Refraining from disclosing One Time Passwords (OTPs) or not divulging bank account information may sound like a foolproof idea to avoid falling into the trap of scammers. However, cybercriminals have found a way to surpass these checks and attack biometric ATMs to drain users’ bank accounts.
The scammers are now leveraging AePS banking to execute scams. AePS is a Unique Identification Number (UID) based payment system where bank account holders can perform financial transactions using Aadhaar based authentication and biometric information which includes iris scan or thumb impression. This means one just needs the bank name, Aadhaar number and biometrics captured during enrolment to withdraw money.
Earlier Decode documented such cases of scams in Bihar where the scammers were targeting the poor who were semi-literate by cloning their fingerprints. Such incidences of scams are being reported in West Bengal too at an alarming rate.
According to a report by Times of India, three divisional cyber cells in Kolkata -South, Southeast, and suburban South- have reported 37 cases of AePS fraud in August alone. What remains difficult for the police to track is how the scammers get access to the biometric details of victims.
How do scammers acquire people's fingerprints?
Sourajeet Majumdar, an independent security researcher, helped Decode in unfolding the modus operandi of the ongoing scam in West Bengal. Majumdar highlighted that this time the scammers were not deceitfully cloning fingerprints from M-seal, but stealing them from land registry offices. According to some media reports, Kolkata Police Cyber Cell has also suspected the same.
At land registry offices, it is mandatory to provide the fingerprint on the official land deeds. On digging further, it was found that it is possible to download a digital copy of any land deed after entering few details like Deed Number, Year of Sale and so on. "Any cybercriminal would not have those details nor would he want to leave a footprint on a government website through transaction history, as every download requires a nominal payment," said Majumdar.
However, there is another feature in the site, called the AIN, that lets one download a digital copy of a deed free of cost and in mass. AIN stands for Application Identification Number, which is a 16 digit number generated when a user legitimately applies for a digital copy of a deed by providing correct information and paying the fees.
But how does a scammer get access to so many AINs? Well, thanks to the IDOR vulnerability of the website, this too is possible.
What is IDOR vulnerability?
As Majumdar explains, IDOR or Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorisation and access resources in the system directly, for example, database records or files.
Simply put, IDOR is a security loophole where someone can access or manipulate data that they are not authorised to. This happens when a website or application doesn't properly check who is asking for information and lets the wrong people see or change things they shouldn't.
Let us understand this with the help of an example. Imagine there is a website where students can check their exam results by entering their roll number, unique to them. So a student with the roll number "12345" enters it and checks their grades.
Here's where the IDOR vulnerability comes into play. Normally, the website should only allow the student to see their own grades. But if the website has this security flaw, the student could potentially change the roll number to "12346" in the website's URL to obtain another student's grades.
Therefore, the website with this vulnerability does not properly check and verify that you have the right to access that specific roll number and shows you the grades for "12346" as well, even though you're not that student.
Similarly, by altering the last 2-4 digits of 16 digits AINs anybody can obtain digital copies of deeds belonging to random people along with their details, Aadhaar card copy and fingerprints.
Majumdar has reported the issue to CERT-In, National Critical Information Infrastructure Protection Centre (NCIIPC) and the Registry Office of West Bengal. "CERT-In, NCIIPC and the state government have validated my findings and taken cognizance of the matter," said Majumdar.
AePS Vulnerabilities: Cybercriminals' Goldmine
Neither the Unique Identification Authority of India (UIDAI) nor National Payments Corporation of India (NPCI) mentions clearly whether AePS is enabled by default. However, according to a circular published by WEBEL (West Bengal Electronics Industry Development Corporation Limited), as Majumdar points out, the AePS is activated by default if a customers’ bank account is linked with Aadhaar.
Furthermore, in accordance with the Prevention of Money-laundering (Maintenance of Records) Third Amendment Rules, 2019, individuals are required to provide their Aadhaar number to their banking service provider if they intend to receive benefits or subsidies through any scheme outlined in section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016. This makes AePS enabled by default for Indian citizens.
There have been enough incidences to prove that fingerprints can be compromised through alternative means, which leaves this 'by default' system susceptible to attacks.
This investigation by Majumdar also highlights significant flaw in the implementation process. In March 2023, the Indian Cyber Crime Coordination Centre (I4C) had asked the state and UT governments to direct their revenue and registration departments to “mask” the fingerprints on documents while uploading them on the registry websites. The delay in executing the orders have left the sensitive information of many citizens in jeopardy.