Fraud Alert: Aadhaar 'Lightning' Strikes Individuals and the Tax Dept
Ever since the Unique Identification Authority of India (UIDAI) created Aadhaar as a unique biometric identity for residents of India, it has dismissed all doubts and queries by being in permanent 'denial mode'. Moneylife has been reporting, analysing and highlighting issues with Aadhaar through hundreds of articles, even before its formal launch as the brainchild of tech-czar Nandan Nilekani. But, supported by both the United Progressive Alliance (UPA) and then through the about-turn on the issue by the National Democratic Alliance (NDA), Aadhaar continues to march on with some patchwork course corrections and band-aid protection offered to hapless Indians who have been forced to acquire the identification. 
A few years ago, Moneylife reported how Aadhaar data of individuals was floating freely on the internet. At that time, UIDAI tweeted that Aadhaar is just like any other ID and need not be treated as a confidential document. "By simply knowing someone's Aadhaar, no one can impersonate & harm him because Aadhaar alone is not sufficient, it requires biometrics to authenticate one's Identity," it was asserted.
Unfortunately, this is not true. With no one ready to take any responsibility for data leaks and misuse, Aadhaar-holders are virtually living under a sky full of lightning without an iota about who would be hit next. (Read: Aadhaar Nightmares Coming True. How Ameya Dhapre Is Enduring 'Living Hell' with His Aadhaar: Report
Every day, there are reports about police arresting one or the other gang for crimes committed using the Aadhaar information of individuals. In most cases, the criminals have successfully created rubber or silicone fingerprints of the original Aadhaar-holder to withdraw money from bank accounts linked with the 12-digit number. 
You may be shocked to learn that misuse of Aadhaar is not merely affecting individuals; banks and the tax authorities have also fallen prey to Aadhaar fraud. 
Aadhaar Rampage Continues
The Uttar Pradesh (UP) police, in coordination with the cyber cell department, has busted an inter-state cybercriminal gang from the Bhadohi district and recovered 194 'thumb clones' from their possession. These thumb clones were tagged with the Aadhaar number and account number of many bank customers.
UP police arrested Rishi Raj Singh from Saraon in Prayagraj and Rohit Kumar from Mau, who are alleged members of an inter-state gang of cybercriminals, says a report from News18.
Rajesh Bharti, additional superintendent of police (SP), told the portal that the duo had been found cloning thumb impressions from sale deeds available on various websites and siphoning money from bank accounts linked with Aadhaar numbers through point of sale (PoS) machines. "It was also found that the fraudsters withdrew money by forging biometric thumb impressions and abusing the Aadhaar-enabled payment system (AePS). They copy thumb impressions on butter paper from various websites to create duplicate silicon thumbs," Mr Bharti says.
According to the records, more than 6,000 cyber fraud cases have been registered so far in UP. "Cases of Aadhaar-enabled payment system -AePS are on the rise. It has been observed that people, especially in the rural pockets, are soft targets to these cyber 'thug' gangs, who make clones of the thumb impressions of the target to make withdrawals from their accounts using AePS. There are more than 100 such cases that have been reported from Uttar Pradesh. We often carry out random checks of the 'Jan Suvidha Kendra' and create awareness programmes in the rural pockets to create awareness among the people," Dr Triveni Singh, SP, cybercrime, told News18.
AePS enables a person to withdraw money from their bank account using a local business correspondent anywhere in the country, and this also makes it easy to cheat people.
The over-dependence on a flawed Aadhaar system continues to cause difficulties for people. In March, even the national cybercrime reporting portal of the Union ministry of home affairs (MHA) warned about online financial fraud using the AePS without needing a one-time passcode (OTP).
As if frauds related to AePS were not enough, criminals have used the Aadhaar data of unsuspecting people to fraudulently obtain goods and service tax (GST) registrations in their name. Investigators have found that at least 25% of the estimated Rs20,000 crore of fake billing occurred in Gujarat. 
