Gurgaon: Fingerprints are more secure than passwords? Once your password is lost, you can get a new one.
But what happens when your fingerprint gets cloned? A fraud perpetrated by a gang of cybercrooks that was busted in Palwal on Monday exposed a worrying chink in the system of fingerprint-based transactions that use Aadhaar-enabled payments systems (AePS).
Senior police officers said the fraud showed the need for a multi-level authentication system, even if it slowed down the process a bit, to ensure this does not become a more common modus operandi.
For just Rs 10 each, these fraudsters were able to create rubber clones of a person’s fingerprints from images of the ones they found on property registry papers.
All they needed was photopolymer, a poly stamper machine and butter paper.
With this, they were able to siphon off funds to the tune of several lakhs via electronic transaction processing platforms.
SP (Palwal) Deepak Gahlawat told TOI: “First, they would print images of the fingerprint on a butter paper, then place these prints on a sheet of a light-sensitive photopolymer, which would then be exposed to ultraviolet light.
The fingerprint clone obtained at the end of this process resembles an office rubber-stamp — which can be used on a biometric reader.” The gang members told the cops that these rubber clones, while not foolproof, had a high success rate and worked in 70% cases.
Aadhaar-based Payment Systems (AePS) require electronic transaction processing platforms for transactions.
Gahlawat explained: “The fraudsters would first create an online account with any such platform, by submitting some documents.
They would log in to the app and initiate transactions using biometric devices and the rubber clone.
As soon as the transaction was completed, the money would go into the wallet of the electronic platform — from where the fraudsters would transfer it to their bank accounts.” Assistant commissioner of police (cybercrime) Karan Goel said, “Some platforms where only biometrics is used as an authenticator for financial transactions are prone to such crimes.
A multi-level authentication system is the only way to check such frauds.” Rakshit Tandon, a cybersecurity expert who has been assisting Haryana Police in creating awareness on cybercrime, said the case has exposed that even physical data is not safe and there is an immediate need to add a double layer of verification to Aadhaar-enabled payment system.
“This incident shows the level of threat and the need to immediately update the security framework for Aadhaar-based or biometric transactions.
Second-level authentication should be introduced on every biometric-based transaction.
Updating security policies based on current events should be an ongoing process,” he added.