Bengaluru cops clamp down on cybercrime using biometrics from land records, Aadhaar-enabled payments

The police have managed to get the Karnataka Revenue Department to remove Aadhaar and biometric data from online land records.

By Bellie Thomas

Published Jan 18, 2024 | 7:00 AM | Updated Jan 18, 2024 | 7:33 AM

Both Achu and Geethu have approached the police against the cyber attack. (Creative Commons)

The Bengaluru City Police have, to a considerable extent, put the brakes on the increasing number of cybercrime cases in which cybercriminals access the biometrics of victims.

The cybercriminals were allegedly accessing the biometric data from land records downloaded from government portals and with the help of Aadhaar card numbers.

With these, they were allegedly siphoning off lakhs of rupees from the bank accounts of unsuspecting property owners in Bengaluru and other parts of Karnataka.

Karnataka’s Police Department had recently written to the state’s Revenue Department explaining the modus operandi of the cyber-frauds and directed its officials to create a foolproof cybersecurity system for the Karnataka government’s Kaveri portal.

The Police Department asked the revenue officials to ensure that the system had strong security features so that third-party members or cybercriminals could not access any land documents that have biometrics of the property owners or their Aadhaar card numbers.

Based on the letter, the revenue officials made changes to the Kaveri portal, enhancing its cybersecurity features.

They also removed the portal's biometrics pages and made changes so that Aadhaar numbers were no longer displayed.

The arrests

A senior police officer told South First that there was a total of 128 Aadhaar-enabled Payment System (AePS) cases registered at various police stations across Bengaluru, including the eight Cybercrime Economic and Narcotics (CEN) police stations.

The city’s Northeast Division police arrested two persons in November last year from Krishanganj in Bihar who were agents of a micro-ATM system in the rural part of that state.

They were identified as Mohammad Parvez Ezdani Ansari (26) and Abuzar Shamim Akhtar (20).

“The duo, while working in the villages of Bihar, learnt about loopholes while accessing the land records with thumb impressions, even as unsuspecting villagers shared their Aadhaar numbers,” said police sources.

“They, however, did not commit any offences there in Bihar. They came down to Bengaluru and started this as a full-time job,” added the police sources.

Upon further probing, the city police learnt that the cyber-fraudsters had a deep-rooted network, and had even started a customer service centre locally.

It was then that the special police teams probing the cases arrested five others — identified as Muthi-Ur-Rehman, Abuzar, Mohammad Parwez, Mohammed Arif, and Nazeer Ahmed.

All of them were again natives of Bihar, but had also worked in Uttar Pradesh and Delhi, police sources added.

Several cases

With the arrest of these seven people, the police solved six separate cases.

According to police sources, the agents who collect the biometrics and Aadhaar numbers would sell them to cyber-criminals for thousands of rupees per set.

They added that the cyber-criminals would then use the AePS to siphon off money from the bank accounts of unsuspecting property owners.

South First, in November 2023, brought to light the plight of a few victims who were conned using this modus operandi.

Multiple withdrawals were made from the bank account of Ramanjinappa — one of the victims — since 7 October last year without his knowledge.

On three occasions, ₹10,000 each was withdrawn. The fourth transaction showed a withdrawal of ₹9,500, while another ₹4,300 was taken away on 25 October.

He swore to the police that he had not shared any One-Time Password (OTP) with anyone or received any suspicious phone calls or emails.

It was later that the police explained to Ramanjinappa the modus operandi of these cyber-criminals.

The modus operandi

Crooked agents who registered with government portals such as Kaveri 2.0 would access and download land documents that would have thumb impressions of owners.

They also managed to collect the Aadhaar numbers of these people from the portal, and would then sell the biometric and Aadhaar data to cyber-criminals for at least ₹5,000 per set.

The cyber-criminals would replicate the thumb impressions onto a silicone rubber sheet, with which they would activate the AePS facility.

Then they would siphon off money through point-of-sale (PoS) machines — the kinds used in many shops these days to make payments — that they would operate from remote locations in different states.

That’s exactly how Ramanjinappa lost money through no fault of his.

“There is a withdrawal limit of ₹10,000 at a time and ₹25,000 each day. This prevents crooks from withdrawing large amounts. So, they keep trying on multiple days to take whatever they can,” a senior police officer told South First.
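The pattern the officer describes, withdrawals at or just under the per-transaction limit repeated over several days from terminals in other states, is something a bank or AePS operator can screen for. The sketch below is an added illustration, not part of the original report or any bank's actual rules; the thresholds `NEAR_CAP_RATIO` and `MIN_DAYS`, the account labels and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date

PER_TXN_CAP = 10_000    # rupees per withdrawal, as quoted in the article
PER_DAY_CAP = 25_000    # rupees per day, as quoted in the article
NEAR_CAP_RATIO = 0.9    # assumption: >= 90% of the cap counts as "near cap"
MIN_DAYS = 3            # assumption: near-cap debits on 3+ days need review

# Constructed sample. acct-A uses the amounts from the victim's case; all
# dates except 7 and 25 October, and every terminal location, are invented.
HOME_STATE = {"acct-A": "Karnataka", "acct-B": "Karnataka", "acct-C": "Karnataka"}
SAMPLE = [
    ("acct-A", date(2023, 10, 7), 10_000, "other-state"),
    ("acct-A", date(2023, 10, 11), 10_000, "other-state"),
    ("acct-A", date(2023, 10, 16), 10_000, "other-state"),
    ("acct-A", date(2023, 10, 20), 9_500, "other-state"),
    ("acct-A", date(2023, 10, 25), 4_300, "other-state"),
    ("acct-B", date(2023, 10, 9), 10_000, "Karnataka"),   # one local withdrawal
    ("acct-B", date(2023, 10, 30), 2_000, "Karnataka"),
    ("acct-C", date(2023, 10, 12), 10_000, "other-state"),
    ("acct-C", date(2023, 10, 12), 10_000, "other-state"),
    ("acct-C", date(2023, 10, 12), 5_000, "other-state"),
]

def review_aeps_debits(txns, home_state):
    """Return {account: [reasons]} for AePS debits that warrant manual review."""
    near_cap_days = defaultdict(set)   # account -> days with a near-cap remote debit
    daily_total = defaultdict(int)     # (account, day) -> rupees withdrawn that day
    for acct, day, amount, terminal_state in txns:
        daily_total[(acct, day)] += amount
        remote = terminal_state != home_state.get(acct)
        if remote and amount >= NEAR_CAP_RATIO * PER_TXN_CAP:
            near_cap_days[acct].add(day)
    findings = defaultdict(list)
    for acct, days in near_cap_days.items():
        if len(days) >= MIN_DAYS:
            findings[acct].append(f"near-cap remote withdrawals on {len(days)} days")
    for (acct, day), total in daily_total.items():
        if total >= PER_DAY_CAP:
            findings[acct].append(f"daily limit reached on {day.isoformat()}")
    return dict(findings)

if __name__ == "__main__":
    for acct, reasons in review_aeps_debits(SAMPLE, HOME_STATE).items():
        print(acct, reasons)
```
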

The warning

The cyber fraudsters have already conned hundreds of victims using this modus operandi. To date, at least 128 such cases have been taken up by the police in Bengaluru and Karnataka, who have formed special teams to probe them.

With the recent changes made to the Kaveri portal, this modus operandi appears to have reached a dead end.

However, a team of cyber experts is also analysing whether there could be other loopholes in other government websites, a senior police officer said.

The Bengaluru City Police’s Northeast Division Deputy Commissioner of Police (DCP) BS Laxmi Prasad told South First: “The Kaveri portal has already been changed, with the removal of Aadhaar numbers and biometric pages. Yet, fresh cases may happen because of earlier downloads or some other source of biometric leaks.”

She added: “However, the number of new such cases has gone down significantly after the changes.”

The DCP cautioned: “Citizens should be vigilant about not sharing passwords, PINs, or OTPs, or even clicking on random or dubious hyperlinks sent to their phone or social media account.”

She added: “One should also update the antivirus software on both the mobile and computers from time to time. People should also not transfer money if someone said they were a crime branch or narcotics official and were investigating FedEx courier packages containing drugs.”