Aadhar Card Vulnerabilities: Understanding scams and protective measures

By Tanushree Dubey

Published on: October 31, 2023 at 15:51 IST

In today’s digital age, the Aadhar card is India’s is vital to identity verification, widely used across government and private sector services. However, its extensive personal information repository makes it a prime target for scammers and identity thieves. This comprehensive article explores the common Aadhar card scams, delves into how they happen, and provides comprehensive guidance on prevention.

What is Aadhaar card?

Aadhaar is a 12-digit identifying number issued by the Unique Identification Authority of India (UIDAI) to Indian residents following a verification process. To obtain an Aadhaar number, individuals must provide essential demographic and biometric information, including their name, date of birth or age, gender, address, mobile number, and optional email ID. Biometric data such as fingerprints, iris scans, and a facial photo are also collected.

There are various forms of Aadhaar provided by UIDAI for residents’ convenience such as:

• Aadhaar Letter: This is a laminated paper-based document issued to residents after enrolment or updates. It’s sent free of charge via regular mail. In case of loss or damage, residents can request a reprint from UIDAI’s official website for a fee of Rs 50.

• eAadhaar: eAadhaar is a password-protected electronic copy of Aadhaar digitally signed by UIDAI. The password is typically the first four letters of the name in capital letters and the birth year (YYYY). eAadhaar includes a QR code for offline verification and displays issue and download dates. The “Mask Aadhaar” option allows residents to hide their Aadhaar number, revealing only the last four digits.

• mAadhaar: This is the official mobile application developed by UIDAI. It allows Aadhaar holders to carry their demographic data, including name, date of birth, gender, and address, along with their photo on their smartphones. The app features a QR code for offline verification and is compatible with smartphones running iOS version 10.0 and above or Android version 5.0 and above. Users can add up to three profiles on one device if they share the same registered mobile number in their Aadhaar. The app offers features such as biometric data locking/unlocking, sharing QR code and eKYC data, and updating the Aadhaar profile.

• Aadhaar PVC Card: Introduced in October 2020, the Aadhaar PVC card is a durable and easy-to-carry plastic card. It includes a digitally signed secure QR code with a photograph and demographic details, along with multiple security features. Residents can order this card online using their Aadhaar number, virtual ID, or enrolment ID by paying a fee of Rs 50. After application, the card is delivered to the registered address via postal mail.

How Aadhar and Privacy interconnected

Aadhar, the unique identification system in India, has been a subject of significant debate and controversy regarding privacy issues. The connection between Aadhar and privacy is complex and has been a central focus of numerous legal and ethical discussions. To illustrate this connection, we can look at the landmark case of Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India, which is commonly referred to as the “Aadhar case.”

In 2009, the Government of India introduced the Aadhar project, which aimed to assign a unique 12-digit identification number to every Indian resident. Aadhar numbers were linked to an individual’s biometric and demographic information, such as fingerprints and iris scans. The government justified this initiative as a means to improve the delivery of welfare benefits and public services and to prevent fraud and corruption in government programs.

Privacy Concerns:

Privacy advocates and legal scholars raised concerns about the potential invasion of privacy due to the collection and use of sensitive biometric and personal data. They argued that Aadhar, with its extensive data collection and linking capabilities, had the potential to be misused or result in mass surveillance. The petitioners in the Aadhar case contended that the Aadhar project violated the fundamental right to privacy, which was recognized as an intrinsic part of the right to life and personal liberty under Article 21 of the Indian Constitution.

Aadhar Case and the Right to Privacy:

The Aadhar case was heard by a Constitution Bench of the Supreme Court of India in 2017. In a landmark judgment, the court recognized the fundamental right to privacy as a constitutionally protected right.

The court held that the right to privacy was intrinsic to the right to life and personal liberty and could not be violated except in certain specific circumstances, which must meet the test of legality, necessity, and proportionality.

The court also examined the Aadhar project in light of the right to privacy and other constitutional principles. It determined that while the collection of biometric and demographic data was not per se unconstitutional, the manner in which Aadhar was being implemented raised privacy concerns. Therefore, the court established several important guidelines and limitations for the use of Aadhar, such as:

• Requiring the government to establish a robust data protection framework.
• Limiting the use of Aadhar to specific government welfare programs and financial transactions.
• Recognizing the importance of obtaining informed consent from individuals before collecting their biometric data.

The Aadhar case is a prime example of how Aadhar and privacy are connected. It highlights the tension between the government’s objectives, such as efficient service delivery and fraud prevention, and the protection of individual privacy rights.

