New Delhi: The Ministry of Home Affairs (MHA) has written to states and union territories (UTs) expressing concern about the “misuse” of the Aadhaar Enabled Payment System (AEPS) by cybercriminals to commit financial frauds, ThePrint has learnt. Is.
In a letter dated February 21, the Indian Cyber Crime Coordination Center (I4C) – the MHA’s nodal agency for dealing with matters related to cybercrime – wrote that cybercriminals are using biometric data of Aadhaar users uploaded on state registry websites. are “cloning” those that host the sale. Deeds and Agreements. ThePrint has seen a copy of the letter.
I4C wrote that this data has been “cloned” with the intention of making unauthorized withdrawals through AePS. The agency asked state and union territory governments to instruct their revenue and registration departments to “mask” fingerprints on documents while uploading them on registry websites.
I4C also advised state agencies to investigate complaints about such crimes, sensitize victims and organize awareness campaigns. “Cyber criminals are misusing the Aadhaar Enabled Payment System (AePS) to commit financial frauds, as the system allows any user to deposit cash, withdraw cash, transfer funds and verify details using Aadhaar number and biometrics. allows.”
The Print reached out to the Home Ministry spokesperson for comment via text message, but did not receive a response till the time of publication. This report will be updated when a response is received.
Read also: From UPI to Aadhaar, Modi govt showcases ‘India Stack’ of digital gifts for global adoption
modus operandi
According to the letter, I4C analyzed the nature of complaints and related data and interacted with police organizations and investigative agencies to understand the patterns adopted by cyber criminals.
“Analysis of the modus operandi of AePS cyber financial frauds reveals that biometrics information (registration of various deeds like sale deed, agreement for sale, etc.) uploaded on the registry websites of states are downloaded by criminals, Which is ‘cloned’ to be carried forward. Unauthorized withdrawal using AePS. Revenue and registration officers may be requested not to put fingerprints on publicly available documents,” the letter said.
Several serving and retired IPS officers, well-versed with the nature of cybercrime, said these issues were also discussed in the three-day All India Conference of Directors General of Police (DGPs) held in January this year.
In a presentation at the conference, I4C identified 20 districts in six states and one union territory — Rajasthan, Jharkhand, Bihar, Uttar Pradesh, Haryana, West Bengal and Delhi — which is 70 percent of the total, according to home ministry sources. . Cyber crime complaints filed in India.
The agency in its presentation also suggested that the MHA introduce legal amendments to classify cybercrimes as organized crimes and seek the intervention of the finance ministry to frame regulations to monitor policies of loan apps and payment aggregators. demands.
what the experts say
On the concerns raised by the former IPS officer in his letter to the States and Union Territories by I4C Nandkumar Sarvade told ThePrint, “Aadhaar was supposed to be secure data, but security is a complex area and is not static. It varies depending on the circumstances.
“But in this case, why are the fingerprints being uploaded? Can there be an alternative to verify a person? And what about existing data? Can it be removed? These are some relevant issues that the government can now consider,” said Sarwade, who has also served as director, cyber security and compliance, at NASSCOM.
Stating that there are mechanisms available to secure government sites that hold bulk sensitive data, he said, “In fact, there should be some system that sends alerts when such data is downloaded in bulk.”
Former IPS officer Rajan Medhekar, who retired as the Director General (DG) of the National Security Guard (NSG), said, “If Aadhaar data is being cloned, it can be detrimental to national security.” There are many critical components of security. Servers of sensitive establishments, banks and healthcare facilities are some of them. We are already facing cyber attacks in 2017.”
He said, “I also feel that why do departments need to upload one’s biometric data on a public website? They can generate a unique identification number and use it for verification.”
(Editing by Amritansh Arora)
Read also: Govt’s information wing warns against sharing Aadhaar copy, withdraws note after 48 hours