Like a predator, cyber-crime masterminds are on the hunt for new prey every day. Hackers these days siphon off money from bank accounts by cloning fingerprints and then withdrawing the money via the Aadhaar Enabled Payment System (AEPS).
This came to light after the Noida police arrested the mastermind behind fingerprint cloning and withdrawing money via AEPS. The AEPS is a payment system based on the Unique Identification Number that allows Aadhaar card holders to make financial transactions seamlessly through Aadhaar-based authentication. The AEPS aims to empower all sections of society, especially people from rural areas, to carry out financial activities through the Aadhaar card.
The Noida police’s investigation reveals that the AEPS is being misused by cybercriminals.
Explaining the case, the Superintendent of Police, cyber cell, Triveni Singh said, “During our investigation, we found that the money was withdrawn using AEPS. We found that victims never used their thumb impression to withdraw the money; it was a gang of hackers who had cloned the fingerprints and Aadhaar numbers of victims to carry out illegal transactions.”
Further investigation by the Noida Police revealed that the main accused, Rohit Tyagi, had allegedly stolen the Aadhaar numbers and fingerprints of his victims from the registrar office and made clones of the thumb impressions after learning the hacking and cloning technique on the internet.
Tyagi allegedly bought the equipment for fingerprint cloning from popular online shopping sites like Flipkart, Amazon and eBay. The police found a biometric machine, a rubber thumb impression printer, a temperature modulator, gelatin, and a number of other chemicals with the accused, which he allegedly used to make the clones. After getting the Aadhaar number and the cloned fingerprint, Tyagi used the withdrawn money to buy cryptocurrency to remain untracked.
Triveni Singh said that the biggest drawback of the AEPS is that only a fingerprint and an Aadhaar number are required for a transaction through this mode, and the customer does not receive any OTP (One Time Password), which is mandatory for any card-based payment. “It is advised that two-factor authentication is followed for such transactions. This will only increase the security, and it becomes difficult to bypass two layers of security,” Triveni said.
According to a senior IT official in a leading bank, the AEPS is activated by default if a customer’s bank account is linked with Aadhaar, and the customer can withdraw Rs 10,000. Although the RBI has not set any limit on transfers between accounts, the banks have a provision for transferring Rs 25,000-Rs 50,000 through AEPS.
Banking experts suggest that using face recognition and retina scans for payment, rather than fingerprints, is a safer way, as they are tough to replicate.