      Land Deeds: A New Tool In The Hands Of Scammers Pulling Off AePS Scam

Biometric data is leaking from a West Bengal state government website, contributing to a rise in AePS scams in the state.

By Hera Rizwan | 22 Sept 2023 11:59 AM IST

Never sharing One Time Passwords (OTPs) or bank account details may sound like a foolproof way to stay clear of scammers. However, cybercriminals have found a way around these checks: they use biometric (AePS) withdrawals at micro-ATMs to drain users' bank accounts, and no OTP or account number is needed.

The scammers are now leveraging AePS banking to execute these frauds. AePS (Aadhaar enabled Payment System) is an Aadhaar-based payment system in which bank account holders perform financial transactions using Aadhaar authentication and biometrics, either an iris scan or a fingerprint. This means all that is needed to withdraw money is the bank name, the Aadhaar number and the biometrics captured at enrolment.

Earlier, Decode documented such scams in Bihar, where scammers targeted poor and semi-literate people by cloning their fingerprints. Similar incidents are now being reported in West Bengal at an alarming rate.


According to a report by the Times of India, three divisional cyber cells in Kolkata (South, Southeast and suburban South) reported 37 cases of AePS fraud in August alone. What remains difficult for the police to track is how the scammers get access to victims' biometric details.

      How do scammers acquire people's fingerprints?

Sourajeet Majumdar, an independent security researcher, helped Decode unravel the modus operandi of the ongoing scam in West Bengal. Majumdar pointed out that this time the scammers were not cloning fingerprints with M-Seal moulds, but taking them from land registry records. According to some media reports, the Kolkata Police Cyber Cell suspects the same.

At land registry offices, it is mandatory to put a fingerprint on the official land deed. On digging further, it was found that a digital copy of any land deed can be downloaded after entering a few details such as the Deed Number and Year of Sale. "Any cybercriminal would not have those details, nor would he want to leave a footprint on a government website through transaction history, as every download requires a nominal payment," said Majumdar.

However, the site has another feature, based on the AIN, that lets one download digital copies of deeds free of cost and in bulk. AIN stands for Application Identification Number, a 16-digit number generated when a user legitimately applies for a digital copy of a deed by providing the correct information and paying the fee.

But how does a scammer get hold of so many AINs? Thanks to an IDOR vulnerability in the website, that too is possible.


      What is IDOR vulnerability?

As Majumdar explains, IDOR, or Insecure Direct Object Reference, occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorisation and directly access resources in the system, for example database records or files.

      Simply put, IDOR is a security loophole where someone can access or manipulate data that they are not authorised to. This happens when a website or application doesn't properly check who is asking for information and lets the wrong people see or change things they shouldn't.

      Let us understand this with the help of an example. Imagine there is a website where students can check their exam results by entering their roll number, unique to them. So a student with the roll number "12345" enters it and checks their grades.

      Here's where the IDOR vulnerability comes into play. Normally, the website should only allow the student to see their own grades. But if the website has this security flaw, the student could potentially change the roll number to "12346" in the website's URL to obtain another student's grades.

A website with this vulnerability does not verify that the requester is entitled to that specific roll number, and so shows the grades for "12346" as well, even though you are not that student.

Similarly, by altering the last two to four digits of a 16-digit AIN, anybody can obtain digital copies of deeds belonging to random people, along with their details, a copy of their Aadhaar card and their fingerprints.
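The enumeration described above, and the authorisation check that stops it, as an added example in Python. This is not code from the West Bengal registry portal or from the researcher quoted here: the portal's real endpoints, parameters and AIN layout are not known from the article, and the in-memory store, the AIN values, the user names and the helper names (`download_vulnerable`, `download_hardened`, `enumerate_ains`, `issue_ain`) are constructed for illustration.

```python
"""
IDOR on a 16-digit Application Identification Number (AIN): a vulnerable
lookup, a hardened lookup, and the enumeration that tells them apart.

Added example; not the registry portal's code. Store, AINs and users below
are constructed, and the AIN layout is an assumption (a 16-digit counter).
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Deed:
    ain: str                    # 16-digit application id shown to the applicant
    applicant: str              # account that applied and paid for this copy
    deed_no: str
    has_biometrics: bool = True  # scanned deed carries fingerprint + Aadhaar copy


class Unauthorised(Exception):
    pass


# Constructed store: sequential AINs, as a plain counter would produce them.
DEEDS: Dict[str, Deed] = {
    "2023090100012340": Deed("2023090100012340", "alice", "I-1234/2023"),
    "2023090100012341": Deed("2023090100012341", "bob", "I-1235/2023"),
    "2023090100012342": Deed("2023090100012342", "carol", "I-1240/2023"),
}


def download_vulnerable(user: str, ain: str) -> Optional[Deed]:
    """Vulnerable: the AIN alone selects the object. The caller is never
    compared against the applicant, so any AIN that exists is served."""
    return DEEDS.get(ain)


def download_hardened(user: str, ain: str) -> Deed:
    """Hardened: look the object up, then enforce ownership. A missing deed
    and someone else's deed produce the same error, so the endpoint cannot
    be used as an existence oracle for valid AINs."""
    deed = DEEDS.get(ain)
    if deed is None or deed.applicant != user:
        raise Unauthorised("no such application for this account")
    return deed


def enumerate_ains(user: str, known_ain: str, width: int,
                   fetch: Callable[[str, str], Optional[Deed]]) -> List[Deed]:
    """Model the attack from the article: keep the prefix of one legitimately
    obtained AIN, vary its last `width` digits, and collect every deed that
    belongs to somebody else. width=2 is 100 requests, width=4 is 10,000."""
    prefix = known_ain[:-width]
    found: List[Deed] = []
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        try:
            deed = fetch(user, candidate)
        except Unauthorised:
            continue
        if deed is not None and deed.applicant != user:
            found.append(deed)
    return found


def issue_ain() -> str:
    """Complementary control: an unguessable reference (128 random bits, hex)
    instead of a counter. It removes the guessable sequence but does not
    replace the ownership check in download_hardened."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # "bob" holds one valid AIN and walks the last two digits around it.
    leaked = enumerate_ains("bob", "2023090100012341", 2, download_vulnerable)
    print("vulnerable endpoint leaked:", [d.applicant for d in leaked])
    blocked = enumerate_ains("bob", "2023090100012341", 2, download_hardened)
    print("hardened endpoint leaked:", [d.applicant for d in blocked])
    print("unguessable AIN:", issue_ain())
```

Running the block shows the vulnerable lookup handing "bob" the deeds of "alice" and "carol", and the hardened one handing over nothing. The ownership check is the actual fix; a random token from `issue_ain` only takes away the guessable counter and should accompany it, not stand in for it.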

      Majumdar has reported the issue to CERT-In, National Critical Information Infrastructure Protection Centre (NCIIPC) and the Registry Office of West Bengal. "CERT-In, NCIIPC and the state government have validated my findings and taken cognizance of the matter," said Majumdar.


      AePS Vulnerabilities: Cybercriminals' Goldmine

Neither the Unique Identification Authority of India (UIDAI) nor the National Payments Corporation of India (NPCI) states clearly whether AePS is enabled by default. However, according to a circular published by WEBEL (West Bengal Electronics Industry Development Corporation Limited), as Majumdar points out, AePS is activated by default once a customer's bank account is linked with Aadhaar.

Furthermore, under the Prevention of Money-laundering (Maintenance of Records) Third Amendment Rules, 2019, individuals must provide their Aadhaar number to their bank if they intend to receive benefits or subsidies under any scheme covered by section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. In effect, this leaves AePS enabled by default for Indian citizens whose accounts are Aadhaar-linked.

There have been enough incidents to show that fingerprints can be compromised by other means, which leaves this 'by default' system open to attack.

Majumdar's investigation also highlights a significant flaw in implementation. In March 2023, the Indian Cyber Crime Coordination Centre (I4C) asked state and UT governments to direct their revenue and registration departments to "mask" the fingerprints on documents before uploading them to registry websites. The delay in carrying out those orders has left the sensitive information of many citizens in jeopardy.

Tags: Cybercrime, Aadhaar Payments