Fake Fingerprints – A new weapon with Fraudsters
Undoubtedly, technology has become an integral part of every aspect of our life, thanks to the technology revolution we have witnessed in the last two decades. With the ever-increasing digitization in our country be it mobile & data penetration or digital banking platforms, it has become very challenging to safeguard confidential information.
With the abundance of security breaches and the rise of identity theft, it is clear that stronger authentication methods are necessary. Keys and passwords are no longer sufficient data security measures. One such method is biometric security systems. India has one of the best national ID programs Aadhaar, which has the largest database of biometrics for more than 1.3 billion Indian citizens. While we have the best systems are in place to secure the database, a mix of
social engineering and “Indian Jugaad” by fraudsters has exposed us to a completely different risk.
This article focus on biometric security, digital banking using Aadhaar, the rise of new types of frauds and recommendations to overcome such frauds.
Why Authentication is a key factor:
In the cybersecurity world, authentication to someone before allowing any access is the most crucial step. Authentication does a vital check about the identity of the person and if he or she is allowed to access the information
requested. If your authentication system is not strong, you are indeed running a huge risk. There are multiple ways to authenticate i.e. static user name and password, OTP, Hardware token, Dynamic keys, Step-up authentication etc. However, all such authentications are technology-driven and proven to be compromised. Although, human biometrics are somewhat unique and difficult to compromised.
Biometric recognition (also known as biometrics) refers to the automated recognition of individuals based on their
biological and behavioural traits. Examples of biometric traits include fingerprint, face, iris, palm print, retina, hand geometry, voice, signature and gait. Biometrics is the most suitable means of identifying and authenticating individuals in a reliable and fast way through unique biological characteristics. So, the obvious advantage of a biometric security system compared to more traditional authentication methods, such as personal ID cards, magnetic cards, keys or passwords, is that it is intrinsically linked to a person and therefore can not be easily compromised through theft, collusion or loss.
Aadhaar based Authentication
In 2010, the Unique Identification Authority of India (UIDAI) rolled out the world’s biggest biometric based national identity program “Aadhaar” to provide every Indian resident with a unique identification. The rollout of the 12-digit unique identification number Aadhaar is India’s extraordinary attempt to give every citizen a biometric identity and one of the biggest game- changers for India in the past decade. Aadhaar has now become the world’s largest biometric identification—iris and fingerprint scan, with the UIDAI, which has issued more than 1.3 Billion cards.
Apart from a unique identity for each citizen of India, Aadhaar provides an unparallel real-time authentication service. Aadhaar Authentication means the process by which the Aadhaar number along with the demographic information or biometric information of an Aadhaar number holder is submitted to the Central Identities Data Repository (CIDR) for its verification and such repository verifies the correctness, or the lack thereof, based on the information available with it.
Post successful role out of Aadhaar across the country, The government of India came out with an ambitious plan to change the mechanism of transferring cash subsidies and benefits for social welfare. The program was aimed at transfer of subsidies and cash benefits directly to the people through their Aadhaar seeded bank accounts with a hope that crediting subsidies into the bank accounts would substantially reduce leakages, and associated delays, owing to the flow of funds in a multi hierarchy of administrative offices till it reaches the end beneficiary. Primary components in the implementation of Direct Benefit Transfer (DBT) schemes include Beneficiary Account Validation System, a robust payment and reconciliation platform integrated with RBI, NPCI, Public & Private Sector Banks, Regional Rural Banks and Cooperative Banks (core banking solutions of banks, settlement systems of RBI, Aadhaar Payment Bridge of NPCI) etc.
Rise of Aadhaar Enabled Payment System (AEPS)
The whole initiative of the government gave an idea of a new and very unique payment channel in India named the Aadhaar Enabled Payment System (AEPS). AEPS is a secured payment method facilitating the bank account holders to execute their banking/ financial services with the assistance of their biometric at the Micro- ATM.
For efficient transactions, customers are simply required to give their 12 digit Aadhaar Number to a bank official and validate through a biometric fingerprint scanner device called a registered device.
With the outbreak of the COVID-19 pandemic and the imposition of lockdown and social distancing norms, AEPS supported DBT emerged as a boon in providing succour and relief to millions of citizens whose livelihood was impacted. Especially in the rural part of the country, the government support through DBT was very instant and has helped millions of people during the lockdown period. One of the important benefits of this system is that it doesn’t require too much digital literacy, unlike mobile banking. You just need your Aadhaar number and your fingerprint to authenticate yourself and your transaction is done.
