Earlier this year, Urmila Kumari, a resident of Nawada district in Bihar, lost 57,900 rupees to a scam where her fingerprints were cloned.
Kumari was able to locate the receiver, who admitted to his crime and promised to return the scammed money, pleading her to not file an FIR.
It’s not just Kumari. The Bihar police is tired of frauds through the AePS (Aadhaar Enabled Payment System).
In July this year, the Nawada police formed a special investigating team (SIT) to arrest two people and recovered 512 cloned thumb impressions made of plastic- like substances. A scam has been brewing in the state of Bihar, and it targets the poor who are semi-literate and use the AePS for banking.
The AePS was launched in 2014 by the Indian government to empower people of villages with few or no bank branches but it has now become an easy way for scammers to dupe them. All that the scammers need are Aadhaar card numbers and cloned fingerprints.
"People easily fall victim to the fraud because it is unimaginable that one can be duped via just thumb impressions and Aadhaar details," SP, cyber crime division of Bihar, Sushil Kumar told Decode.
What Is AePS?
AePS is a Unique Identification Number (UID) based payment system where bank account holders can perform financial transactions using Aadhaar based authentication and biometric information which includes iris scan or thumb impression.
In simple terms, AePS is a banking system where customers need not visit a bank or have an ATM card to withdraw or deposit money. A customer has to just visit any customer service point (CSP) or business correspondent. CSP or business correspondent is a retail agent which is engaged by banks to provide limited banking services.
Under this system, a bank account holder has to give their 12 digit Aadhaar number and bank account number to CSP or business correspondent. After giving these details, the retail agent will then ask the bank account holder to put his/her thumb impression on PoS (point of sale) machine. If the thumb impression is verified then the customer can withdraw or deposit cash.
The two people that the police arrested would roam around villages promising instant loans and ration cards. And in lieu of those promises they obtained the unsuspecting villagers’ thumb impressions.
But the police are yet to identify the people whose thumb impressions were recovered from the accused as they have no supporting documents.
"The main problem is that we lack evidence of this fraud. Though we locate the place where transactions have taken place, we can't identify who did this until the scammers have transferred money instead of withdrawing the cash amount," a police officer at the cyber unit told Decode.
A top police official told Decode that the exact volume of financial frauds through Aadhaar Enabled Payment System (AePS) is unknown. "Many victims do not lodge FIRs because they don't have mobile phones to get instant bank transaction messages. They only come to know about the fraud when they visit the banks," he added.
Something similar happened to Indradev Yadav, a resident of Pararia village of Nawada district. Between March 1 to August 5 this year, scammers siphoned off 3.07 lakh rupees from his State Bank Of India account, but he was unaware of it. "I came to know when I visited the bank to withdraw my money," he says.
"I have a mobile phone but I am not educated to read the message so I didn't know that the fraud was happening since March," Indradev Yadav says.
He said that he has been withdrawing money from two CSPs and the operators are responsible for the scam. Although he has named them in his complaint to the police, the CSPs are still operating.
On June 19 this year Vinod Kumar Chaudhary sent 8,000 rupees to his wife Seema Devi’s bank account from Surat in Gujarat where he does embroidery work. Seema immediately left for the bank to withdraw the money.
She was on the staircase of the bank when she received a message on her phone that the money she was to withdraw has been debited from her bank account leaving her with an available balance of just 5.12 rupees.
She was shocked. “We are poor. I belong to the Pasi community (scheduled caste) and I have just one room to live. The 8000 rupees was big money for us,” Seema Devi, resident of Nadsena village in Nawada district of Bihar, told Decode.
More shocks followed. When she informed the bank, the bank officials told her that the money was withdrawn through AePS using her thumb impression and Aadhaar details.
"We know that every person has a different fingerprint, then how do scammers get another person's fingerprints?" she asked.
The confusion is seen among the police officers too. "We are training our officers, so that we can get the cases investigated effectively and in a time bound manner," Cyber SP Sushil Kumar said.
"The Aadhaar enabled payment system (AePS) is enabling financial inclusion for those at the bottom of the income pyramid. In April 2023, more than 200.6 million last mile banking transactions were made possible through AePS and the network of micro ATMs (also called PoS), a press note issued by Press Information Bureau (PIB) on 22nd May, 2023 reads.
The state of Bihar which has about 45000 villages has just 7713 bank branches and 6944 ATMs as of 31st March 2022. If this growth is compared with 2021 data then bank branch opening data reported negligible growth whereas opening new ATMs reported just two percent increase, according to the Bihar economic survey 2022-23.