The case resulted in the acknowledgment of the right to privacy as a fundamental right in India and laid down crucial principles for balancing the use of Aadhar with privacy concerns. It underscores the importance of safeguarding personal data in large-scale identification systems like Aadhar and ensuring that privacy is not unduly compromised in the pursuit of government objectives.

Despite the landmark Aadhar case’s recognition of privacy rights, ongoing challenges and scams raise concerns. Unauthorized data access, breaches, and fraudulent activities remain prevalent. Biometric vulnerabilities and inadequate oversight contribute to these issues. Balancing security and privacy while promoting public awareness is crucial for addressing Aadhar scams effectively. Continual improvements are needed to safeguard personal data while achieving the system’s objectives.

Scams through Aadhar Card

Aadhaar scams are a significant concern in India, given the widespread use of this identity document. These scams come in various forms, targeting individuals with the aim of stealing personal information or causing financial harm. To protect yourself, it’s essential to be aware of these scams and take preventive measures.

Here are some common Aadhaar scams to watch out for:

• Phishing Calls and Texts: Scammers use phone calls and text messages to impersonate government officials, bank representatives, or UIDAI personnel. They claim that there are issues with your Aadhaar and request personal information such as your Aadhaar number, bank details, or OTP. The intent is to steal your identity or money.

• Email Scams: Similar to phishing calls, scammers send fake emails that appear to be from official sources, including UIDAI. These emails contain links that lead to counterfeit websites where individuals are tricked into providing their Aadhaar information.

• Fake Aadhaar Websites: Scammers create fake websites that closely resemble the official UIDAI website. They lure individuals into attempting to update or check their Aadhaar information, collecting personal data in the process. This data can be misused for fraudulent activities.

• Aadhaar Enrollment Fee Scams: Fraudsters establish unauthorized Aadhaar enrollment centers and charge unsuspecting individuals for Aadhaar registration or updates. They often pocket the fees and do not provide legitimate services. Genuine Aadhaar enrollment and update services are typically free.

• Aadhaar Card Printing Frauds: Scammers offer to print Aadhaar cards or provide quick Aadhaar-related services for a fee. However, they frequently fail to deliver on their promises or provide fake cards, leaving victims with a loss of money and no legitimate service.

• Aadhaar Linking Frauds: Scammers convince people to link their Aadhaar with various services, such as bank accounts or mobile numbers, and then use this opportunity to extract personal information or request fees for fraudulent linking services. The government has mandated some Aadhaar linkings, but individuals should only use official channels for these purposes.

• Aadhaar Data Theft: Some criminals hack into databases that store Aadhaar data or purchase stolen Aadhaar information from the dark web. This stolen data can be used for identity theft, fraudulent transactions, or other criminal activities.

• Fake Aadhaar Mobile Apps: Scammers develop counterfeit Aadhaar mobile applications that closely resemble the official app but are designed to steal personal information when users download and use them. It’s essential to use only official apps for Aadhaar services.

• Job and Scholarship Scams: Scammers promise fake job opportunities, scholarships, or government grants, asking individuals to provide their Aadhaar details for eligibility. These scams can lead to identity theft or financial loss, and individuals should verify the legitimacy of such offers.

• Aadhaar Card Resale: Scammers may obtain legitimate Aadhaar cards through illicit means and sell them to individuals who use them for fraudulent activities. This can include opening bank accounts, obtaining loans, or committing crimes under a false identity.

• Biometric Data Theft: Criminals may attempt to steal an individual’s biometric data associated with their Aadhaar, such as fingerprints or iris scans, to misuse this information for illegal purposes. Biometric data is highly sensitive and should be protected at all costs.

• SIM Card Frauds: Scammers use stolen Aadhaar details to obtain SIM cards in the victim’s name. They may then engage in illegal activities using these SIM cards, and victims can be held responsible for these actions.

• Loan and Financial Frauds: Some fraudsters use stolen Aadhaar information to secure loans, credit cards, or other financial products in the victim’s name. This can lead to financial liability for the victim and damage their credit history.

• Aadhaar-Based Money Transfer Scams: Criminals may claim to help transfer government benefits or funds linked to Aadhaar and request a fee for the service, but they don’t provide any legitimate assistance. Government benefits and funds can typically be accessed through official channels.

• Property and Land Frauds: Scammers manipulate property records and land ownership using forged or stolen Aadhaar information to carry out fraudulent land transactions. This can lead to the loss of property or significant financial damage for the victim.