There are 9 steps involves to complete the AEPS transaction successfully as described below.
The customer makes an amount withdrawal request in front of a bank correspondent (An owner of Kirana store, SHG – self-help group, PO – post offices can act as a bank correspondent). The bank correspondent (BC) with the aid of biometric Micro-ATM will make a money transfer request by capturing a biometric fingerprint image of a customer/account holder and entering his Aadhaar number.
Now, the bank correspondent’s bank representatives will make a request to central switch at the NPCI for validating the customer.
Central Transaction Processing Switch at NPCI will send an authentication request to the UIDAI system for validating the customer by matching his Aadhaar number & biometric fingerprint impression.
Upon successful authentication of the customer, UIDAI system will send a confirmation message to NPCI switch. NPCI switch will further send a request to debit the withdrawal amount to a customer’s bank account.
Step 5 :
Upon cash withdrawal requisition, the customer’s bank will send the SMS to inform him about the debit request.
The withdrawal amount will now be debited from the customer’s bank and it will connect to NPCI switch again.
The cash amount will be transferred to the bank correspondent’s bank account from the customer’s bank via NPCI switch.
The bank correspondent will now receive an SMS from his/her bank account upon customer’s withdrawal amount getting accredited to the account.
The bank correspondent will lastly hand over the cash amount to the customer and the money withdrawal procedure is successfully completed.
As mentioned earlier, biometrics is meant to be a more reliable solution to security issues like these. Over the past few years, fraudsters have discovered an astonishing number of vulnerabilities in what was believed to be a reliable method of identity data protection; the biometric authentication. However, a new set of sneaky ways to spoof biometric authentication is emerging as a fraud that uses stolen data as hackers have shown that they also come with innovative ways to commit frauds.
Biometric based fraud landscape
Digital frauds are not new. We have seen its rise almost a decade ago and today it has become a well-coordinated and motivated business in India. With Fraudsters are on the move. Fraud attacks are moving higher and as they become more profitable for criminals, they’ll continue on an exponential growth path. Kind of weird social engineering techniques being used by fraudsters, people are easily falling into their trap mostly out of greed or fear.
There are some technical constraints that fraudsters exploit to gain financial benefits. But such frauds can continue till those vulnerabilities are fixed.
Fraudsters are innovative and every time comes with a new technique to commit fraud. So we believed that biometric is the ultimate authentication mechanism but they have proven it wrong. Although there is no technical loophole they have found in the entire Aadhaar based authentication and payment system, the modus operandi they have used is very much alarming.
Modus Operandi – Fake biometrics- based frauds
Here is how they commit frauds using your fingerprint.
- Fraudsters get hold of possible places where a person gives his or her biometric for any non-financial transactions like property registration through some insiders.
- Such records consist of a copy of the fingerprint as well as the Aadhaar card number of the person.
- Fraudsters make an exact replicas of the fingerprint using advanced computer driven technology.
- Once a replica of the fingerprint is made, the fraudster first checks if the Aadhaar card number is linked to any bank account or not. This is important for the fraudster to know before using it for any financial transaction.
- After this, they shortlist those Aadhaar card numbers which are linked to bank accounts and now the fraudster is ready to use the fake biometric along with Aadhaar no. either on AEPS enabled Micro-ATM or a mobile application that allows Aadhaar based payment processing.
- If fraudsters use fake biometric at Micro-ATM, it is mostly under the knowledge of the banking correspondent (BC) as one cannot use a fake fingerprint instead of a thumb impression for such transaction. In this case, money is given by BC to the fraudster upfront upon biometric authentication subject to the availability of the fund.
- If a fraudster uses a mobile app then an account needs to be created online with any App platform by submitting KYC documents i.e. same Aadhaar no and biometric.
- One account is created, fraudsters login into the app of the Electronic transaction processing platform and initiate transactions using biometric device and cloned fingerprint.
- As soon as the transaction is completed, money goes into the wallet of the electronic platform from where the fraudster transfers it to his bank account.
Many such frauds have already been reported. Large no. of stolen biometrics, fake fingerprints on the rubber stamps, scanners, biometric devices etc. have been seized by the police in Rajasthan, Haryana, UP and other places. Though the no. of frauds reported with this new technique are significantly low compared to debit, credit or UPI based frauds, still alarming as it is linked with the Aadhaar system. Therefore, considering the level of the threat it’s an immediate need to revisit the security framework for Aadhaar-based or biometric- based payment processing.
