Airtel Payments Bank was found to be illegally creating accounts for users who authenticated their Aadhaar to link their mobile SIMs with their Aadhaar number. The newly created bank accounts were naturally linked to their Aadhaar, and their subsidy and other payments through the Aadhaar bridge ended up with the Airtel Payments Bank instead of their usual accounts. The fraud came to light when a large number of people complained about missing LPG subsidies, which were found to have been routed to Airtel Bank accounts the Aadhaar holders were not even aware of having opened.

This has been extensively reported in the media, so I will look at several aspects not discussed.

It cannot just have been LPG subsidies

If the Airtel Payments Bank illegally rerouted the payments to their account, ALL payments using the Aadhaar bridge would have landed up with Airtel. Not just the LPG subsidies, which they were allegedly refunding – it is unknown to whom, as the Airtel Payments Bank is unlikely to have the alternative bank details of its customers. However, what about other payments? The Aadhaar bridge would transfer all payments issued to the Aadhaar holder to the new account. This would include funds transfers using the Aadhaar pay apps, for example. Such people would not be in large enough numbers to be taken seriously and would perhaps never know where their money went. Or they may think the person sending them money did not send it.

Due to the nature of the tech, there is no way to know which accounts and linkages were created with consent and which were a result of the fraud. There is no point at which user consent was actually recorded, so its absence cannot be used to identify a fraudulent case.

This was not just a case of missing consent, it was banking fraud

Airtel mobile and Airtel Payments Bank have separate licences for authenticating Aadhaar. Legally, Airtel Payments Bank could not use another licence to enrol customers. So what actually happened was that when Airtel mobile authenticated customers, Airtel Payments Bank, knowing that the data was valid, simply copied it from Airtel mobile, bypassing the Aadhaar authentication altogether for numbers that it knew were authentic. Even if an Airtel mobile holder had willingly opted to create an Airtel Payments Bank account, they would have had to authenticate their Aadhaar separately – IF UIDAI claims weren’t complete nonsense. However, UIDAI claims are complete nonsense and there is no way for UIDAI to know about the use or misuse of authentic Aadhaar data beyond the entity authenticating it with them.

The NPCI mapper requires separate and explicit consent for overwriting the data in the mapper.

In other words, all Airtel Payments Bank needed in order to start a new bank account for a person was to have their true demographic information. In theory, this does not have to come from Airtel mobile alone, and any source of demographic information could be misused in such a manner if it were to be guaranteed authentic – say for example a 500 rupee access to the database itself.

Not only does this expose the risks Aadhaar imposes on Aadhaar holders, it turns the idea of authorization completely upside down. Note that when such bank accounts were started, the customer did not even come to know that the account had been started, let alone fill in a form or sign an application. Aadhaar makes it easy. One number and no form needed, no signature needed – no real person needed either, if a good scammer will do.

Airtel Payments Bank was exposed, but other banks could be doing it too.

Airtel Payments Bank was exposed because, for people who held mobile SIMs, it started new accounts to route subsidies to. So when the payments went missing, there was a great hue and cry. However, banks have been relentlessly linking Aadhaar to bank accounts, and there is no way of tracking which ones are rerouting subsidies to themselves in the process – probably all – since the observed pattern appeared to be that the subsidies would be linked to the latest bank account to be linked – a particularly stupid idea given the rampant push for linkages. A person with several accounts would be more likely to link active accounts first, only to end up receiving subsidies in the obscure account they got around to linking last. But such is the world of UIDAI. Not much thought has gone into usability or security.

Regardless, it is quite safe to say that the actual scam in the Airtel Payments Bank scam – that of routing incoming money to accounts held by the bank – was likely done by ALL the banks. Except that the customers, being aware that they had the accounts, would probably find the subsidies in their other passbooks eventually instead of thinking they vanished.

This absurdity is possible because the NPCI mapper for Aadhaar bridge does not recognize an Aadhaar user as the final word on which account their subsidies should be transferred to. It sends them to whichever bank demands it claiming the Aadhaar holder as their customer. It may even turn out to be possible for banks to continue to receive money for people whose accounts get closed if they don’t link a new bank to their Aadhaar – say if the Aadhaar holder dies and the account gets closed and the heirs take their time changing the name on the LPG subscription or cancelling the pension. This is speculation, but nothing so far seems to show much verification on the part of the Aadhaar side of this blind handing over of the funds of Aadhaar holders.
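An added example, not from the original post and not NPCI's actual design: a toy routing table that shows the latest-link-wins behaviour described above beside a variant that overwrites only when the holder's own consent is attached, and that records consent so unconsented remappings can be audited afterwards. The HMAC consent tag, the holder key and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac

def consent_tag(holder_key: bytes, holder_id: str, bank: str) -> str:
    """Tag only the holder can produce; binds consent to one holder and one bank."""
    msg = f"{holder_id}|{bank}".encode()
    return hmac.new(holder_key, msg, hashlib.sha256).hexdigest()

class Mapper:
    """Toy holder -> bank routing table (constructed model, not NPCI's real design)."""

    def __init__(self, holder_keys, enforce_consent):
        self.holder_keys = holder_keys        # holder_id -> key (hypothetical holder credential)
        self.enforce_consent = enforce_consent
        self.route = {}                       # holder_id -> bank that receives payments
        self.log = []                         # (holder_id, old_bank, new_bank, consent_valid, applied)

    def link(self, holder_id, bank, tag=None):
        key = self.holder_keys.get(holder_id)
        valid = bool(key and tag) and hmac.compare_digest(
            tag, consent_tag(key, holder_id, bank))
        old = self.route.get(holder_id)
        overwrite = old is not None and old != bank
        # Without enforcement, whichever bank links last simply wins.
        applied = not (self.enforce_consent and overwrite and not valid)
        if applied:
            self.route[holder_id] = bank
        self.log.append((holder_id, old, bank, valid, applied))
        return applied

def unconsented_overwrites(log):
    """Audit: applied remappings that carry no valid holder consent."""
    return [(h, old, new) for h, old, new, valid, applied in log
            if applied and old is not None and old != new and not valid]

def run_scenario(enforce_consent):
    keys = {"HOLDER-001": b"constructed-demo-key"}   # constructed sample data
    m = Mapper(keys, enforce_consent)
    m.link("HOLDER-001", "bank_a",
           consent_tag(keys["HOLDER-001"], "HOLDER-001", "bank_a"))
    # A second bank claims the holder as its customer with no consent attached.
    m.link("HOLDER-001", "payments_bank_x")
    return m.route["HOLDER-001"], unconsented_overwrites(m.log)

if __name__ == "__main__":
    print(run_scenario(False))   # latest link wins; the audit flags the remap
    print(run_scenario(True))    # remap rejected; routing unchanged
```

The audit is only possible because each log entry records whether valid holder consent was present, which is the record the post says does not exist.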

This is the tip of the iceberg

The Airtel Payments Bank scam came to light only because enough people made enough noise to create serious alarm about missing subsidies, prompting immediate action from other quarters. Subsidies being deposited to the wrong account would not generate as much alarm. Nor would occasional payments going missing – if some bank pulls off the scam on a smaller scale. So far, UIDAI has not shown any exceptional eagerness to fix gaping security holes of this sort. There is no reason to expect that this kind of scam does not happen on a smaller scale and/or with other banks.

UIDAI has no real deterrent against misuse by the telecom operators or banks

Because the imposition of Aadhaar depends on strangling necessary services to citizens in order to force them to adopt it, the UIDAI cannot actually revoke licences for any of the major services. Legally, it is not required to link Aadhaar at least till the 31st of March 2018 – and even that is under serious challenge in the Supreme Court, while the security of UIDAI has become a laughing stock for anyone who understands tech. Any essential services that stop using Aadhaar would actually be rewarded and not punished by the revocation of their licence, because all the people who do not want to use Aadhaar would flock to such services and those who don’t mind Aadhaar would not be inconvenienced in any manner by not having to use it. So no matter the scam, the UIDAI actually has no teeth against any major service that exploits Aadhaar for profit, and all it can do is issue cover-ups in the media.

Unless, of course, UIDAI wants to publish a copy of their FIR against Airtel or revoke the licence permanently given the magnitude of the scam.

Vidyut is a commentator on socio-political issues with a keen understanding of tech and policy. She has been observing and commenting on Aadhaar since 2010 from a perspective of human rights, democracy and technological robustness.
