The fraudsters keep finding new ways of tricking people. A few days back, I came across a post where money was withdrawn from the victim’s account using the Aadhaar Enabled Payment System (AEPS).
In this post, let’s find out what AEPS is, how the fraud happened, and how you can prevent such frauds.
What Is Aadhaar Enabled Payment System (AEPS)?
As the name suggests, it is a system to transact in your bank account by using your Aadhaar credentials.
You don’t really have to sign up for this feature. Since your bank account is linked to your Aadhaar, consider yourself auto-enrolled. Because most account holders are unaware of this risk, they do nothing to guard against it, and the odds of fraud go up automatically.
AEPS can be used for cash withdrawals, cash deposits, balance enquiry, mini statements, Aadhaar-to-Aadhaar bank transfers and BHIM Aadhaar Pay.
How to Use Aadhaar Enabled Payment System (AEPS)?
To withdraw money from your bank account, only 3 inputs are needed.
- Your Aadhaar number
- Bank name (You do not need the bank account number. Just the bank name is needed. Your Aadhaar number must be seeded in your bank account).
- Biometric verification
And a micro-ATM (available with banking correspondents) to transact. I have never used one.
What Are Transaction Limits for Aadhaar Enabled Payment System (AEPS)?
- Cash withdrawal: Rs 10,000 per transaction (set by NPCI)
- Fund transfer: Rs 50,000 per day (RBI does not impose any limit. Limit is set by banks)
How Can AEPS Be Used for Frauds?
AEPS is technically quite safe since you need biometric verification for transfer.
However, apparently, the fraudsters have found a way around biometric verification.
In the incident mentioned above, the fraudsters were apparently able to obtain a fingerprint impression of the victim from property registration documents and used that impression to withdraw money. By the way, this is just a conjecture. At the same time, it is true that AEPS was used for unauthorized access to the victim’s bank account. So, they found a way around biometric verification.
I don’t know how this can be done, but it has been done. The complicity of the banking correspondent can’t be ruled out either.
Note that the property records may not have details about the bank you have an account with. However, the fraudster can proceed by trial and error. Remember, you only need the name of the bank, not the bank account number.
Hence, a fraudster can just keep trying with different banks until he/she finds the bank where you have an account. And that’s exactly what the scammer did in this case too.
From what I have observed, UIDAI sends a success or failure notification for each authentication (OTP or biometric) over email. Hence, the victim should ideally have received notifications about the earlier unsuccessful withdrawal attempts, but did not. It is quite possible that his email id was not updated in the Aadhaar records. Or the authentication emails were simply not sent (that’s not impossible either).
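The notification pattern described above (several failed biometric authentications in quick succession, each against a different bank name, followed by a success) is exactly the kind of thing a monitoring rule could flag. The following is an added example, not code from the original post or from UIDAI or any bank: it parses a handful of constructed notification lines (the field layout `aadhaar=… type=… result=… bank=…` is my assumption, not UIDAI’s real email format) and raises an alert when one Aadhaar number sees repeated biometric failures across multiple banks inside a short window. Alerts carry the masked form of the number (only the last four digits visible), in the same spirit as the masked Aadhaar the post recommends sharing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample notification lines (not real UIDAI output). Each line
# stands for one authentication notification; the field names are assumed.
SAMPLE_NOTIFICATIONS = [
    # Number ending 1234: three biometric failures at three different banks,
    # then a success at a fourth bank - the trial-and-error pattern.
    "2024-05-01T10:02:11 aadhaar=123412341234 type=BIO result=FAIL bank=BankA",
    "2024-05-01T10:05:40 aadhaar=123412341234 type=BIO result=FAIL bank=BankB",
    "2024-05-01T10:09:03 aadhaar=123412341234 type=BIO result=FAIL bank=BankC",
    "2024-05-01T10:15:27 aadhaar=123412341234 type=BIO result=SUCCESS bank=BankD",
    # Number ending 9876: one fumbled fingerprint, then an OTP success - benign.
    "2024-05-01T11:00:00 aadhaar=987698769876 type=BIO result=FAIL bank=BankA",
    "2024-05-01T11:01:30 aadhaar=987698769876 type=OTP result=SUCCESS bank=BankA",
    # Number ending 5555: repeated failures at a single bank - a worn finger
    # at one micro-ATM, not bank probing.
    "2024-05-01T12:00:00 aadhaar=555555555555 type=BIO result=FAIL bank=BankA",
    "2024-05-01T12:01:00 aadhaar=555555555555 type=BIO result=FAIL bank=BankA",
    "2024-05-01T12:02:00 aadhaar=555555555555 type=BIO result=FAIL bank=BankA",
]


def mask_aadhaar(number: str) -> str:
    """Return the masked form of a 12-digit Aadhaar number: only the last
    four digits are shown, the rest replaced by X (spaces are ignored)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 12:
        raise ValueError("an Aadhaar number has exactly 12 digits")
    return "XXXX XXXX " + digits[-4:]


def parse_notification(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_bank_probing(lines, window=timedelta(minutes=30),
                      min_failures=3, min_banks=2) -> dict:
    """Flag Aadhaar numbers with at least `min_failures` failed biometric
    attempts spanning at least `min_banks` distinct banks inside `window`.
    Returns {masked_number: sorted list of banks tried}."""
    failures = defaultdict(list)
    for rec in map(parse_notification, lines):
        if rec.get("type") == "BIO" and rec.get("result") == "FAIL":
            failures[rec["aadhaar"]].append(rec)

    alerts = {}
    for number, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a window starting at each failure; alert on the first hit.
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            banks = {r["bank"] for r in in_window}
            if len(in_window) >= min_failures and len(banks) >= min_banks:
                alerts[mask_aadhaar(number)] = sorted(banks)
                break
    return alerts


if __name__ == "__main__":
    for masked, banks in find_bank_probing(SAMPLE_NOTIFICATIONS).items():
        print(f"ALERT {masked}: biometric failures at {', '.join(banks)}")
```

The thresholds (three failures, two banks, thirty minutes) are arbitrary starting points; the useful property is that the rule ignores a single fumbled fingerprint and repeated failures at one bank, and only fires on the one-bank-after-another pattern the post describes.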
How to Prevent Frauds through AEPS?
The money was withdrawn using biometric verification. A simple way out is to disallow biometric verification for your Aadhaar altogether. Yes, you can do it. If you don’t use Aadhaar biometric verification frequently (and it is highly unlikely that you do), it is better to lock biometric verification for your Aadhaar.
How Do You Lock/Unlock Biometric Verification for Your Aadhaar?
There are two ways to do it.
- Through mAadhaar app
- Through UIDAI website
You can visit UIDAI website. Log in using Aadhaar and OTP. After logging in, you will find an option to block biometrics. Quick and simple.
By the way, the locking of biometrics is not permanent. You can unlock biometric verification instantly whenever you want. You must follow the same process for unlocking the biometrics.
Hence, in case you need to perform any transaction that requires biometric verification (property registration, signing agreements, mobile number porting, or any other purpose), you can instantly unlock biometric verification.
In fact, keep the biometric locked by default. As and when you need, you can temporarily unlock the biometrics, complete your work, and then lock the biometrics again.
By the way, there is also an option to lock Aadhaar itself (and not just biometrics). The process is very similar. If you lock only biometrics, you can still do OTP-based verification. However, if you lock Aadhaar, neither biometric nor OTP verification is possible.
A Little Bit of Paranoia Does No Harm
Since everything is now linked to Aadhaar, be careful while sharing your Aadhaar number with anyone. Not everyone cares about your documents or your data. Your Aadhaar card copy can easily find its way into the wrong hands.
I am quite uncomfortable sharing Aadhaar number and PAN with anyone. These are the most important documents as far as your financial investments and savings are concerned.
With Aadhaar getting linked to almost everything, there is a risk that such information can be misused to access your investments. Today, one form of fraud has come to light. Tomorrow, there will be another. The charlatans will keep finding new ways of defrauding people. They will always be a step ahead of people like you and me.
Hence, if you must share identity or address proof, use other documents such as driving license or passport. Not Aadhaar. Yes, other documents can be misused too. However, the other documents are at least not linked to your investments. Hence, there is some comfort.
If you must share Aadhaar, share the masked version of Aadhaar. It is legally acceptable. You can download the masked version from UIDAI website.
For e-KYC, you can use Virtual ID (VID) instead of actual Aadhaar number. VID is a 16-digit temporary, revocable, and random number linked with your Aadhaar number. Again, you can generate VID from UIDAI website.
Protect your Aadhaar details. These are quite precious.
Additionally, do not keep a lot of money in the savings account. Make a bank fixed deposit. Not only will you earn a higher rate of interest, but your money will also be slightly safer. The remote payments (UPI/AEPS) grant access to only the savings account. If you do not keep much money in the savings account, much less of your money is at risk to such frauds.
Please note that sweep-in accounts won’t help here. With a sweep-in facility, any excess cash in the savings account gets transferred to a bank fixed deposit. Later, if your savings account does not have sufficient money at the time of a withdrawal, the FD is automatically broken and the cash comes back into the savings account. Hence, a sweep-in FD facility wouldn’t provide any protection.
Apart from this, follow safe digital practices.
And yes, enable email and SMS alerts for any debits/credits to the bank account. In case of a fraud, you will get to know quickly and can prevent further damage. Additionally, in this case, you are technically not at fault. I would assume that such a transaction would be considered a third-party breach. And you have no liability if you report such a fraudulent transaction to the bank within 3 days.
And yet another point. Update your mobile and email address in Aadhaar records. While OTP comes on mobile, the authentication status messages are sent over email. With email id and mobile number updated, you will get any updates about any activity on your Aadhaar card.