Gaps in the AePS Transaction Model


A popular YouTuber shared in a Twitter thread how his mother's bank account was drained using an Aadhaar-linked fingerprint, without any two-factor authentication being required.


GS III: Indian Economy

Dimensions of the Article:

  1. What is AePS?
  2. How is biometric information leaked?
  3. How to secure your Aadhaar biometric information:

What is AePS?

  • The Aadhaar-enabled Payment System (AePS) is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) devices and micro ATMs of any bank using Aadhaar authentication.
  • The model removes the need for OTPs, bank account details, and other financial details.
  • It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment, according to the National Payments Corporation of India (NPCI).

Is AePS enabled by default?

  • There is no clear mention from the Unique Identification Authority of India (UIDAI) or NPCI about whether AePS is enabled by default.
  • Cashless India, a website managed by MeitY, states that AePS does not require any activation, but the user's bank account must be linked with their Aadhaar number.
  • To receive benefits or subsidies under schemes covered by Section 7 of the Aadhaar Act, users must submit their Aadhaar number to the banking service provider, according to the UIDAI.

How is biometric information leaked?

  • While Aadhaar data breaches were reported in 2018, 2019, and 2022, the UIDAI has consistently denied any data breaches.
  • The UIDAI maintains that Aadhaar data, including biometric information, is completely safe and secure.
  • However, it is important to note that UIDAI’s database is not the sole source of potential data leaks.
  • Aadhaar numbers are easily available in the form of photocopies and soft copies, and criminals may exploit Aadhaar-enabled payment systems to compromise user information.

How to secure your Aadhaar biometric information:

  • The UIDAI is proposing an amendment to the Aadhaar (Sharing of Information) Regulations, 2016, which would require entities holding Aadhaar numbers to not share the details unless the numbers have been redacted or blacked out.
  • A new two-factor authentication mechanism has been implemented by the UIDAI, using a machine-learning-based security system that combines finger minutiae and finger image capture to verify the “liveness” of a fingerprint.
  • Users are advised to lock their Aadhaar information through the UIDAI website or mobile app, ensuring that even if their biometric information is compromised, it cannot be used for financial transactions. It can be unlocked when needed for biometric authentication, such as property registration or passport renewals, and locked again afterward.

-Source: The Hindu

February 2024