• AEPS Scams: An AEPS (Aadhaar Enabled Payment System) scam involves fraudulent activities where scammers misuse the Aadhaar system to execute unauthorized financial transactions. They may steal or impersonate individuals’ biometric data or Aadhaar numbers, leading to unauthorized fund transfers and withdrawals from bank accounts without the account holder’s consent.

How to Protect yourself from Aadhar card scams

To protect yourself from Aadhar scams, it is vital to take proactive measures:

• Verification of Requests: Always scrutinize requests for your Aadhar information. If you receive unsolicited emails, phone calls, or text messages asking for your Aadhar number, OTP, or other personal details, exercise caution. Legitimate organizations, including government agencies, banks, and reputable service providers, do not typically request this information over the phone or through email.

• Use Official Channels: For any Aadhar-related tasks, it is advisable to use the official channels provided by the Unique Identification Authority of India (UIDAI). These can include the official UIDAI website (https://uidai.gov.in/) and authorized Aadhar enrollment centers. Avoid unofficial sources or unverified individuals offering Aadhar-related services.

• Secure Your Aadhar Number: Treat your Aadhar card and number as highly confidential information. Do not share your Aadhar number casually, and avoid carrying the physical card in your wallet. Instead, keep it in a secure location in your home where it is less likely to be misplaced or stolen.

• Biometric Data Protection: If you have linked your biometrics (fingerprint and iris scans) with your Aadhar, it is crucial to ensure that your biometric data is secure and inaccessible to unauthorized individuals. Protect your Aadhar-registered devices, such as smartphones or biometric machines, with strong passwords and security measures.

• Beware of Fake Apps: Utilize only the official mAadhar app or other applications endorsed by government authorities for Aadhar-related services. Be extremely cautious when downloading apps from unofficial sources, as counterfeit apps may be designed to capture your personal data.

• Verify Website Security: When accessing websites related to Aadhar, always check for the “https://” in the website URL, which indicates a secure and encrypted connection. Look for the padlock symbol in your web browser’s address bar, which further confirms the legitimacy and safety of the site.

• Avoid Paying for Free Services: Official Aadhar services are typically provided for free or with nominal charges for specific services. Be cautious if someone asks you to pay a substantial fee for services that should be available at no cost. Verify the authenticity of the request or service provider.

• Safeguard Your Mobile Number: If your mobile number is linked to your Aadhar, ensure that it is protected. Be selective about sharing your mobile number with individuals or organizations you trust, and consider implementing additional security measures such as two-factor authentication.

• Monitor Your Aadhar Activity: Regularly check your Aadhar activity and update history on the official UIDAI website. This practice helps you identify any unauthorized changes or activities linked to your Aadhar and enables you to take prompt action in case of suspicious activities.

• Report Suspicious Activity: If you suspect any fraudulent activity associated with your Aadhar or have become a victim of a scam, it is essential to report the incident to local law enforcement and the UIDAI. Prompt reporting can prevent further harm and assist in addressing the issue.

• Stay Informed: Stay updated about the legitimate uses of Aadhar and the precautions necessary when sharing your Aadhar-related information. Periodically review the official UIDAI website and guidelines for updates, security recommendations, and other relevant information.

• Exercise Caution with Aadhar Linking: While Aadhar linking is mandatory for certain services, be discerning about where and when you link your Aadhar. Only connect it when explicitly required and to reputable, government-authorized entities.

• Regularly Review Bank and Mobile Statements: Routinely examine your bank and mobile service provider statements for any unauthorized transactions or changes related to your Aadhar. This monitoring can help you detect and respond to any fraudulent activities promptly.

Recent Scams through Aadhar Card

• Aadhar-Related Scam Exposes Data of 815 Million Indians might be on Dark Web

A significant data breach has exposed the personal information of 815 million Indian citizens. This data includes Aadhaar and passport details, names, phone numbers, and addresses, all available for sale on the dark web.

An unknown hacker, going by the alias “pwn0001,” shared this vast dataset on BreachForums, offering the entire Aadhaar and Indian passport database for just $80,000 when contacted by cybersecurity firm Resecurity.

This breach underscores the urgent need for organizations to bolster their security measures. Sanjay Kaushik, Managing Director of Netrika Consulting, emphasized the importance of securing assets in today’s digital landscape.

While the source of this breach remains uncertain, speculation suggests the Indian Council of Medical Research (ICMR) database may be compromised. Regardless, this incident highlights the critical importance of robust cybersecurity measures, including encryption, multifactor authentication, and stringent access controls.