A report from Times of India (ToI) says, Mohammad Tata, the alleged kingpin of another fake billing scam worth Rs739 crore involving Madhav Copper Ltd, has been shifted from Sabarmati jail in Ahmedabad to Bhavnagar, to probe his involvement in the Aadhaar-GST fake billing scam. "This adds credence to the claims of top state GST (SGST) officials who say Bhavnagar was the epicentre of major bogus billing scams taking place across the state and across the country."
"The investigators made a breakthrough after detecting a new modus operandi: fudging Aadhaar data to obtain permanent account number (PAN) cards and GST registrations. GST registrations obtained using fudged Aadhaar data have been found in all major states," a source told the newspaper.
So far, at least 24 persons have been arrested in connection with the case.
Over the years, Moneylife has constantly been highlighting risks associated with Aadhaar-based payment solutions and how they can be used to propagate money laundering—make money transfers unauditable, propagate money laundering and financial fraud. (Read: How Aadhaar linkage can destroy banks). 
According to privacy researcher V Anand, biometrics are easy to fool and have several examples, but no one seems to have cared. "We can finally see ghost loans, ghost bank accounts and chimaeras with different fingerprints, iris scans and photographs in action."
Commenting on the Aadhaar-GST fraud, he says it appears to be a job of scammers who invented the 'fraud stack', an innovative and shadow stake, which is a mirror image of the 'India Stack'.
According to the ToI report, the Indian Cyber Crime Coordination Centre (I4C) — the MHA's nodal agency to tackle matters related to cybercrime — asked the state and Union territories (UT) governments to direct their revenue and registration departments to 'mask' fingerprints on documents while uploading them on the registry websites. I4C says cybercriminals are 'cloning' the biometric data of Aadhaar users uploaded on states' registry websites that host sale deeds and agreements, intending to carry out unauthorised withdrawals through AePS.
This brings us to the main question: How will an individual Aadhaar holder protect him/ herself from such frauds taking place without their knowledge? You can't. Because there is simply no system that can help you find out how many places your Aadhaar has been used (with or without your knowledge). 
Many people assume that their Aadhaar number is linked to their bank account. But in case there is more than one bank account, you would not know which one is linked with the Aadhaar. Remember the case of a senior citizen who found that her Aadhaar was linked to her bank account in another city and not the one from which she wanted to withdraw money through the banking correspondent? This is a flaw in Aadhaar systems which takes into account only the recently-linked bank account as valid for transactions.
While there is no solution to the misuse of your Aadhaar number by criminals, with or without your knowledge, you can follow a few steps to lock the 12-digit number to prevent its misuse.
How Do you Protect Aadhaar from Misuse?
1. Never share your 12-digit Aadhaar number or 16-digit virtual Aadhaar number with any unknown or unauthorised entity.
2. Never share a copy of your Aadhaar with anyone without mentioning the purpose and date written on it (it can be done while self-attesting the photocopy)
3. Lock your Aadhaar (you will have to visit and first create a 16-digit virtual ID before locking/ unlocking your Aadhaar number)
4. Register your mobile number or email ID with UIDAI, if not already done (this will help you to receive an alert in case someone uses your Aadhaar for identification purposes and is trying to verify it).
5. For making changes in your demographic details like name, address, date of birth, gender, mobile number, and email, visit only an authorised Aadhaar enrolment centre.
How To Report Cyber Fraud?
Do report cybercrimes to the National Cyber Crime Reporting Portal or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c). 
If the fraud is related to your bank account, you need to immediately send an email to the official email ID of your branch (you can find it on the bank's website or your passbook) with a copy to the bank's customer care. Even if you have called the official number for customer care, you must still send an email describing your conversation with the bank executive, along with the time, date, and duration of the call. This will be helpful if you face a liability issue with the bank.
Debashis Roy
1 year ago
This is really a critical issue . In everywhere frm bank account to PAN linking, Voter linking, Ration Card linking, and even hotel booking to travel by train we have to produce aadhar. But we r unable to know why and for what purpose the aadhar have to produce or link. It may help the Administration but not individual citizen.
1 year ago
these types of critical details govt should ensure that it highest security which no one decipher and have no of layers of operation to prevent fraud since it is linked to bank /it and lot of other financial instruments etc
Free Helpline
Legal Credit