Hyderabad: Cybercrime gangs that use skimmer devices to steal credit and debit card information have started applying the same modus operandi to obtain biometric authentication data and steal Aadhaar information.

While the government has made Aadhaar verification mandatory for the authentication of various welfare schemes, cybercrime experts have alerted the public to the possibility of data theft through the use of biometric skimmers.

Meanwhile, oblivious of this development, banks are considering upgrading automated teller machines (ATMs) with biometric authentication facilities, which they believe to be more secure than PINs and OTPs.

Sandeep Mudalkar, a private cybercrime investigator, says the Delhi Police have identified some criminal gangs that have been able to obtain SIM cards through the use of fake Aadhaar cards containing the personal details of unsuspecting individuals. “Initially, the police suspected that the Aadhaar centre organisers had a role to play in this. But they found that biometric skimmers had been used to produce the cloned cards in at least some of the cases. An investigation into this is underway,” he says.

He says that criminal gangs have been known to use skimmers at ATMs and point of sale (POS) machines to steal information from the cards being swiped there. “Later, the gangs clone the cards and misuse them. This has caused banks to suffer losses amounting to hundreds of crores of rupees. Biometric skimmers are much more advanced than card skimmers; they are equipped with Wi-Fi and Bluetooth facilities,” he says.

Mr Mudalkar says that after stealing information through the use of biometric skimmers, the gangs use thermostat technology to make masks of the fingerprints. “During a recent conference on Cyber Security held in Delhi, cyber crime investigators from various countries said that there were about 12 firms across the globe that manufactured such devices. Of the 12 firms, nine manufacture fingerprint and palm-print stealing devices, and the three others manufacture iris pattern stealing devices,” he says.

Card skimmers were used to perpetrate frauds in developed countries between 2003 and 2014. Such frauds began in India in 2008, when the first case of credit card cloning was registered in Kolkata. Similarly, while biometric skimmers have been used by criminals abroad since 2015, cybercrime experts expect it to take some time for their use to become widespread in Telangana and the other south Indian states. However, they advise the public to remain alert while providing biometric authentication.

How it’s done

12 firms across the globe manufacture biometric skimmers capable of stealing fingerprint, palm vein and iris recognition data.

Criminals use these skimmers to steal data and then transfer it to a remote location through the use of thermostat devices.

With governments making biometric authentication mandatory, cyber gangs have the opportunity to use stolen biometric data to commit frauds.

At present, there are five ways in which biometric authentication is used at ATMs. In one approach, fingerprints are used as a replacement for PINs.

Cybercrime investigator Sandeep Mudalkar says that biometric skimmers broadcast information via Bluetooth. These Bluetooth devices are generally listed as HC-05 and have the password 1234. If customers find HC-05 listed among the Bluetooth devices in their vicinity, they should avoid conducting any biometric transactions.

The Bluetooth module used in such skimmers is extremely common and may also be used in legitimate products and educational kits.