The exposure of such sensitive information on the dark web poses a substantial risk of digital identity theft. Malicious actors could potentially exploit this data for activities such as online banking fraud and tax refund scams. This situation underscores the imperative to strengthen data protection and security measures, especially concerning Aadhar and personal information in India.

• Vigilance Urged as Aadhaar Card Scams Surge in Kolkata

Kolkata Police Commissioner Vineet Goyal is calling on the public to stay alert and safeguard their biometric data in response to a surge in financial fraud cases involving Aadhaar cards. Fraudsters are actively pilfering biometric data to drain bank accounts. To counteract these scams, individuals are being recommended to use the M-Adhaar application to secure their biometric information.

Furthermore, the police have issued a warning advising against the sharing of unmasked Aadhaar numbers or the divulgence of biometric data to unauthorized individuals. There have been allegations of thumbprint theft from the West Bengal Government’s land records website, with a notable number of victims having ties to property transactions.

In one particular case, a resident lost over Rs 60,000 without receiving any notification regarding OTP generation. This unfortunate incident occurred after the individual provided a thumb impression during a mobile number porting process.

In a separate incident, perpetrators withdrew money from bank accounts using the Aadhaar Enabled Payment System (AEPS) facility. The cyber cell of the Kolkata Police Port Division successfully managed to recover the lost funds.

Notably, model and actor Mousumi Sanyal Dasgupta fell victim to a Rs 10,000 loss from her bank account due to biometric data misuse. She is advocating for individuals to proactively lock their biometric information and has shared her experience regarding attempts to siphon money from her other accounts. The cyber police are actively examining these cases.

This persistent issue underscores the pressing need for heightened awareness and the implementation of stringent security measures to deter Aadhaar-related scams.

• Karnataka’s First AEPS Fraud Uncovers Vulnerabilities in Aadhaar Security

Karnataka recently witnessed its inaugural Aadhaar Enabled Payment System (AEPS) fraud case, exposing significant vulnerabilities within the Aadhaar system. In a concerning turn of events, cybercriminals managed to siphon ₹20,000 from a woman’s bank account. Sunita Ravikumar, a resident of Vasanthnagar in Bengaluru, discovered unauthorized withdrawals of ₹10,000 each on two consecutive days in early September. In response, she promptly sought assistance at a Union Bank branch and reported the incidents to the police.

The subsequent investigation, registered under section 66D of the Information Technology (IT) Act, brings to light the perpetrators’ astute exploitation of Sunita’s biometric data through the AEPS technology. It also reveals that Sunita’s biometrics were shared during a recent property transaction in Davanagere, prompting legal notices to those involved in the deal.

Union Bank, alongside the police, is actively conducting an internal investigation and collaborating with the cybercrime division to resolve this concerning case. The incident underscores the pressing need for enhanced security measures and public awareness to safeguard the Aadhaar system and prevent individuals from falling prey to financial fraud.

• Aadhaar Scam in Mangalore: Residents Lose Money to Fraudsters

A woman in Mangaluru lost money from her bank accounts after her Aadhaar details and fingerprints were taken during a visit to the city sub-registrar’s office. Fraudsters from North Indian states used this information to withdraw funds using the Aadhaar-enabled payment system (AEPS). Several victims have reported losses ranging from ₹10,000 to ₹1 lakh. The police are actively pursuing the fraudsters, and the company responsible for AEPS reported ₹1 crore in fraudulent withdrawals over the last two months. Experts suggest implementing two-way authentication for AEPS withdrawals and capturing the person’s photograph and GPS coordinates during transactions to enhance security. To protect themselves, individuals can download mAadhaar or visit the myAadhaar website to disable their biometric details.

Conclusion

To protect oneself from Aadhaar card scams, you must exercise caution, utilize official channels, safeguard your personal information, and stay informed about the latest security recommendations. Recent incidents of Aadhaar-related scams underscore the urgent need for enhancing cybersecurity measures and fostering public vigilance.

Real risks such as data breaches, financial fraud, and biometric data theft can lead to substantial losses for individuals. It is imperative to promptly report any suspicious activity and proactively take steps to secure your Aadhaar information, including using the official mAadhaar app and monitoring your bank and mobile statements.

In a world where personal data faces increasing vulnerabilities, safeguarding your Aadhaar card is not only a matter of security but also a crucial step in protecting your financial well-being and digital identity. Stay informed, maintain vigilance, and collaborate to combat Aadhaar card scams and prevent your personal information from falling into the wrong hands.