By Shashank Shekhar in Noida

Like a predator, cybercriminals are looking for new prey every day. Hackers are now siphoning off money from your bank account by cloning fingerprint and withdrawing money through Aadhaar Enabled Payment System (AEPS).

The revelation was made after the Noida police arrested the mastermind behind cloning fingerprint and withdrawing money through Aadhaar Enabled Payment System (AEPS).
Aadhaar Enabled Payment System (AEPS) is a type of payment system that is based on the Unique Identification Number and allows Aadhaar cardholders to seamlessly make financial transactions through Aadhaar-based authentication. The AEPS system aims to empower all sections of the society, especially people from rural areas for using financial and banking services through Aadhaar.

Equipment seized by Noida Police which was used by gang to clone fingerprint
Equipment seized by Noida Police which was used by gang to clone fingerprint

Modus-Operandi

The investigation by the Noida police reveals that AEPS which allows customers to make payments using their Aadhaar number and by providing Aadhaar verification at point of Sale (PoS) or micro ATMs were being misused by the cybercriminals.

Explaining the case, Triveni Singh, superintendent of Police cyber cell said, “During our investigation, we found that the money was withdrawn using AEPS. We found that victims’ never used their thumb impression to withdraw the money it was a gang of hackers who had cloned the fingerprints and Aadhar numbers of victims to carry out illegal transactions.”

Equipment seized by Noida Police which was used by gang to clone fingerprint
Equipment seized by Noida Police which was used by gang to clone fingerprint

Further investigation revealed that the main accused Rohit Tyagi stole aadhar numbers and fingerprints of his victims from the registrar office. He had learned the hacking and cloning technique through YouTube and the internet by which he made clones of thumb impression. Tyagi had bought equipment for making cloned fingerprint from popular online shopping websites like Amazon, Flipkart and eBay. He had a biometric machine, rubber thumb impression printer, gelatin, temperature modulator and other chemicals through which he used to make a clone. After getting Aadhar number and cloning fingerprint, Tyagi used this money to buy cryptocurrency to remain untraceable.

Main accused Rohit Tyagi
Main accused Rohit Tyagi

Triveni Singh explained that for AEPS only fingerprints and Aadhar number is required. Customer does not receive an OTP, which is mandatory for any card-based payment.
“It is advised that two-factor authentication is followed for such transactions. This will only increase the security and it becomes difficult to bypass two-layer of security,” Singh said.
The breakthrough by the Noida police has increased the trouble for UIDAI and banking industry, which will have to look for more stringent security features to stop the misuse of fingerprints and Aadhar number.

“AEPS is activated by default if a customers’ bank account is linked with Aadhar. A customer can withdraw Rs 10,000. RBI has not set any limit on transfer between accounts, but banks have proviso of transferring Rs 25,000- Rs 50,000 through AEPS,” said Satyendra Sharma, senior manager IT, PNB.

Banking experts are also suggesting to use face recognition and retina scan for payment instead of fingerprints which is tough to replicate.

Related posts