ForumIAS announcing GS Foundation Program for UPSC CSE 2025-26 from 10th August. Click Here for more information.
Source: The post is based on the article “What are the gaps in the AePS transaction model?” published in The Hindu on 16th May 2023.
Syllabus: GS – 3: basics of cyber security.
Relevance: About issues with the Aadhaar-enabled Payment System (AePS).
News: Cybercriminals are now using silicone thumbs to operate biometric POS devices and biometric ATMs to drain users’ bank accounts.
What is an Aadhaar-enabled Payment System (AePS)?
The AePS is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) devices and micro ATMs of any bank using Aadhaar authentication. The model removes the need for OTPs, bank accounts and other financial details.
Under section 7 of the Aadhaar Act, users who wish to receive any benefit or subsidy under schemes have to mandatorily submit their Aadhaar number to the banking service provider.
According to a website managed and run by MeitY, the AePS service does not require any activation. The only requirement is that the user’s bank account should be linked with their Aadhaar number.
According to the National Payments Corporation of India (NPCI), this allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment.
| Read more: How loopholes in Aadhaar-enabled payments are putting poor people at risk of being swindled |
How have cybercriminals exploited the AePS ecosystem?
The UIDAI said that the Aadhaar data, including biometric information, is fully safe and secure. UIDAI’s database is not the only source from where data can be leaked.
Aadhaar’s numbers are readily available in the form of photocopies, and soft copies, and criminals are using Aadhaar-enabled payment systems to breach user information.
How UIDAI is planning to improve AePS ecosystem?
The UIDAI is proposing an amendment to the Aadhaar (Sharing of Information) Regulations, 2016. The amendment will require entities in possession of an Aadhaar number to not share details unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.
UIDAI will require entities in possession of an Aadhaar number to not share details unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.
The UIDAI has implemented a new two-factor authentication mechanism. This uses a machine-learning-based security system, combining finger minutiae and finger image capture to check the ‘liveness’ of a fingerprint.
UIDAI also advised users to lock their Aadhaar information by visiting the UIDAI website or using the mobile app. . It can be unlocked when the need for biometric authentication arises, such as for property registration, passport renewals, etc.
Timely reporting will ensure any money transferred using fraudulent means is returned to the victim.
| Read more: Failure Of Aadhar Based Payment System |
