Cyber criminals always look for new and innovative ways to steal personal information and rob money from innocent victim. Fingerprint cloning has become a new weapon in the arsenal of hacker. Noida police has busted a Lucknow based gang of hackers who were siphoning off money from victims’ bank accounts by cloning fingerprints and withdrawing money through Aadhar Enabled Payment system (AEPS).
In recent incident Noida police has arrested a group of hackers who are skilled in cloning fingerprints and registering fake Aadhar cards. As per the investigation by the Noida police, cybercriminals were exploiting a vulnerability in AEPS registration and authentication process. AEPS allows customers to make payments using their Aadhaar number and by providing Aadhaar verification at point of Sale (PoS) or microATM. It was found that gang was withdrawing money by cloning the fingerprints and Aadhar card number.
For enrolling a new user to Aadhar database requires an authorized enrolment operator, who can access Unique identification Authority of India (UIDAI) system by using his biometrics and a scan of his retina. In this case, Hackers had stolen the images of fingerprints of Aadhar enrolment operators, printed these images on butter-paper and placed these fingerprints on a sticky organic substance similar to gum and then exposed to ultraviolet light. At the end the whole process fingerprints are imprinted on that gum like substance and ready like a runner stamp and can be used on a biometric reader. It was also found that hacker have got some other ways to bypass the retina authentication but how it was done is not understood yet.
fig: Glue like substance used for imprinting fingerprint.
Hackers were subverting the UIDAI login and authentication process by exploiting the weakness in the registration and verification process.
In this case it was found that for AEPS only fingerprints and Aadhar number is required. Customer does not receive an OTP, which should be mandatory for any card-based payment. It is always advised that two-factor authentication is followed for such transactions. This will not only increase the security such financial system but also make it difficult to bypass two-layers of security.
What is Aadhar Enable Payment System (AEPS)?
AEPS is an Aadhar based payment system through wich anyone can make financial transaction. AEPS allows customers to make payments using their Aadhaar number and by providing Aadhaar verification at point of Sale (PoS) or micro ATMs.
The only inputs required for a customer to do a transaction are:
It is never possible to make all the system 100% secure. By either way hackers find a way to break into the system. We should never rely on technical protection only. We should use combination of technical and human awareness while enrolling and making any online payment or at point-of-sales.
Reference of the news: https://www.the420.in/hacker-arrested-in-noida-for-stealing-money-by-cloning-fingerprint/