Gaps in Aadhaar-enabled Payment System (AePS) are being abused by cybercriminals
What is AePS and how does it remove the need for an OTP?
- AePS is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) and Micro ATMs through the business correspondent of any bank using Aadhaar authentication.
- The model removes the need for OTPs, bank account details, and other financial details.
- It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment, according to the National Payments Corporation of India (NPCI).
- For AePS, these are the only inputs required for certain types of transactions, including cash deposit, cash withdrawal, balance inquiry, mini statement, Aadhaar to Aadhaar fund transfer, authentication, and BHIM Aadhaar pay.
Are AePS transactions enabled by default?
- Neither Unique Identification Authority of India (UIDAI) nor NPCI mentions clearly whether AePS is enabled by default. Cashless India, a website managed and run by MeitY, says the service does not require any activation, with the only requirement being that the user’s bank account should be linked with their Aadhaar number.
- Users who wish to receive any benefit or subsidy under schemes notified under section 7 of the Aadhaar Act must submit their Aadhaar number to the banking service provider, according to UIDAI. Aadhaar is also the preferred method of KYC for banking institutions, thus enabling AePS by default for most bank account holders.
Q1) How does UIDAI work?
“Aadhaar Authentication” is a process by which the Aadhaar number, along with demographic information (such as name, date of birth, gender, etc.) or biometric information (fingerprint or iris) of an individual, is submitted to UIDAI's Central Identities Data Repository (CIDR) for verification.