The economic survey report says that the state has 40,842 CSPs as of 31st March 2022 which is 30.2 percent higher compared to 31st March 2021, when there were 31095 CSPs.
The data clearly indicates that a large number of the rural population is using AePS for money for banking transactions.
In May this year, John Brittas, Rajya Sabha MP of CPI (M) had written a letter to Prime Minister Narendra Modi to take cognizance of cyber financial fraud through Aadhaar Enabled Payment System. He wrote, “Though intended as a bank-led model to promote financial inclusion in rural areas using Aadhaar authentication to allow online interoperable financial inclusion transactions, AePS has been deftly exploited to deceive the very people it was designed to assist.”
“While AePS may not enjoy the same level of popularity as Unified Payments Interface (UPI), it is still pertinent to note that an average cash withdrawal of around Rs.1000 crores is being carried out using this system every day,” he wrote.
The Many Ways To Get Fingerprints
An investigating officer at the Nawada cyber police station told Decode that scammers are taking thumb impressions and Aadhaar details of villagers through various methods. It ranges from posing as government employees by luring them to get benefits of government schemes. Apart from this, they often take biometric details offering instant loans at cheaper rates, the officer said.
The scammers then get the unsuspecting villagers' thumb impressions deceitfully on M-seal, a multi-purpose sealant mostly used to stop leakages in pipes or filling up holes. It is like dough. So when a person puts his thumb on it, their fingerprint gets imprinted.
In the recovery of 512 cloned thumb impressions investigators have found the same modus operandi.
A police officer who is investigating the case says, "They would put glue on the M-seal where the thumb impression was put. After the glue dries, the imprint gets on that. This way they would withdraw money from people's bank accounts."
Nawada DSP Priya Jyoti says, "We are sending the seized fingerprints to a forensic lab to ascertain if these fingerprints are real. We will also investigate how many people were scammed by them."
The scammers are using thumb impressions from land registry papers as well.
"They connivance with the lower level employees of the Land Records Department and extract documents related to land registry, where people's thumb impressions and information related to Aadhaar card is mandatory," the police officer says.
The scammers who siphoned off money from Urmila Kumari's account had extracted her thumb impression and Aadhaar related information from the documents submitted to the land record department.
Sudhir Kumar, husband of Urmila Devi told Decode, "In May this year I had bought a piece of land and made my wife the owner of the land. We had submitted documents to the registry office. The documents had my wife's thumb impression and photocopy of her Aadhaar card."
The couple lodged an FIR in Nawada cyber police station on July 5. The police initiated the investigation and arrested two persons.
Police recovered 314 bundles of land related documents which contained thumb impressions, two fingerprint scanning machines, ATM cards, bank passbooks and photocopies of Aadhaar cards from their possession.
"Police informed us that scammers had got my fingerprints, Aadhaar details from land documents," Urmila says.
The accused were using different techniques to make cloned fingerprints from paper.
"They would first get the fingerprint scanned from the land papers. Then they would print the fingerprint on plastic paper and put fevicol on the fingerprint. They would keep the plastic paper under a fan for 10 to 12 hours to dry the glue. This way they would get a cloned fingerprint," DSP Priya Jyoti says.
In Purnia as well at least half a dozen persons were arrested who would extract land documents of other states from government websites and prepare cloned fingerprints using trace papers.
In some cases, CSP operators were found involved in the scam. On July 2, Gaya police arrested one Rajiv Kumar, CSP operator for withdrawing 18,000 rupees from Dukhni Devi's bank account.
Yogendra Bind, Dukhni Devi's son, in his complaint to Alipur police station in Gaya alleged that on June 1 this year, a CSP operator called Dukhni Devi to his home and took her fingerprint three times promising her to make Shram card. Shram cards help workers in availing insurance, pension, and other social security benefits easily.
An amount of 18,000 rupees were withdrawn altogether.
Cyber experts suggest that people should avoid submitting Aadhaar card details as identity proof everywhere. "If it is not mandatory, people should use a driving license or other documents as identity proof instead of an Aadhaar card," Chandan Roy, territory manager of Indian School of Ethical Hacking (ISEH) told Decode.
"There should also be proper scrutiny of CSP operators and business correspondents, because transactions are done through them," he added.
Partha Pratim Chakraborty, information security analyst at ISEH suggests that there should be multi factor authentication in AePS.
"Like online banking transactions, there should be multi factor authentication in AePS as well. This can stop the scam to a large extent as a mobile phone remains with customers so scammers can not scam seating at any place. They will need an account holder with them to tell OTP," Partha Pratim Chakraborty told Decode.