Online transactions have picked up. So have the frauds, which are getting more creative and sophisticated.
Recently, I came across a bizarre method of fraudulently withdrawing money from bank accounts.
A victim shared the following incident on LinkedIn.
The money was withdrawn through the Aadhaar Enabled Payment System (AEPS).
Going by the victim’s account, he is simply NOT at fault. He didn’t share account details, card number, CVV, or OTP. Still, the money was withdrawn.
If biometric verification is not safe, what else is?
Note: I understand we can’t take anything we read on social media at face value. I have not verified the victim’s claim independently. However, the post does raise some valid concerns and issues around the Aadhaar payment system.
Are you at risk too?
Unfortunately yes. Given the way AEPS works, your money may be at risk too.
The good part is that, irrespective of whether this fraud happened due to customer negligence or due to a system flaw, there is a preventive measure that protects your bank account from such frauds. It is simple and causes no inconvenience.
However, before we get there, let’s find out more about the Aadhaar Enabled Payment System (AEPS) and how money could be fraudulently withdrawn despite biometric verification.
What is the Aadhaar Enabled Payment System (AEPS)?
This system allows you to access/transact in your bank account using your Aadhaar credentials.
Using this system, you can withdraw or deposit cash, check your balance, access a mini statement, perform an Aadhaar-to-Aadhaar bank transfer, and make Aadhaar Pay merchant payments.
The most important part: you don’t have to sign up for this.
You are auto-enrolled for this feature. Since your Aadhaar number is seeded in your bank account, this facility is already live for you.
How to withdraw cash using the Aadhaar Enabled Payment System (AEPS)?
Since the post is about cash withdrawal using AEPS, let’s focus on cash withdrawals only. For a cash withdrawal, you need three elements:
- Your Aadhaar number
- Bank name
- Biometric verification
And a micro-ATM or any AEPS enabled terminal (available with banking correspondents) to transact. I have never used one.
Bank name (the second element) is where the magic happens, and it is also where the risk lies. You do not need the bank account number, just the bank name. Since your Aadhaar number is seeded in your bank account, the system can look up the account number on its own. If you have multiple bank accounts with the same bank, the withdrawal will happen from the primary bank account.
What are the transaction limits for Aadhaar Enabled Payment System (AEPS)?
Cash withdrawal limit: Rs 10,000 per transaction. This limit is set by NPCI. Note that this is a per-transaction limit.
Fund transfer: RBI does not impose any limit. The limit is set by respective banks.
How can AEPS be used for frauds?
Any system that requires biometric verification should be quite safe, right?
However, it seems that, in this case, the perpetrator was able to lift a fingerprint impression from property registration documents. Please note this is conjecture.
At the same time, we can’t ignore that cash was withdrawn after biometric verification. The account holder has stated that he didn’t withdraw it. This means the scammer somehow got past the biometric verification and managed to withdraw the cash.
Remember you need Aadhaar number, bank name, and biometric verification to withdraw.
The registration documents may have the Aadhaar number too.
What about the bank account number?
Well, you don’t need the bank account number for an AEPS withdrawal. You only need the bank name. Hence, the fraudster can find out the bank name by simple hit-and-trial: keep selecting different banks until you hit the right one. That’s what happened in this case too, going by the multiple successful and failed verification attempts in the victim’s Aadhaar authentication history.
We cannot rule out connivance of the banking correspondent either.
What should you do to prevent Aadhaar Payment related frauds?
To address this, we must look at what you need in order to transact under AEPS and then try to plug the gaps there.
#1 Your Aadhaar Number
That shouldn’t be difficult to obtain. After all, some of us share a copy of our Aadhaar card with almost everyone, for almost anything. That is not safe. This information can fall into the wrong hands.
Exercise caution while sharing your Aadhaar number or a copy of your Aadhaar card with others.
Aadhaar and PAN card are the most important documents when it comes to financial investments. Do not share a copy of Aadhaar card (or PAN) with anyone unless it is mandatory.
You can use other forms of identity proof. For instance, you can share a driving licence, Voter ID card, or even a passport. While scammers can find ways to defraud using these documents too, I am still more comfortable sharing copies of these documents than sharing copies of my Aadhaar or PAN card.
If you must share a copy of your Aadhaar card, share a masked copy. In the masked copy of Aadhaar, the first 8 digits are masked and only the last 4 digits are visible. The masked copy of Aadhaar is also legally acceptable. You can easily download the masked e-Aadhaar from the UIDAI website.
For online e-KYC services, you can use a Virtual Identifier (VID) instead of your Aadhaar number. The VID is a 16-digit temporary and revocable number mapped to your Aadhaar number. The Aadhaar number cannot be derived from the VID.
#2 Bank name
This won’t really save you.
Remember you only need the bank name to transact (not the bank account number).
A fraudster can simply use hit-and-trial method. Keep on trying with different bank names until he/she hits the bank where you have a bank account.
#3 Biometric Verification
This should be foolproof, shouldn’t it?
How can anyone forge your fingerprints? But it seems fraudsters have found a way around this.
The good part is that you can disable biometric verification for your Aadhaar. If biometric verification is disabled for your Aadhaar, such frauds can’t happen.
Hence, if you do not foresee any use of Aadhaar biometric verification in the near term, you can simply lock biometric verification for your Aadhaar.
How to lock/unlock biometric verification for Aadhaar?
You can instantly lock/unlock biometric verification in two ways:
- Through the mAadhaar app
- Through the UIDAI website
On the website, you just need to log into your Aadhaar account using your Aadhaar number and an OTP.
After logging in, you will get an option to lock/unlock your Aadhaar for biometric verification. This can be done instantly.
Most of us don’t use or need biometric verification on a regular basis. In such cases, the default state should be “biometric verification locked”.
When you need to complete biometric verification, you can temporarily enable/unlock biometric verification and then lock again once your work is done.
Both locking and unlocking can be done instantly.
Note: There is an option to lock your Aadhaar itself as well. When you lock only biometric verification, you can still do OTP-based verification. When you lock Aadhaar, both biometric and OTP verification are disabled.
Don’t stop at just this
Follow safe digital practices. If you don’t, there is no dearth of scammers trying to make quick bucks out of your recklessness.
Keep your mobile number and email address updated in your Aadhaar records. As you can see, you need OTP to log in to your Aadhaar account. Without OTP, you can’t access your Aadhaar account.
Updating the email address in your Aadhaar records is also important. Whenever you use biometric or OTP verification, you get a notification over email (not on your mobile number) about the success or failure of that authentication.
In the incident shared above, the victim claims that he did not get any notification emails. When he checked the authentication history in his Aadhaar account (this can be done from the UIDAI website), there were many successful and failed authentication attempts. There could be two reasons for this.
#1 The victim did not have an email address updated in his Aadhaar records, or the primary email address (the one he checks regularly) was not the one on record. OR
#2 The system didn’t send notifications to the victim. This can happen due to technical issues.
I am more inclined to go with the first option.
If the victim had received notifications about such failed/successful verification attempts, he could have acted and prevented such fraud attempts.
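The authentication history is the one record that would have exposed this fraud early. As an added illustration (not from the original post), here is a small detector run over a constructed history that flags the pattern described above: fingerprint attempts against several different banks in quick succession, ending in a success. The record format, bank names, timestamps and the 30-minute window are all assumptions; UIDAI’s actual history export looks different.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    mode: str   # "BIO" for fingerprint, "OTP" for one-time password
    aua: str    # requesting agency / bank name as shown in the history
    ok: bool    # True = authentication succeeded


# Constructed sample history (not real UIDAI data): a burst of fingerprint
# attempts against different banks that ends in a success (the hit-and-trial
# pattern), then a legitimate OTP login by the account holder two days later.
SAMPLE_HISTORY = [
    AuthEvent(datetime(2023, 3, 14, 10, 2), "BIO", "Bank A", False),
    AuthEvent(datetime(2023, 3, 14, 10, 3), "BIO", "Bank B", False),
    AuthEvent(datetime(2023, 3, 14, 10, 5), "BIO", "Bank C", False),
    AuthEvent(datetime(2023, 3, 14, 10, 7), "BIO", "Bank D", True),
    AuthEvent(datetime(2023, 3, 14, 10, 9), "BIO", "Bank D", True),
    AuthEvent(datetime(2023, 3, 16, 18, 30), "OTP", "UIDAI portal", True),
]


def find_hit_and_trial(events, window=timedelta(minutes=30), min_banks=2):
    """Group fingerprint (BIO) events into time windows and flag any window in
    which failures came from at least `min_banks` distinct banks. Each flagged
    burst records the banks that failed and the bank that finally succeeded
    (None if every attempt in the burst failed)."""
    bio = sorted((e for e in events if e.mode == "BIO"), key=lambda e: e.when)
    bursts, i = [], 0
    while i < len(bio):
        j = i
        # Extend the window while the next event is within `window` of the first.
        while j + 1 < len(bio) and bio[j + 1].when - bio[i].when <= window:
            j += 1
        chunk = bio[i:j + 1]
        failed = sorted({e.aua for e in chunk if not e.ok})
        success = next((e.aua for e in chunk if e.ok), None)
        if len(failed) >= min_banks:
            bursts.append({"start": chunk[0].when, "end": chunk[-1].when,
                           "banks_failed": failed, "success_at": success})
        i = j + 1
    return bursts


if __name__ == "__main__":
    for burst in find_hit_and_trial(SAMPLE_HISTORY):
        print(burst)
```

A burst whose `success_at` is set is the case worth acting on immediately: a withdrawal may already have gone through at that bank, and the biometric lock should go on before the next attempt.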
And yes, do check your SMSes and emails regularly.
What are RBI guidelines for online frauds?
In the year 2017, RBI released a circular limiting the liability of customers in Unauthorized Electronic Banking Transactions.
Note: I am not sure whether this will be considered an online (electronic banking) fraud.
Online banking frauds can happen due to 3 broad reasons. The customer’s liability will depend on the type of fraud and the time he/she takes to report the fraudulent transaction to the bank.
#1 If the customer is at fault
You share OTP/CVV or payment credentials with the fraudster.
You take the full hit until the fraudulent transaction is reported to the bank.
Any loss that happens after the transaction is reported will be borne by the bank.
#2 If the bank is at fault (due to their negligence)
You have zero liability. This is irrespective of whether you report the transaction to the bank or not.
#3 If the fraud happens due to a third party breach
Neither the customer nor the bank is at fault.
In this case, the customer has no liability if the fraudulent transaction is reported to the bank within 3 days of the transaction. Beyond that, there is a matrix that determines customer liability.
Now, in my opinion, AEPS related fraud should be construed as a third-party breach. The customer is not at fault or guilty of negligence of any kind. The bank is obviously not at fault since it rightly honoured the withdrawal request through biometric verification.
Of course, the customer will have to prove to the bank that he/she did not do biometric verification. The bank would obviously contest that. After all, the biometric verification was used for withdrawal. It won’t be that easy.
You can never be sure how the bank will respond to your request. However, it clearly makes sense to report the fraudulent transaction to the bank as soon as possible.
And you won’t report unless you get to know about the fraudulent transaction. Thus, get your mobile number and email address updated in the bank accounts.
Also, this is not the last innovative way of defrauding people like you and me. These charlatans will keep finding new ways. You need to be alert. A little bit of paranoia does not harm.