Fraudsters based in Bihar lifted thumb impressions from documents published on a Haryana government website and used them to withdraw money from victims' bank accounts through the Aadhaar-enabled Payment System (AEPS) on point-of-sale (POS) devices.
According to the Faridabad police, the scammers accessed jamabandi.nic.in and downloaded registered sale deeds. They copied the thumb impressions of the parties to those deeds and cast them as silicone thumbs, then presented the fake prints, together with other personal details, to make cash withdrawals. AEPS authenticates a withdrawal with the customer's Aadhaar number, bank name and a fingerprint match; no card or PIN is involved, so a convincing fake finger plus the right identity details is enough to drain an account.
DCP Nitish Aggarwal has informed the Director of Land Records about the situation. “Because of easy availability of data, it is recommended that only the first page of the sale deed be made visible for the general public,” Aggarwal explained. He also suggested that the website be audited to find any loopholes.
The scheme came to light during the investigation of a case in which a Ballabhgarh resident lost Rs 30,000 from her bank account to fraudulent withdrawals shortly after registering a deed. Three people were detained in Purnea, Bihar. Inspector Basant Kumar said, “They knew about these loopholes as they had worked at a common service centre in Bihar.” The Director of Land Records could not be reached for comment.
Speaking to News18, Venkatesh Sundar, co-founder and CMO of Indusface, a Tata Growth Capital-backed SaaS business, said, “The core of the issue here is that a hacker got visibility into an ‘application loophole’, access to fingerprint data of a user in a sale deed form, before the application owners were aware of this risk or had time to fix it (in case they were aware of it).”
“In this case, an ‘application loophole’ was exploited to get access to fingerprint data of other users, and it was used to create payment fraud. In another application it can be the same fundamental problem, for example getting access to the past three transactions from a credit card or a bank statement, which can be used for verification on behalf of a client to create other types of fraud. The focus should not be on what type of fraud was committed, but on what caused it to be enabled and how one can mitigate it,” he added.