Aadhaar-enabled payment scam hits citizens registering properties in Karnataka; police suspect intermediaries’ role

The amounts reported to be lost in the AEPS linked cyber crimes is less than Rs 10,000 in every case due to a cap on AEPS transactions, but several cases have been reported in Karnataka over the past few months, according to sources in the State Level Bankers’ Committee (SLBC) and the cybercrime police.

AEPS allows a person to remove Rs 10,000 per day from banks with biometric data (in the form of the thumb impression) and the Aadhaar number as authentication.

Four members of a family in Bengaluru fell victim this October to the fraud after they used Aadhaar data while registering a property in the Tumkur region of the state.

“It was first detected in my wife Asha’s account on October 6. Subsequently, we discovered that money was debited from the account of my brother-in-law Ramamurthy, his son Shreyas and sister-in-law Vijayalakshmi,” the victim Rajgopal Sharma told The Indian Express.

Sharma, who has filed a complaint at the Seshadripuram police station in central Bengaluru, said less than Rs 10,000 was debited from each of the accounts to unknown accounts. “After my wife locked her biometric in the UIDAI portal, we received messages that her fingerprints were used twice, albeit unsuccessfully, on October 8 and October 13,” he said.

The only place that his wife used her biometric was with her other relatives when they registered a property at a sub-registrar office at Tumakuru in May, Sharma noted.

Similar cases have been reported in Mangaluru, where more than 15 people have lost money after registering properties in the sub-registrar’s office.

Among them was Vinod Pinto, president of the Mangaluru unit of the Confederation of Real Estate Developers’ Association of India (CREDAI). Pinto said he had sold a property in April, during which biometric was used. “Money was debited from my account in August. I came to know after the buyer of the property alerted me. He also fell victim to the same scam. The question is how safe is it to use Aadhaar for KYC,” he said.

The police suspect fraudsters are taking advantage of circumstances where Aadhaar biometrics are not locked, allowing them to use it without the cardholder’s knowledge. The lack of alert messages sent to Aadhaar card holders when biometrics are used successfully for transactions is also seen as a loophole being exploited by fraudsters.

These alerts are issued only when biometric authentication fails. In cases where authentication is successful, no messages are sent keeping cardholders in the dark on their biometric being used.

Anupam Agarwal, City Police Commissioner, Mangaluru, said it was a “complicated case”. “We have collected some details. We are questioning the service provider,” he said.

The service provider is an intermediary between UIDAI and other government agencies. The police are also in touch with UIDAI in connection with the case, said Agarwal.

Though such frauds are being reported after property registration, senior officials in the Department of Stamps and Registration maintain the department was not at fault and have blamed banks and UIDAI. “This has happened in states like Bihar too, indicating that some agency was misusing the biometric data,” said a senior official requesting anonymity.

Biometric data is not stored at sub-registrar offices. Only if the data was stored could it be used to withdraw money at a later date, as is in these cases.

An official in the Department of Stamps and Registration added that a private vendor authorised by public sector banks to carry out Aadhaar authentication on their behalf was being questioned by police in connection with the case.

According to SLBC sources, the issue was discussed during a meeting of the Committee as cases of this nature were reported from different banks. “The best safety measure for Aadhaar card holders is to lock their biometrics, as it prevents any misuse. Biometric data can be locked using the UIDAI portal,” the source added.