As I have repeatedly warned in this column, corporates, especially those in the finance and technology sectors, who want to find ways for rapid on-boarding of customers, lobbied hard to push the linking of Aadhaar to just about every identity, benefit and even returns on our own income.
Successive governments gave in to these corporates and created an ‘expressway’ for using Aadhaar for a host of purposes never mentioned or envisaged initially. People have forgotten that Aadhaar was created primarily to provide an identity (ID) to economically backward people, migrants and nomads who did not have any ID. The creators, in their hurry to launch it, ignored aspects of security, privacy, ease of updation, and issues with biometrics that continue to afflict the Aadhaar ecosystem. Add to this, the problems such as wrong data entry, unreadable biometrics and the need for frequent updation of addresses, especially by younger people who change jobs often, and you realise the many issues with asking for Aadhaar everywhere. The worst sufferers are the poor and less literate. You would see hapless people standing in queues at Aadhaar service centres to pay money and rectify mistakes in their Aadhaar documents. In the process, some of them have their personal details stolen and sold by those who offer the service.
Later in this column, I will also tell you what would happen if you install a mobile app shared or downloaded from anywhere other than the official Playstore of Google. Several instances have come to light where such fake gaming or loan apps are found stealing confidential data and emptying users’ bank accounts.
Online Financial Fraud Using AePS
The over-dependence on a flawed Aadhaar system continues to cause difficulties for people. A few days ago, the national cyber crime reporting portal of the Union ministry of home affairs (MHA) warned about online financial fraud using the Aadhaar-enabled payment system (AePS) without the need for a one-time passcode (OTP).
A few months ago, I met a senior citizen who had two bank accounts in the same bank but in different cities. She wanted to close one account and went to the bank branch in that city. However, the branch was too crowded. In the meantime, she considered withdrawing some money from her bank account before closing. But even that counter had several people standing in a long queue. Someone told her that she could withdraw money using the service offered by a banking correspondent sitting outside the branch. She went there, and after much effort, her thumb impression was recorded for Aadhaar authentication, and she received the money. The serious part is that this money was withdrawn from her bank account in another city, not the one she wanted to close.
This raises a serious question about why and how the money was withdrawn from an account whose details she never shared with the banking correspondent. One possible explanation is that the money was withdrawn from the account linked with Aadhaar. However, the senior citizen had linked her Aadhaar with both accounts. Yet, money from her account was withdrawn from only one account whose details she never shared with the banking correspondent.
This is a flaw in Aadhaar systems which takes into account only the recently linked bank account as valid for transactions.
AePS enables a person to withdraw money from their bank account using a local business correspondent anywhere in the country, and this also makes it easy to cheat people.
Last year in August, we wrote about how, during the scrutiny of suspicious bank accounts, HDFC Bank Ltd discovered that 33 savings accounts were opened with the photographs of just two individuals, while the name in each account was different. The Bank filed a complaint with the IFSO (Intelligence Fusion and Strategic Operations) unit of Delhi police which busted a gang engaged in creating fake documents, especially Aadhaar cards and opening bank accounts.
According to the police, the fraudsters used silicon fingerprints and printouts of the iris scan of the authorised agent to log in to the UIDAI database. “Whenever any illiterate came to them for any Aadhaar updation, Navneet Prajapati captured the biometrics of that person but updated the photograph and address as suitable to him.”
The warning issued by the national cybercrime portal also cautions about the misuse of Aadhaar biometrics. It advises Aadhaar-holders to lock their biometrics on the official site of UIDAI or the Aadhaar app.
Remember, once your biometrics are locked, you cannot use them again for authentication without unlocking them. This may pose a different kind of issue for Aadhaar holders. So, think twice before enabling or disabling the biometrics of your Aadhaar.
A few days ago, the Telangana police suggested that one should disable the biometric link from Aadhaar if the holder has lost money in an AePS fraud. It asked people not to share Aadhaar details with anyone and to be aware of fraudulent transactions carried out using fake biometrics.
The main reason for AePS fraud using Aadhaar biometrics is the ease with which fraudsters can create clones of fingerprints. Cloning of fingerprints is very easy; several video tutorials are readily available online and Moneylife Foundation even demonstrated it at a webinar in October 2016!
There are hundreds of apps available on Google Playstore. Many Android application package (.apk) files are readily available for download at several unofficial portals. The biggest issue with all of these apps downloaded from unofficial places is they collect all data and information available on the device and send it to the fraudsters hiding in the garb of app developers.
In the case of bogus loan apps, if the borrower does not pay the loan on time, the app company badgers the borrowers’ contacts, including sending messages for payment, as well as abusive and defamatory messages and even morphed nude images of the person. They also use social media like WhatsApp to shame borrowers over not repaying a loan.