Is AEPS a Digital Honey Trap?… Is there an Escape Plan?

In January 2017, an interim report of the NITI Aayog Committee of Chief Ministers on digital payments recommended:

  1. To ensure wide-scale adoption of AEPS and Aadhaar Pay, banks need to be mandated to complete Aadhaar seeding of all their customers in a time-bound manner. All banks must ensure that their AEPS gateways are up and running all the time and have proper reconciliation teams in place.
  2. All Payment Banks to be made interoperable on AEPS.
  3. All BCs (Business Correspondents) to be made interoperable on AEPS.
  4. Biometric (fingerprint and iris) sensors may be provided at 50% subsidy for all merchants to onboard on to Aadhaar Pay.
  5. Rollout of the Aadhaar Pay application riding on the AEPS platform may be expedited by encouraging banks to adopt the same. Bank branches are to be given targets to onboard merchants in their vicinity to adopt Aadhaar Pay with their existing Android smartphone and biometric reader, which would present a significantly cost-effective alternative compared to the traditional PoS infrastructure. There should be a bank-wise target to achieve 10 lakh active Aadhaar-based merchant outlets by June 2017 and 40 lakh by December 2017.
  6. RBI should allow white-labelled business-cum-merchant correspondents for spreading AEPS PoS devices across the country. Common Service Centres (CSC), the Department of Posts and India Post Payments Bank should be allowed to begin with. It may be extended to other entities who meet the criteria prescribed by RBI.
  7. NPCI and banks should enable iris authentication on AEPS so that people with worn-out fingerprints are also able to do AEPS transactions.
  8. All ATMs/Micro-ATMs/PoS should be mandated to have an Aadhaar biometric authentication facility from June 1, 2017.

RBI, vide its circular dated December 2, 2016, had also indicated that the deployment of Aadhaar-based devices should be completed by June 30, 2017.

As a result of these measures there is a rush to implement AEPS gateways and make them operational at the earliest.

Some of the banks have already issued "Aadhaar cards" for their customers and obtained the IINs (Issuer Identification Numbers) assigned to them. While NPCI and NITI Aayog are excited and are pushing the implementation, RBI has no option but to oblige.

In all this excitement, the safety and security of the Indian Consumer appears to be the last and perhaps a lost priority.

The system as envisaged creates a network of bank accounts that are all interconnected through the Aadhaar number, PAN number and mobile number, operating through the NPCI switch(es), which are in turn exposed to banking software, mobile wallets, ATMs, UPI apps etc.

If any one of these network elements is compromised, there is a possibility of the entire financial system in India being compromised, because the same identifiers are the key to every account.

Aadhaar was not designed for the kind of usage that is being envisaged under AEPS. It was meant to be a confidential database with only the ability to send out a binary response of Yes or No when a specific query is made with reference to a parameter associated with an Aadhaar number or a biometric input. It was never meant to send out the entire data sheet on request with just the verification of an OTP. It was not meant to be used as an ID substitute nor as a sole KYC instrument. In this role the Aadhaar data of individuals is getting broadcast widely and gets stored in innumerable places with many vendors and agents of vendors, where there is no control on privacy or security.

While it has helped the Government to check misuse of Direct Benefit Transfer, it has also opened other vulnerabilities that are a risk to those who have no interest in Direct Benefit Transfers. Today honest citizens have no control over their Aadhaar and the linked PAN card being used in impersonation. Now linking bank accounts will further open the gateway to money transfer from the accounts of individuals because their Aadhaar data was compromised somewhere by some vendor such as a mobile operator or a domestic gas supplier, if not a fraudulent banker.

The Aadhaar system today is itself dependent heavily on the associated mobile numbers, where the security is very lax and obtaining a duplicate SIM or a fake SIM is extremely easy. Since bank accounts are operable under the USSD, UPI and AEPS systems, the entire security infrastructure of the Indian financial system will be at the mercy of the mobile identity of individuals.

Now all the SIM card vendors are also becoming Business Correspondents who can put their hands into my/our bank account, and therein lies one of the major risks of the AEPS system.

Since the mobile devices are already under the control of Chinese manufacturers and innumerable viruses and trojans are already on the prowl on mobile devices, the Indian financial system will be at the mercy of China in a cyber war situation. Since China is always on the side of Pakistan, this entire Chinese cyber war machinery would be at the disposal of Pakistan.

There are any number of Pakistani dalals in India (some of whom have already requested that Pakistan should help them defeat Mr Modi), and there will be enough traitors within the country who would welcome any development where Pakistan can discredit Mr Modi through a cyber attack on his favourite "Digital Payment System".

The proposed AEPS system is the last straw on the camel's back and will push the Indian financial system to a point of no return.

I therefore reckon that the Digital Payment Systems in India, as they are being conceived now, can turn out to be a honey trap for Mr Modi and the BJP and spoil the chances of the BJP winning the next Lok Sabha elections.

What the political Maha Gathbandhan cannot achieve, this financial gathbandhan called AEPS can achieve.

Already, the Aadhaar database has been compromised; there are many fake Aadhaar IDs in circulation and many more will come up in the coming days, because the cost of obtaining a fake Aadhaar ID is as low as Rs 100/-, as indicated by the Pakistani nationals who were arrested in Bangalore recently.

The UPI system has its own weaknesses, as indicated by the Bank of Maharashtra UPI fraud.

UIDAI is itself vulnerable to the "stored biometric replay" attack demonstrated by Axis Bank and eMudhra: a biometric capture stored by an operator was resubmitted to authenticate later transactions without the resident's finger being on the sensor at all.
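The two design points made above, that an authentication service should answer only Yes/No rather than hand out the data sheet, and that a stored biometric capture must not be replayable, can both be shown in one small model. The following Python is an added illustration written for this page; it is not UIDAI's, NPCI's or any bank's code, and it does not reproduce the real AEPS or UIDAI authentication protocol. The resident record, the "fingerprint template" bytes and the per-device registration key are all constructed for the example. It contrasts a naive verifier, which accepts any capture that matches the enrolled template whenever it is presented, with a verifier that issues a single-use, time-limited nonce and requires the registered device to bind the capture to that nonce with an HMAC before it will answer.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed sample data: not a real template, resident or UIDAI record.
TEMPLATE_A = b"constructed-fingerprint-template-of-resident-A"
RESIDENT_DB = {
    "resident-A": {
        "template_hash": hashlib.sha256(TEMPLATE_A).hexdigest(),
        "name": "A. Resident",            # demographic data the Yes/No service
        "address": "constructed address",  # must never hand out
    },
}
# Hypothetical per-device registration key, shared only with the server.
DEVICE_KEY = secrets.token_bytes(32)


def naive_authenticate(resident_id: str, template: bytes) -> bool:
    """Replay-prone check: any capture matching the enrolled template passes,
    regardless of when it was taken. A template an operator stored earlier
    can be resubmitted indefinitely, which is the 'stored biometric replay'."""
    rec = RESIDENT_DB.get(resident_id)
    if rec is None:
        return False
    return hmac.compare_digest(hashlib.sha256(template).hexdigest(), rec["template_hash"])


class ReplayResistantAuthService:
    """Server side: issues one-time nonces and answers only True/False."""

    def __init__(self, device_key: bytes, window_seconds: int = 60):
        self.device_key = device_key
        self.window = window_seconds
        self._issued: Dict[str, int] = {}  # nonce -> issue time (epoch seconds)
        self._used: Set[str] = set()       # nonces already consumed

    def issue_nonce(self, now: int) -> str:
        nonce = secrets.token_hex(16)
        self._issued[nonce] = now
        return nonce

    @staticmethod
    def device_sign(device_key: bytes, nonce: str, captured_at: int, template: bytes) -> bytes:
        """Device side: bind the live capture to this nonce and capture time."""
        msg = nonce.encode() + b"|" + str(captured_at).encode() + b"|" + template
        return hmac.new(device_key, msg, hashlib.sha256).digest()

    def authenticate(self, resident_id: str, nonce: str, captured_at: int,
                     template: bytes, tag: bytes, now: int) -> bool:
        issued = self._issued.get(nonce)
        if issued is None or nonce in self._used:
            return False  # unknown or already-consumed nonce: a replayed packet
        if not (issued <= captured_at <= now <= issued + self.window):
            return False  # capture is outside the nonce's validity window
        expected = self.device_sign(self.device_key, nonce, captured_at, template)
        if not hmac.compare_digest(expected, tag):
            return False  # packet not produced by the registered device for this nonce
        self._used.add(nonce)  # consume before matching, so a retry cannot reuse it
        rec = RESIDENT_DB.get(resident_id)
        if rec is None:
            return False
        # Only a Yes/No leaves the service; name/address stay in RESIDENT_DB.
        return hmac.compare_digest(hashlib.sha256(template).hexdigest(), rec["template_hash"])


def demo(t0: int = 1_000_000) -> Dict[str, bool]:
    svc = ReplayResistantAuthService(DEVICE_KEY)
    # 1. Genuine transaction: fresh nonce, live capture, signed by the device.
    n1 = svc.issue_nonce(now=t0)
    tag1 = svc.device_sign(DEVICE_KEY, n1, t0 + 5, TEMPLATE_A)
    genuine = svc.authenticate("resident-A", n1, t0 + 5, TEMPLATE_A, tag1, now=t0 + 6)
    # 2. Operator stored that whole packet and replays it an hour later.
    replay_same = svc.authenticate("resident-A", n1, t0 + 5, TEMPLATE_A, tag1, now=t0 + 3600)
    # 3. Operator gets a fresh nonce but only has the stored template and old tag.
    n2 = svc.issue_nonce(now=t0 + 3600)
    replay_fresh = svc.authenticate("resident-A", n2, t0 + 3605, TEMPLATE_A, tag1, now=t0 + 3606)
    # 4. The naive verifier accepts the stored template every time.
    naive = naive_authenticate("resident-A", TEMPLATE_A)
    return {"genuine": genuine, "replay_same_packet": replay_same,
            "replay_fresh_nonce": replay_fresh, "naive_replay_accepted": naive}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in view is what this does and does not buy. The nonce and window stop a captured packet from being resubmitted, and the HMAC stops a stored template being re-wrapped under a new nonce by anyone who does not hold the device key. It does not protect against a registered device that is itself malicious or compromised, which is exactly the Business Correspondent risk raised above: the trust has moved from "whoever sends a matching template" to "whoever holds a registered device", so device registration, revocation and per-device transaction monitoring become the controls that matter.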

Banks would do anything for a price, and if accounts are to be opened with manipulated KYCs, there are many banks and branches that specialise in this.

Hence opening a bank account in the name of a fraudster linked to a fake Aadhaar card is as easy as ABC.

It is this infrastructure, weak at a number of points, that the Government is now relying upon to introduce the Aadhaar Enabled Payment System (AEPS) and link the biometrics of all bank customers to an ability to pass debits to the bank account.

The entire process has many loopholes and complies neither with the laws of the banking industry nor with RBI's own guidelines.

Unfortunately, there appears to be no sane voice available to the Government for flagging the risks, and even if some emerge, the counter-force will drown such voices.

While innovations in technology are required and are inevitable, at each stage of transformation, we need to ensure that there are enough checks and balances to ensure the security of people who use the systems.

I think there is a huge gap between what needs to be done and what is being done by the technology-intoxicated persons who are advising the Government agencies.

AEPS is a test case in which the commitment to security of these agencies is challenged. So far the technology administrators have not come out exuding confidence to the community.

There is no doubt that we can innovate technology solutions that can improve the security by many notches. But these solutions may not be available off the shelf. We need to create indigenous technology to protect the proposed AEPS objective of "place your finger and transfer money".

But one needs an eye to see, and a readiness to absorb higher costs, if the Government has to chart an escape plan from the trap that it is entering into. At present the Government is not able to see the risks properly and is therefore not thinking of the solutions that are required. The cost consideration is therefore yet to come onto the radar.

It is premature and inappropriate to discuss the technology solutions on this public platform, since it is a matter which even NITI Aayog recognises as a "patentable" innovation.

However, in the interest of preserving the political future of Mr Modi, we can state that the AEPS system as being envisaged now (giving allowance for the fact that some security aspects might have been introduced by UIDAI and not made public) may have risks that are not easily addressable in the current dispensation, and this is likely to be a honey trap that Mr Modi should guard against.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.

One Response to Is AEPS a Digital Honey Trap?… Is there an Escape Plan?

  1. Anupam Chopra says:

    Excellent research and recommendation. Can't believe the article was written in mid-2017. Great projections.
