Unlike other phishing scams, frauds related to the unauthorised use of Aadhar biometrics neither involve clicking on unknown links nor sharing One Time Passwords (OTPs). The victims only become aware when they receive a debit message from their banks.
In late October, the city’s North-East Cyber Economic and Narcotics Crime (CEN) police arrested two men from Bihar who downloaded publicly available registration papers with Aadhaar numbers and thumb impressions from the state government’s Kaveri portal for property registration and used them to siphon off money in two cases.
On November 2 and 3, three more such cases were registered by the same police. Bengaluru police commissioner B Dayananda had said on October 31 that the city had reported 116 such cases in the last three to four months.
Ramesh Naik (name changed), 41, a contractor, and Shankar Jain (name changed), 67, a retiree, had filed the complaints on November 2, while Lakshmi R (name changed), 38, a teacher, filed a complaint on November 3. In all three cases, the victims claimed that they did not share their bank details, click on any unknown links or share the OTPs.
Naik lost Rs 32,700 from his Axis Bank account between September 17 and October 22, while Jain lost Rs 15,000 from his Canara Bank account between October 23 and October 25, the First Information Reports (FIRs) noted. Laksmi’s SBI account, the FIR noted, was debited by Rs 15,000 between October 26 and November 1.
Police officials DH spoke with believe that the suspects operate from out of the state and obtain the details through publicly available registration papers on the land registration portals.
A senior officer with expertise in investigating cyber crime cases said that one of the ways the scamsters use to clone biometrics involves butter paper sheets.
“They place the thumb impression on the registration sheets on the butter paper, place a silicone sheet on it and heat it for around five minutes using ultraviolet lamps,” the officer said. “This transfers the biometric to the silicone sheets.”
Another officer said that the thumb impressions would be transferred to photopolymer sheets through thermal print. “They also use scanners with high-resolution and then take a printout on photographic films. When they try 100 such scans and prints around 10 work.”
The scamsters then use apps like Spice Money, Ezeepay and others, which provide Aadhaar Enabled Payment System (AEPS) services and also withdraw money through micro ATMs.
Tracking AEPS fraud
A senior officer stated, “It normally takes at least eight to ten days to get some idea and formulate a case involving other states. Many people across the country are engaging in these activities. Some YouTube videos even guide them in learning how to commit these offences.”
A cybercrime investigator informed DH that acquiring transaction details in Aadhaar Enabled Payment System (AEPS) frauds is challenging, and investigations are time-consuming.
“In some instances, victims may receive a reference ID, while in others, they just get a message confirming an AEPS withdrawal,” the officer explained.
“Our access is limited to the agent ID; we do not get the suspects’ bank account information. We use the agent ID to trace the linked bank account. Sometimes, the stolen funds are transferred to a digital wallet, and we must then investigate which bank accounts are associated with those wallets, retrieve the Know Your Customer (KYC) details, and proceed with the investigation.”
The senior officer, an expert in cybercrime, recommended that biometrics be locked on the Unique Identification Authority of India (UIDAI) website to prevent unauthorized use.
"National Payments Corporation of India's (NPCI) maximum transaction limit of Rs 10,000 for single AEPS financial transactions prevents large withdrawals," he said.