Why it should be a concern:
Frauds in digital banking are now an accepted fact. Frauds will continue to happen as fraudsters always use newer ways to commit such frauds. So far we have witnessed card cloning, vishing, skimming, SIM swap, spear phishing, Remote app, and very effective social engineering techniques by fraudsters. However, those frauds are limited only to the people availing banking facilities.
In other types of frauds, you may become the victim of such frauds because you have either shared your credentials with fraudsters or downloaded some malicious app or must have used your card at the ATM or POS from where the card might have been cloned. However, in this type of fraud, you may not have done any transaction ever in the banking system still you are exposed to such risk if your Aadhaar No is linked with your bank account.
While one of the use cases for this MO is illustrated in this article, there are many other use cases of biometric authentication using Aadhaar. Procuring duplicate identity documents using forged biometric and Aadhaar details viz. Passport, Driving License, PAN etc. This is not only a customer centric issue but also could turn into a serious national security issue.
It’s a hard reality that unlike a password, you cannot change your fingerprints if it is stolen. If the biometric data gets leaked, unlike changing your passwords or creating a new account, people won’t be able to change their fingerprints or their facial structure. The digital infrastructure across the country has grown exponentially in recent times and a large no. of people have used biometric authentication to avail government benefits through DBT during the pandemic time. Although this is not at a technical loophole in the Aadhaar system, still such frauds can bring down the customer trust in the whole ecosystem.
The success ratio of such fake biometrics is around 70%. However, every fraud causes serious damage to an individual or an institution.
Following are the best practices or recommendations that may be considered by individuals and institutions including regulatory bodies to create a deterrent mechanism to combat this new way of fraud.
- As an immediate action to prevent misuse of your Aadhaar biometric, disable your biometric authentication with Aadhaar. There are very simple steps to do so using this link https://resident.uidai.gov.in/bio- lock. You can enable it as and when need to use it for any such authentication. Just disable once it is done.
- Biometric authentication using the Aadhaar database is not needed for everyone every day. However, currently, Aadhaar biometric authentication is by default “enabled” for every Aadhaar holder. This can be tuned to be “disable” by default if not for all, at least those who have not used their biometrics ever in the last 6 months or so.
- When Aadhaar was rolled out, mobile penetration wasn’t that high that time. However, there are no conscious efforts made so far to link mobile no. with Aadhaar No. unlike mapping of Aadhaar No with the bank account. If mobile no is linked with Aadhaar No. a person can use “mAadhaar” on registered mobile no. Also, every time an Aadhaar holder gets a notification through SMS about any activity that takes place with his or her Aadhaar No.
- For those who are using a basic feature phone, IVR facility in vernacular languages to disable/enable their biometrics can be a great support in preventing such frauds.
- While AEPS is using two factors authentication i.e. Aadhaar No. (What you know) and biometrics (What you have), an additional layer of authentication may be an IVR call or OTP need to be introduced as the maximum users of these payment channels are in the rural part of the country.
- A centralized cybercrime reporting portal at www.cybercrime.gov.in is the best way to report such frauds. But again this would be difficult to be accessed by people in rural parts due to various limitations. Hence a centralised AEPS fraud reporting/helpline would be helpful for easy reporting of such frauds.
- For a long term solution, it may be considered to use “Advanced Liveness Models” with facial and iris biometrics to replace fingerprints. Or simply extend the authentication through Aadhaar to the next level using Iris & Facial recognition.
- Fingerprint scanner technology should be advanced to differentiate between normal finger pressure and artificial finger pressure. AI/ML models can be deployed for more accurate predictions.
- Customer Education programmes should be initiated for the usage of blocking/unblocking of the Aadhaar biometric. These should be run in various vernacular languages for maximum outreach.
About the Author:
Bharat Panchal is currently working as Chief Risk Officer- APAC, Middle East and Africa at FIS Global & former Chief of Risk @ NPCI. He is well-known risk professional globally having rich experience in the areas of digital risk and cyber security. He regularly writes about best practices in digital risk management, cyber related frauds and risk governance. He can be contacted on firstname.lastname@example.org
Views expressed in this article are purely personal. The images used for representation purpose only.