Gaps in Aadhaar-enabled Payment System (AePS)
26-08-2023
12:31 PM
What’s in today’s article?
- Why in news?
- Aadhaar-enabled Payment System (AePS)
- What is AePS?
- How does AePS remove the need for an OTP?
- Are AePS transactions enabled by default?
- How is biometric information leaked?
- Securing Aadhaar biometric information
Why in news?
- Cybercriminals are now using silicone thumbs to operate biometric POS devices and biometric ATMs to drain users’ bank accounts.
- Recently, a popular YouTuber shared how his mother’s bank account was drained using an Aadhaar-linked fingerprint without needing two-factor authentication.
Aadhaar-enabled Payment System (AePS)
What is AePS?
- AePS is a payment system that allows customers to carry out financial transactions using their Aadhaar number and biometric authentication.
- Aadhaar is a 12-digit unique identification number issued by the Indian government to residents of India.
- It is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) and Micro ATMs through the business correspondent of any bank using Aadhaar authentication.
How does AePS remove the need for an OTP?
- The AePS model removes the need for OTPs, bank account details, and other financial details.
- It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment.
- These are the only inputs required for certain types of transactions including cash deposit, cash withdrawal, balance inquiry, mini statement, Aadhaar to Aadhaar fund transfer, authentication, and BHIM Aadhaar pay.
Are AePS transactions enabled by default?
- Neither the Unique Identification Authority of India (UIDAI) nor NPCI states clearly whether AePS is enabled by default.
- However, many experts claim that the service does not require any activation.
- The only requirement is that the user’s bank account be linked with their Aadhaar number.
- Aadhaar is also the preferred method of KYC for banking institutions, thus enabling AePS by default for most bank account holders.
How is biometric information leaked?
- Media reports had alleged data breaches in Aadhaar in 2018, 2019, and 2022.
- UIDAI has categorically denied that any Aadhaar data was breached.
- However, UIDAI’s database alone is not the only location where data can be leaked.
- Aadhaar numbers are readily available in the form of photocopies and soft copies, and criminals are using Aadhaar-enabled payment systems to breach user information.
Securing Aadhaar biometric information
- Sharing redacted or blacked-out Aadhaar numbers
  - The UIDAI is proposing an amendment to the Aadhaar (Sharing of Information) Regulations, 2016.
  - This amendment will require entities in possession of an Aadhaar number not to share details unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.
- Two-factor authentication mechanism
  - The UIDAI has also implemented a new two-factor authentication mechanism.
  - This mechanism uses a machine-learning-based security system, combining finger minutiae and finger image capture to check the liveness of a fingerprint.
- Locking Aadhaar information
  - Users have been asked to lock their Aadhaar information by visiting the UIDAI website or using the mobile app.
  - This will ensure that their biometric information, even if compromised, cannot be used to initiate financial transactions.
  - Aadhaar can be unlocked when the need for biometric authentication arises, such as for property registration and passport renewals, after which it can again be locked.
Q1) What is Aadhaar?
Aadhaar is a 12-digit unique identification number issued to residents of India. It is a biometric-based identification system that was introduced by the Indian government in 2009. The Unique Identification Authority of India (UIDAI) is responsible for the management and administration of Aadhaar. Aadhaar serves as a proof of identity and address for individuals residing in India. It is designed to be a universal identification number that can be used for various purposes, including availing government subsidies and benefits, opening bank accounts, obtaining a mobile phone connection, and participating in various government schemes.
Q2) What is National Payments Corporation of India (NPCI)?
NPCI is an umbrella organization for operating retail payments and settlement systems in India. NPCI was established in 2008 under the guidance and support of the Reserve Bank of India (RBI) and the Indian Banks' Association (IBA). NPCI plays a crucial role in promoting digital payments and facilitating the adoption of electronic funds transfer in India.
Source: Explained | Gaps in Aadhaar-enabled Payment System (AePS) abused by cybercriminals