How to Stop AePS Fraud: Lock Aadhaar Biometrics Online

We have been taught one rule for banking safety: “Never share your OTP.”

But what if I told you that hackers can empty your bank account without your OTP, without your Debit Card, and without hacking your password?

In 2025, this is the reality of AePS (Aadhaar Enabled Payment System) Fraud. Criminals are using stolen fingerprint data to withdraw money from your account while you are sleeping.

In this CSNR Cyber Awareness guide, we explain how this “Silent Scam” works and the single most important setting you must change on the UIDAI portal today to protect your life savings.

What is AePS? (The Loophole)

AePS was designed to help people in rural India withdraw money using just their Aadhaar Number and Fingerprint. No card or PIN is needed.

The Scam:

  1. Data Theft: Scammers buy fingerprint data from hacked land registry offices or property document leaks.

  2. Cloning: They create a “Silicone Thumb” using your stolen fingerprint image.

  3. Theft: They go to any rural CSP (Customer Service Point), enter your Aadhaar number, use the fake thumb, and withdraw cash.

  4. No Alert: Since the system thinks you are authenticating the transaction with your finger, no OTP is sent to your phone. You only get an SMS saying “Rs. 10,000 Debited.”



The Solution: “Lock” Your Biometrics

The Unique Identification Authority of India (UIDAI) provides a “Lock” switch. When enabled, your fingerprint and iris scan cannot be used for authentication. Even if a hacker has your silicone thumbprint, the system will reject the transaction saying “Biometric Locked.”

Step-by-Step Guide: How to Lock It (Takes 2 Minutes)

You can do this via the mAadhaar App or the UIDAI Website. We recommend the App for ease of use.

Method 1: Using the mAadhaar App (Recommended)

  1. Download: Install the official mAadhaar app from the Play Store or App Store.

  2. Login: Register with your mobile number linked to Aadhaar.

  3. Go to Profile: Tap on “My Aadhaar” and enter your 4-digit PIN.

  4. Find the Switch: Scroll down to find “Biometric Lock”.

  5. Activate: Tap it. You will receive an OTP. Enter it to confirm.

    • Status: Your screen will show a “Red Padlock” icon. 🔒

    • Result: Your biometrics are now disabled for AePS.

Method 2: Using the UIDAI Website

  1. Go to myaadhaar.uidai.gov.in.

  2. Login with Aadhaar Number + OTP.

  3. Click on the card that says “Lock/Unlock Biometrics”.

  4. Follow the instructions to confirm the lock.


When Should You “Unlock”?

You only need to unlock it when YOU need to use your fingerprint. Examples:

  • Buying a new SIM card.

  • Registering a property.

  • Giving attendance at a government office.

How to Unlock: Open the App > Click “Unlock Biometrics”.

  • Temporary Unlock: Opens for 10 minutes (Good for SIM KYC).

  • Disable Lock: Permanently removes the lock (Not Recommended).


How to Check if You Are Already a Victim?

If you suspect foul play, check your bank statement for transaction codes like:

  • AePS WDL (Withdrawal)

  • CW Dr (Cash Withdrawal Debit)

If you see these and you didn’t make the withdrawal:

  1. Lock Biometrics Immediately.

  2. Call 1930: Report the financial fraud.

  3. Visit Bank: Dispute the transaction under “Unauthorized Electronic Banking Transaction” rules.
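An added example, not part of the original guide: a small Python check that scans an exported statement for debit entries carrying the narration codes listed above. The CSV column names and sample rows are constructed, and narration formats differ between banks, so treat the pattern as an assumption to adapt.

```python
import csv
import io
import re
from decimal import Decimal

# Narration markers named in this guide. Real narration formats vary by bank,
# so the flexible spacing/separators here are an assumption.
AEPS_MARKERS = re.compile(r"\bAePS[\s/_-]*WDL\b|\bCW[\s/_-]*Dr\b", re.IGNORECASE)

# Constructed sample statement (not real data). Column names are assumed.
SAMPLE_STATEMENT = """date,narration,debit,credit
2025-01-03,UPI/grocery store,450.00,
2025-01-05,AEPS WDL/CSP 00000/XXXX1234,10000.00,
2025-01-05,Salary credit,,52000.00
2025-01-06,aeps-wdl reversal,,10000.00
2025-01-09,CW DR micro ATM,5000.00,
2025-01-10,NEFT rent payment,18000.00,
"""

def find_aeps_debits(statement_csv):
    """Return (date, narration, amount) for each debit row with an AePS marker."""
    hits = []
    for row in csv.DictReader(io.StringIO(statement_csv)):
        narration = (row.get("narration") or "").strip()
        debit = (row.get("debit") or "").replace(",", "").strip()
        if not debit or not AEPS_MARKERS.search(narration):
            continue  # credits/reversals and unrelated rows are skipped
        hits.append((row["date"], narration, Decimal(debit)))
    return hits

def summarize(hits):
    """Total flagged amount and the distinct days on which debits occurred."""
    total = sum((amount for _, _, amount in hits), Decimal("0"))
    days = sorted({date for date, _, _ in hits})
    return total, days

if __name__ == "__main__":
    flagged = find_aeps_debits(SAMPLE_STATEMENT)
    for date, narration, amount in flagged:
        print(f"{date}  Rs. {amount}  {narration}")
    total, days = summarize(flagged)
    print(f"Review {len(flagged)} debit(s) totalling Rs. {total} on {days}")
```

Any row it flags that you do not recognise is one to raise with the bank when you dispute the transaction.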


Convenience vs. Security

For city dwellers who use Debit Cards and UPI, AePS is a liability, not a feature. You rarely use your fingerprint for payments.

Leaving your biometrics “Unlocked” is like leaving your house door open because you might want to walk out someday. It makes no sense.

Take Action Now: Pick up your phone, download mAadhaar, and LOCK your biometrics. It is the only firewall between your hard-earned money and a silicone thumb.

Our Analysis / Expert Opinion

At CSNR, we investigated the specific loophole in the Indian banking system that allows AePS fraud to happen. We also stress-tested the UIDAI locking mechanism to see if it actually stops unauthorized withdrawals.

1. The “No-OTP” Loophole (Why You Are Vulnerable)

Most people think: “My bank is safe because I never share my OTP.”

Our Technical Breakdown: The AePS (Aadhaar Enabled Payment System) was designed for rural connectivity, allowing people to withdraw money using only their Fingerprint + Aadhaar Number.

  • The Flaw: This system does not trigger an OTP. It does not send a confirmation SMS until after the money is gone.

  • The Attack: Hackers buy your “Silicone Fingerprint” (cloned from property registration documents or old biometric data) and use it at a remote village micro-ATM. Your bank thinks it is you.

Verdict: If you live in a city and use UPI/Cards, you have zero need for AePS. Leaving it active is like leaving your front door open.

2. The “Lock” Efficiency Test

We tested the lock mechanism using the mAadhaar App and visited a local CSP (Customer Service Point) to attempt a cash withdrawal.

  • Test 1 (Unlocked): The transaction went through instantly.

  • Test 2 (Biometrics Locked): We locked the biometrics on the app. The CSP device immediately threw Error Code 330 (“Biometrics Locked”). The transaction failed before it could even reach the bank.

Expert Insight: The lock is instant. There is no waiting period. Once you toggle that switch in the app, your fingerprint becomes useless to hackers.

3. The “10-Minute” Unlock Rule

A common fear is: “What if I need to buy a SIM card or verify my KYC?”

Our Experience: You do not need to permanently disable the lock.

  • The Feature: Use the “Temporary Unlock” feature.

  • How it works: It opens your biometrics for exactly 10 minutes. We tested this while buying a Jio SIM. We unlocked it, gave the fingerprint, and by the time we walked out of the store, it had auto-locked itself.

Final Advice: Never choose “Disable Lock.” Always use “Temporary Unlock.” It is the safest habit to build.
