Gaps in the AePS transaction model

Subject: Science and Technology

Section: Awareness in IT

Concept:

Aadhaar-enabled Payment Services

Aadhaar-enabled Payment Services (AePS) is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) and Micro ATMs through the business correspondent of any bank using Aadhaar authentication.
There is no need for OTPs, bank account details, and other financial details for AePS.
It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment.

Are AePS transactions enabled by default?

Neither Unique Identification Authority of India (UIDAI) nor NPCI mentions clearly whether AePS is enabled by default.
According to UIDAI, users who wish to receive any benefit or subsidy under schemes notified under section 7 of the Aadhaar Act, have to mandatorily submit their Aadhaar number to the banking service provider.
Aadhaar is also the preferred method of KYC for banking institutions, thus enabling AePS by default for most bank account holders.

How is biometric information leaked?

While data breaches in Aadhaar have been reported in 2018, 2019, and 2022, according to UIDAI the Aadhaar data, including biometric information, is fully safe and secure.
However, UIDAI’s database alone is not the only location where data can be leaked.
Aadhaar numbers are readily available in the form of photocopies, and soft copies, and criminals are using Aadhaar-enabled payment systems to breach user information.

How the Aadhaar biometric information could be secured?

Aadhaar (Sharing of Information) Regulations, 2016: The UIDAI is proposing an amendment to the regulations, which will require entities in possession of an Aadhaar number to not share details unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.
Authentication:The UIDAI has also implemented a new two-factor authentication mechanism that uses a machine-learning-based security system, combining finger minutiae and finger image capture to check the liveness of a fingerprint.
Locking Aadhaar:Additionally, users are also advised to ensure that they lock their Aadhaar information to ensure that their biometric information, even if compromised, cannot be used to initiate financial transactions.
Aadhaar can be unlocked when the need for biometric authentication arises, such as for property registration and passport renewals, after which it can again be locked..