on his phone. The brief message contained a forewarning of a challenging three-month experience that lay ahead. The SMS read, and I am paraphrasing, “Rs 10,000 is deducted from your account via AePS”. Dr Kumar, being unaware of this transaction, reached out to the branch manager of this PSU bank (let us call it Bank S). The bank manager seemed unaware of the term AePS and suggested it may have something to do with the Atal Pension Yojana Scheme. Dr Kumar was perplexed since he had never applied for the Atal Pension Yojana. The following day, he got a similar SMS from another PSU company (let us call it Bank P) informing him of the Rs 10,000 deduction from his account. Over the next few hours, he got numerous messages from UIDAI, notifying him that his Aadhaar had been used to access banking information at different banks, even those where he never had a bank account. Dr Kumar understood that he had been a victim of cybercrime.

As per the NPCI website, AePS or Aadhaar Enabled Payment System “is a payment service empowering a bank customer to use Aadhaar as his/her identity to access his/her respective Aadhaar-enabled bank account and perform basic banking transactions like balance enquiry, cash deposit, cash withdrawal, remittances through a Business Correspondent.” Launched in 2010, AePS aimed to empower a bank customer to engage with their bank using Aadhaar, to further electronification of retail payments, to facilitate disbursements of Government social support payments, to facilitate inter-operability across banks, etc. AePS would allow a person to carry out certain banking transactions using an Aadhaar number and biometrics. AePS would facilitate banking services in rural and unbanked areas. However, without their knowledge, many bank customers like Dr Kumar had AePS enabled in their bank accounts. A financial ecosystem that relies only on digital information is vulnerable to hacking or data leaks. It became clear that someone had acquired and used Dr Kumar’s Aadhaar and biometrics information to make fraudulent financial transactions.

Dr Kumar blocked his Aadhaar biometrics access online, as suggested by the UIDAI customer helpdesk. Next, he visited the cybercrime desk at the regional police station, only to meet more than a dozen fellow citizens already there to report similar incidents. The problem was more widespread than he thought, and he knew he was in for a long ride. Braving arthritic knee pain, Dr Kumar approached another (local area) police station to file an FIR, hoping that he could recover the money that he rightfully earned as a pension after years of working as a university professor. The next day, he submitted FIR copies to both banks and demanded an enquiry. After a month of multiple email exchanges, Bank S credited the amount back to his account and informed him that the fraudulent transaction happened at an ATM facility in Thane, Maharashtra. The interaction with Bank P was less encouraging. After Bank P unequivocally placed the burden of fraud on Dr Kumar, it took another three months for him to reach out to the RBI Ombudsman and finally get a refund.

In January 2024, The Hindu reported that of all the complaints received on the government’s cybercrime portal, 11% were related to AePS. The news organisation also reported that scamsters use silicone thumbprints to pass biometric checks. Sharing an Aadhaar number has almost become a norm in any formal transaction. The avenues to tap into an online repository with a not-so-secure database are plentiful for anyone intending to scam the system. Leaked biometrics remain a significant concern. NPCI seems to have implemented two-factor authentication to combat such frauds with additional safety checks and balances. We shall know over time how much of that comes to fruition.

My conversation with a few local bank officials revealed that most have never heard of AePS. They do not know how to check the status of AePS for a particular customer or how to turn it on or off. Online banking does not offer any help in this regard either. A search on HDFC’s online personal banking account only shows a link to report AePS fraudulent transactions. Another primary concern that remains to be answered is how AePS is activated for individual accounts, particularly since many customers cannot recall opting in for this feature. Whether banks are keeping AePS on by default is unknown. While using the Aadhaar as a document for KYC, banks like HDFC automatically turn the AePS on without giving the customer an option to opt out. Moreover, the fine print on HDFC’s act of turning AePS on is embedded deep into the terms and conditions, which I am sure many users would never read. This Aadhaar-KYC-AePS link may be a backdoor through which many customers unknowingly get their AePS activated.

Numerous bank web pages describe steps to prevent AePS misuse. The first step seems to be blocking biometrics authorisation, as Dr Kumar did once he became a victim. While this works, users must unblock it whenever they make any Aadhaar-mediated transaction requiring biometric authentication.

If AePS is to continue, it is crucial that banking systems educate their officials about this feature and its potential risks. The status of AePS should be prominently displayed on the online banking page, and customers should be given the option to opt in or out of this feature voluntarily. For the initial activation of AePS, banks should obtain dedicated informed consent from the customer, not the hidden consent buried in the terms and conditions of KYC, as is currently the case with banks like HDFC.

These pieces are being published as they have been received – they have not been edited/fact-checked by ThePrint
