In March 2026, Priya Mehta from Pune discovered that someone had withdrawn ₹4.2 lakh from her linked bank account using cloned fingerprints at an Aadhaar-enabled payment system (AePS) kiosk in Kolhapur — she had never visited that district, and her phone showed no OTP alerts because fingerprint authentication bypassed SMS completely.
Citizen Crisis Response Network
Follow this checklist within 72 hours to freeze biometric access, file an FIR, notify UIDAI, and initiate bank recovery before the trail goes cold.
1. Lock your Aadhaar biometrics immediately via the UIDAI m-Aadhaar app or myaadhaar.uidai.gov.in.
2. File an FIR for cheating by personation and identity theft — citing the cheating and personation provisions of the Bharatiya Nyaya Sanhita (BNS) 2023 and sections 66C and 66D of the Information Technology Act 2000 — within 24 hours.
3. Lodge a complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in) with transaction logs.
4. Notify your bank in writing, citing the Reserve Bank of India's customer-protection framework on unauthorised electronic banking transactions, and demand provisional credit within 10 working days.
5. Request your Aadhaar authentication logs from UIDAI.
6. Preserve all device logs, SMS records, and location data proving you were elsewhere.
7. Engage a cyber forensics expert if the claim is large, to support criminal and civil recovery.
Fingerprint cloning fraud exploits biometric authentication systems by creating synthetic or lifted fingerprints from surfaces, photographs of fingers, or high-resolution scans obtained through phishing, corrupt AePS operators, or hacked enrollment databases. Law-enforcement and banking advisories have reported a sharp rise in biometric and AePS-related fraud in recent years, primarily targeting Aadhaar-enabled payment systems, ration card portals, and digital locker services.
The process typically unfolds as follows: an attacker lifts a latent fingerprint from a glass, mobile screen, or public kiosk touchpad, digitizes it using commercially available scanners, and creates a silicone or gelatin mold. This synthetic fingerprint is then pressed onto capacitive fingerprint sensors at AePS kiosks or banking correspondents. Because many legacy sensors lack liveness detection — the ability to distinguish live skin from synthetic material — the cloned print can pass authentication, granting the attacker access to linked bank accounts, subsidies, or pension disbursements.
Warning — Aadhaar fingerprint authentication does not require OTP or device binding, so victims often discover fraud only when checking passbooks or receiving low-balance alerts days or weeks later.
AePS-related fraud is reported most often in states with very high AePS transaction density, and fraudsters frequently operate through shell business correspondent networks, processing several fraudulent withdrawals before disappearing.
The legal and technical challenge lies in proving that the authentication was non-consensual and that the biometric data was cloned rather than voluntarily provided. Courts increasingly accept electronic and forensic evidence, but victims must act within narrow statutory windows to preserve digital audit trails and invoke statutory liability protections.
Fingerprint cloning fraud is prosecuted under the Bharatiya Nyaya Sanhita (BNS) 2023 (the new penal code, in force from 1 July 2024) together with the Information Technology Act 2000. Under the BNS, section 318 covers cheating, and section 318(4) — cheating and dishonestly inducing delivery of property — carries imprisonment up to seven years and a fine; an AePS fraud that dishonestly induces the bank to release money falls here. Section 319 covers cheating by personation, punishable with imprisonment up to five years, or fine, or both.
The computer-related and identity-theft elements are prosecuted under the Information Technology Act 2000: section 66C punishes identity theft — the fraudulent or dishonest use of another person's electronic signature, password, or other unique identification feature, including biometric identifiers — with imprisonment up to three years and a fine up to ₹1 lakh. Section 66D punishes cheating by personation using a computer resource, also up to three years and a fine. Section 43 imposes civil liability for unauthorized access to a computer resource, with compensation determined in adjudication.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, as amended in 2019, governs the collection, storage, and authentication of biometric data. Section 28 requires UIDAI to ensure the security and confidentiality of identity information and authentication records. Section 29 restricts the sharing of identity information and prohibits sharing of core biometric information (fingerprints, iris scans) for any reason other than Aadhaar generation and authentication. Residents can obtain their own authentication history, and the technical detail of authentication logging is governed by the Aadhaar (Authentication and Offline Verification) Regulations.
Most citizens miss this — UIDAI lets every resident lock and unlock biometric authentication temporarily or permanently, free of charge, via the UIDAI portal or m-Aadhaar app. While the lock is on, fingerprint and iris authentication is disabled across AePS, e-KYC and other services.
In practice, sections 66C and 66D of the IT Act are the most reliable provisions for biometric and AePS fraud, because they squarely cover the dishonest use of stolen identification features and online personation, and there is well-developed case law under them.
The Reserve Bank of India's framework on limiting the liability of customers in unauthorised electronic banking transactions (RBI circular dated 6 July 2017) gives customers zero liability where the loss arises from a third-party breach in the banking system and is reported promptly. Banks must credit the disputed amount provisionally within ten working days pending investigation, and the burden of proving customer liability lies on the bank.
The first 24 hours determine whether you preserve evidence, freeze further fraud, and meet statutory reporting windows. Begin by locking your Aadhaar biometric authentication immediately. Open the m-Aadhaar app (available on Android and iOS) or visit myaadhaar.uidai.gov.in, log in using your 12-digit Aadhaar number and OTP sent to your registered mobile, navigate to “Lock/Unlock Biometrics,” and toggle the lock. This disables fingerprint and iris authentication across all platforms — AePS, e-KYC, digital locker — until you manually unlock it.
Simultaneously, contact your bank's 24×7 customer care and request an immediate freeze on AePS and biometric transactions. Send a written complaint via email to the bank's nodal officer (name and contact available on the bank's website under “Customer Grievances”) as soon as possible. Cite the RBI customer-protection framework on unauthorised electronic banking transactions and demand provisional credit under the zero-liability rule.
Do this immediately — Take screenshots of your m-Aadhaar biometric lock confirmation, bank account statement showing unauthorized debits, and your mobile location history (Google Timeline or Apple Significant Locations) proving you were not at the fraud site.
Visit the nearest police station within 24 hours to file a First Information Report (FIR). Carry printed copies of: (1) Aadhaar card, (2) bank statement showing debits, (3) m-Aadhaar lock confirmation, (4) timeline proof (location data, office attendance, travel tickets), and (5) a written complaint detailing the fraud. Insist on an FIR for cheating by personation and identity theft under the BNS 2023 and sections 66C and 66D of the IT Act. If the Station House Officer (SHO) refuses, invoke section 173 of the Bharatiya Nagarik Suraksha Sanhita (BNSS) 2023, which requires registration of information about a cognizable offence (and allows a “zero FIR” at any police station), and request the SHO's name and reasons in writing.
Simultaneously, file an online complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in) operated by the Ministry of Home Affairs. This creates a parallel digital record and routes your complaint to the local Cyber Crime Police Station for concurrent investigation.
Preserve all digital evidence on your devices. Do not factory-reset phones, uninstall apps, or delete messages. Back up SMS logs, WhatsApp chat exports, email threads, and bank app notifications to cloud storage and external drives. Courts and forensic experts require unaltered, timestamped data.
Your FIR must clearly invoke the relevant offences, describe the modus operandi, quantify the loss, and list all evidence. Begin the narrative by stating your name, Aadhaar number (masked: XXXX XXXX 1234), address, and the date-time you discovered the fraud. Mention the exact amount debited, the AePS transaction IDs (visible in bank statements), and the geographic location of the fraudulent kiosk or business correspondent (BC) as per transaction metadata.
Invoke these offences explicitly: BNS 2023 section 318(4) (cheating and dishonestly inducing delivery of property), BNS 2023 section 319 (cheating by personation), and sections 66C (identity theft) and 66D (cheating by personation using a computer resource) of the IT Act 2000.
Trust signal — Courts and banks give greater weight to FIRs that cite precise statutory provisions, include verifiable digital evidence, and are filed within 24–48 hours of discovery.
List evidence chronologically: (1) Bank statement showing debits, (2) Aadhaar authentication logs (request from UIDAI post-FIR), (3) mobile location history proving physical distance from fraud site, (4) m-Aadhaar biometric lock confirmation, (5) CCTV footage from your actual location during fraud window (office, home society), (6) witness statements (colleagues, family), (7) technical analysis reports if already obtained.
Request the investigating officer to: (1) seize the AePS device and BC registration documents from the fraudulent kiosk, (2) obtain transaction logs from the Aadhaar Authentication User Agency (AUA) and the bank's sponsor bank, (3) secure CCTV footage from the kiosk and adjacent areas, (4) issue a notice to UIDAI under section 94 of BNSS 2023 (summons to produce a document or thing, including electronic records) to produce authentication metadata, and (5) send seized devices and any synthetic fingerprint materials to the State Forensic Science Laboratory (FSL) for liveness analysis.
Obtain a stamped, signed FIR copy with a unique Crime Registration Number (CRN) or FIR number. This document is mandatory for all downstream recovery actions — bank claims, insurance, civil suits, and UIDAI complaints.
The Unique Identification Authority of India (UIDAI), headquartered in New Delhi and accessible at uidai.gov.in, maintains authentication logs. Submit a formal complaint via the UIDAI grievance portal (uidai.gov.in/contact-support/grievance-redressal.html) or by registered post to:
Unique Identification Authority of India
Regional Office (select your state), or
UIDAI Headquarters, 3rd Floor, Tower I, Jeevan Bharati Building, Connaught Circus, New Delhi – 110001
Your letter must include: (1) masked Aadhaar number, (2) registered mobile number, (3) FIR copy, (4) details of fraudulent transactions (date, time, AUA name, transaction ID), (5) request for authentication logs covering a window around the fraud, and (6) a request that your Aadhaar be flagged for review owing to suspected fraud.
Authentication logs can reveal: the device ID of the AePS terminal, location data, timestamp, authentication success/fail status, and AUA name (bank or payment aggregator). If the logs show authentication attempts from multiple locations simultaneously, or from devices you never used, this supports evidence of cloning.
Citizen tip — Ask UIDAI to flag your Aadhaar for enhanced monitoring under the Aadhaar (Authentication) Regulations, which let UIDAI act on suspected authentication fraud.
If UIDAI does not respond in reasonable time, file an RTI application under the Right to Information Act 2005 to the Central Public Information Officer (CPIO), UIDAI, requesting: (1) copies of all authentication logs for your Aadhaar number from [start date] to [end date], (2) names and registration details of all AUAs that authenticated your Aadhaar during that window, (3) details of any complaints or fraud flags associated with your Aadhaar, and (4) the status of your grievance ticket. You can use the Citizen Crisis Response Network's RTI drafter (https://righttoinformation.wiki/tools/rti-assistant) to generate a compliant application.
Simultaneously, notify the bank in writing that you have requested UIDAI logs and instruct the bank to freeze all biometric authentication channels until forensic analysis is complete. This written notice strengthens any claim of bank negligence for fraudulent transactions that occur after your notice.
The Reserve Bank of India's framework on limiting the liability of customers in unauthorised electronic banking transactions (RBI circular dated 6 July 2017) sets the liability standards for unauthorized electronic transactions. If you report the fraud promptly — within three working days of receiving communication about the transaction — and the loss arises from a third-party breach in the banking system, you bear zero liability and the bank must refund the amount. Reporting after that window attracts limited, tiered liability depending on your account type, capped per the circular. Beyond the prescribed period, liability is determined case-by-case, but banks cannot deny claims solely because biometric authentication succeeded, and the burden of proving customer liability lies on the bank.
Send a written complaint to the bank's nodal officer (details on bank website) via registered post and email as soon as possible after discovery. Your letter must state:
Subject: Unauthorized AePS Transactions Due to Fingerprint Cloning Fraud — Zero Liability Claim
Include: (1) account number, (2) Aadhaar number (masked), (3) list of fraudulent transactions with dates and amounts, (4) FIR copy, (5) m-Aadhaar lock confirmation, (6) declaration that you did not authorize the transactions, (7) evidence of your physical location during fraud, (8) demand for provisional credit within 10 working days as per the RBI customer-protection framework.
If the bank does not credit your account within 10 working days, escalate to the Banking Ombudsman under the RBI Integrated Ombudsman Scheme 2021. File the complaint online at cms.rbi.org.in or via registered post. The Ombudsman has jurisdiction over disputes involving unauthorized electronic transactions and can award compensation up to ₹20 lakh.
Most citizens miss this — The Banking Ombudsman cannot entertain complaints if a civil suit on the same matter is pending. File the Ombudsman complaint first; escalate to court only if the Ombudsman's award is unsatisfactory.
If the loss is large or the bank denies liability, consider filing a civil suit for recovery in the competent court. You may claim: (1) the principal amount lost, (2) interest from the date of fraud, (3) compensation for mental agony, and (4) litigation costs. The burden-of-proof rule under the RBI customer-protection framework — that the bank must prove customer liability — works strongly in your favour where you establish a prima facie case of cloning through your alibi, device logs, and forensic evidence.
Banks often settle before trial if you produce strong forensic evidence and demonstrate that the fraud exploited the bank's failure to deploy adequate biometric security, such as liveness-detection sensors, as expected under RBI's digital-payment security directions.
The National Cyber Crime Reporting Portal (cybercrime.gov.in) is the central clearinghouse for cyber fraud complaints in India, managed by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs. Filing a complaint here in addition to the FIR ensures your case is tracked nationally and routed to specialized Cyber Crime Police Stations.
Log in using your mobile number, select “Report Other Cyber Crime,” and choose the most appropriate financial-fraud category (Aadhaar-enabled Payment System / AePS fraud). Provide: (1) FIR number and police station, (2) transaction details, (3) suspect AePS kiosk address, (4) bank account and Aadhaar number, (5) attachments (FIR copy, bank statement, authentication logs if available), (6) brief narrative.
You will receive an acknowledgment number. Track your complaint via the portal dashboard. The system auto-routes complaints to the jurisdictional Cyber Crime Police Station and to the financial-fraud units where monetary loss is significant.
Do this immediately — Screenshot the complaint acknowledgment page with the tracking number and date-time stamp; banks and courts treat this as corroborative evidence that you reported fraud promptly.
If no action is taken within a reasonable time, escalate by writing to the Superintendent of Police (Cyber Crime) of your district. Mention your FIR number and Cyber Crime Portal acknowledgment number, and request a progress report. Copy the letter to the Inspector General of Police (Cyber) at state headquarters and to the I4C nodal officer.
For large or organized fraud, request the investigating officer to consider provisions of the Prevention of Money Laundering Act (PMLA) 2002. Fingerprint cloning fraud often involves layered transactions across multiple accounts; where the trail suggests organized fraud, PMLA attachment orders can freeze suspect accounts and help recover assets.
Additionally, call the Cyber Crime Helpline 1930, a 24×7 service for immediate assistance, account-freezing requests, and suspect mobile/bank-account blocking. This helpline can coordinate with banks to freeze suspect accounts quickly if you provide transaction IDs and beneficiary account details.
If criminal recovery is delayed or the bank disputes liability, file a civil suit in the competent court for: (1) recovery of principal, (2) interest, (3) damages, and (4) a permanent injunction restraining further misuse of your biometric data.
For banking and financial-services disputes above the prescribed threshold, the matter is filed in the Commercial Court under the Commercial Courts Act 2015, which follows a fast-track timeline. For lower-value claims, file in the regular civil court or consider the Consumer Disputes Redressal Commission under the Consumer Protection Act 2019 for faster adjudication.
Your plaint may assert: recovery of the principal amount lost, interest from the date of fraud, compensation for mental agony, litigation costs, a permanent injunction restraining further misuse of your biometric data, and the bank's negligence in failing to deploy adequate biometric security such as liveness-detection sensors.
Attach: FIR copy, UIDAI authentication logs, bank correspondence, Ombudsman order (if any), forensic expert report, medical certificate (if mental-health impact is documented), witness affidavits.
Trust signal — Consumer and civil forums have awarded compensation in biometric and AePS fraud cases where banks were shown to be negligent or slow to respond. Cite recent judgments from your own High Court or the consumer commissions for persuasive precedent.
Request interim relief: an ad-interim injunction restraining the bank from reporting you as a defaulter to credit bureaus (CIBIL, Experian, Equifax, CRIF) and seeking provisional credit pending final decree. Courts grant such relief where you demonstrate a strong prima facie case and irreparable harm.
If the civil court is slow, consider concurrently filing a consumer complaint before the State Consumer Disputes Redressal Commission or the National Consumer Disputes Redressal Commission (NCDRC) under the Consumer Protection Act 2019. These commissions have jurisdiction over banking services. Section 2(11) of the Act defines “deficiency” broadly, covering any fault, imperfection, shortcoming or inadequacy in service — including failure to adopt reasonable security standards.
Biometric fraud cases hinge on forensic evidence proving that the authentication was non-consensual and involved cloned fingerprints. Courts accept the following categories:
1. Liveness detection failure reports: If the fraudulent transaction used a synthetic fingerprint, a forensic examination of the AePS device can reveal that the sensor lacks capacitive or thermal liveness detection. Expert reports from the State FSL or CERT-In empanelled labs demonstrating sensor inadequacy support negligence claims against the bank and AUA.
2. Authentication log analysis: UIDAI logs showing authentication attempts from geographically distant locations within an impossibly short interval, or repeated failed attempts followed by a sudden success, can indicate cloning attacks. Timestamped analysis by qualified cyber forensic experts (such as CERT-In empanelled examiners) is admissible as electronic evidence — under the Bharatiya Sakshya Adhiniyam (BSA) 2023, section 63, which replaced section 65B of the old Indian Evidence Act for electronic records from 1 July 2024.
3. Device forensics: If you can demonstrate via mobile GPS logs, Google Timeline exports, Apple Location Services data, or telecom tower dumps that you were physically elsewhere during the fraud window, this constitutes strong alibi evidence. Forensic experts can extract and certify this data while maintaining chain-of-custody as required under the BNSS 2023.
4. Synthetic fingerprint examination: If police seize synthetic fingerprint molds or gelatin lifts from the suspect or the kiosk, FSL analysis can compare the mold composition with latent prints on surfaces you touched (glass, mobile screen). This helps establish the cloning method.
Citizen tip — Engage a CERT-In empanelled forensic lab early. A private lab report carries significant weight if the expert testifies in court. Budget for comprehensive forensic analysis when the loss is large.
5. CCTV footage: Footage from the fraudulent kiosk showing someone other than you performing the authentication, or footage from your actual location proving alibi, is compelling. Request police to secure footage quickly, as many systems overwrite recordings within a few weeks.
6. Expert testimony: Courts recognize testimony from certified forensic examiners. Prepare your expert to explain fingerprint cloning techniques, sensor vulnerabilities, and authentication-log anomalies in plain language.
Under the Bharatiya Sakshya Adhiniyam 2023, section 39, courts may rely on the opinion of an examiner of electronic evidence and on expert opinion in matters of science. Fingerprint cloning falls under “science,” so a qualified expert's report is admissible where the methodology is sound.
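The log-analysis patterns in item 2 above (authentications from distant locations within an impossibly short interval, and repeated failures followed by a sudden success) can be checked mechanically once UIDAI's logs arrive. The script below is an added example, not part of this guide or of any UIDAI or bank tool; it assumes a constructed, simplified CSV export (the column names, terminal IDs, AUA name, coordinates and the Pune/Kolhapur sample rows are all constructed for illustration), because the page does not specify UIDAI's real log format.

```python
# Added example, not part of the original guide: checks over Aadhaar
# authentication log entries for the two patterns the guide says support a
# cloning theory. The CSV layout, device IDs and coordinates are constructed;
# UIDAI's real log export format is not specified on the page.
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class AuthEvent:
    ts: datetime
    device_id: str
    aua: str
    lat: float
    lon: float
    status: str  # "SUCCESS" or "FAIL"


def parse_log(text: str) -> list:
    """Parse the constructed CSV export; return events sorted by time."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    events = [AuthEvent(datetime.fromisoformat(r["timestamp"]), r["device_id"],
                        r["aua"], float(r["lat"]), float(r["lon"]),
                        r["status"].strip().upper()) for r in rows]
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = 900.0) -> list:
    """Consecutive SUCCESS events that would need the resident to move faster
    than max_kmh. Returns (earlier, later, distance_km, implied_kmh) tuples."""
    hits = []
    succ = [e for e in events if e.status == "SUCCESS"]
    for a, b in zip(succ, succ[1:]):
        dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
        hours = max((b.ts - a.ts).total_seconds(), 1.0) / 3600.0  # avoid /0
        if dist / hours > max_kmh:
            hits.append((a, b, dist, dist / hours))
    return hits


def fail_burst_then_success(events, min_fails: int = 3,
                            window: timedelta = timedelta(minutes=10)) -> list:
    """Per terminal: at least min_fails consecutive FAILs within `window`,
    then a SUCCESS on the same terminal. Returns (device_id, fails, event)."""
    hits, by_device = [], {}
    for e in events:
        by_device.setdefault(e.device_id, []).append(e)
    for dev, evs in by_device.items():
        streak = []
        for e in evs:
            if e.status == "FAIL":
                streak.append(e)
                continue
            if len(streak) >= min_fails and e.ts - streak[0].ts <= window:
                hits.append((dev, len(streak), e))
            streak = []
    return hits


def unknown_devices(events, known: set) -> list:
    """Terminal IDs in the log that the resident says they never used."""
    return sorted({e.device_id for e in events if e.device_id not in known})


# Constructed sample: one genuine authentication in Pune, then three
# failures and a success ten minutes later from a terminal in Kolhapur.
SAMPLE_LOG = """timestamp,device_id,aua,lat,lon,status
2026-03-10T09:58:00,DEV-PUNE-01,BankA,18.5204,73.8567,SUCCESS
2026-03-10T10:05:00,DEV-KOL-07,BankA,16.7050,74.2433,FAIL
2026-03-10T10:06:00,DEV-KOL-07,BankA,16.7050,74.2433,FAIL
2026-03-10T10:07:00,DEV-KOL-07,BankA,16.7050,74.2433,FAIL
2026-03-10T10:08:00,DEV-KOL-07,BankA,16.7050,74.2433,SUCCESS
"""
```

The 900 km/h and three-failures-in-ten-minutes thresholds are illustrative starting points that a forensic examiner would tune to the case; the output of such a script supports, but does not replace, the expert report the courts require.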
To,
The Station House Officer,
[Name] Police Station,
[City, State]

Subject: FIR for Fingerprint Cloning Fraud — Offences under BNS 2023 Sections 318(4), 319 and IT Act 2000 Sections 66C, 66D

Sir/Madam,

I, [Your Full Name], aged [Age], residing at [Full Address], Aadhaar No. XXXX XXXX [Last 4 digits], hereby lodge a formal complaint regarding fraudulent withdrawals from my bank account using cloned fingerprints.

**Facts of the Case:**

1. I hold Savings Account No. [Account Number] with [Bank Name], [Branch Name], linked to my Aadhaar.
2. On [Date], I discovered unauthorized debits totaling ₹4,20,000 (Rupees Four Lakh Twenty Thousand) from my account through Aadhaar-enabled Payment System (AePS) transactions.
3. The fraudulent transactions occurred on [Date 1], [Date 2], and [Date 3] at an AePS kiosk operated by [Business Correspondent Name or "Unknown BC"], located at [Kiosk Address or District].
4. Transaction IDs: [List all IDs from bank statement].
5. I did not authorize these transactions. During the fraud window ([Time Range]), I was physically present at [Your Actual Location], as evidenced by [Office attendance/CCTV/Mobile GPS logs].
6. I immediately locked my Aadhaar biometrics via the m-Aadhaar app on [Date Time] and notified [Bank Name] on [Date Time].
7. Investigation reveals that my fingerprint data was unlawfully cloned using synthetic biometric technology and misused to impersonate me before the banking system.

**Offences Committed:**

- BNS 2023 Section 318(4): Cheating and dishonestly inducing delivery of property — impersonating me to induce the bank to release funds.
- BNS 2023 Section 319: Cheating by personation — wrongful use of my biometric data to impersonate me.
- IT Act 2000 Sections 66C and 66D: Identity theft and cheating by personation using a computer resource — using synthetic biometric identifiers to access Aadhaar-linked systems.

**Evidence:**

1. Bank statement showing unauthorized debits (attached).
2. m-Aadhaar biometric lock confirmation (screenshot attached).
3. Mobile location history proving I was at [Location] during fraud (attached).
4. Complaint to [Bank Name] dated [Date] (copy attached).
5. National Cyber Crime Portal acknowledgment [Number] dated [Date] (attached).

**Prayer:**

I request you to:

1. Register an FIR under BNS 2023 Sections 318(4), 319 and IT Act 2000 Sections 66C, 66D.
2. Seize the AePS device and BC records from [Kiosk Address].
3. Obtain CCTV footage from the kiosk and my actual location.
4. Issue notice to UIDAI under BNSS 2023 Section 94 for authentication logs.
5. Send seized materials to State FSL for liveness detection analysis.
6. Investigate and arrest the accused.

I am available for further statements and evidence submission.

Date: [Date]
Place: [City]

[Your Signature]
[Your Name]
[Mobile Number]
[Email Address]
Submit this letter to UIDAI via the grievance portal or registered post:
To,
The Regional Officer,
Unique Identification Authority of India (UIDAI),
[State] Regional Office,
[Address]

Subject: Request for Authentication Logs and Fraud Flagging — Fingerprint Cloning Fraud

Sir/Madam,

I, [Your Full Name], Aadhaar No. XXXX XXXX [Last 4 digits], Mobile [Registered Mobile], hereby request my authentication logs and ask that my Aadhaar be flagged for enhanced monitoring due to fingerprint cloning fraud.

**Details:**

1. Unauthorized AePS transactions totaling ₹4,20,000 occurred between [Start Date] and [End Date].
2. FIR No. [Number] dated [Date] registered at [Police Station] (copy attached).
3. Fraudulent transaction IDs: [List].
4. I have locked my biometrics via m-Aadhaar on [Date Time].

**Request:**

Please provide:

1. Complete authentication logs for my Aadhaar from [30 days before fraud] to [Date].
2. Device IDs, location data, timestamps, and AUA names for all authentication attempts.
3. Details of any flagged or suspicious activity on my Aadhaar.
4. Flagging of my Aadhaar for enhanced monitoring under the Aadhaar (Authentication) Regulations.

I declare that this request is made in good faith for fraud investigation and recovery.

Date: [Date]
Place: [City]

[Your Signature]
[Your Name]
[Mobile Number]
[Email Address]

Attachments:

1. Copy of FIR
2. Copy of Aadhaar (front side, masked)
3. Bank statement showing fraudulent transactions
Warning — Do not share full unmasked Aadhaar copies via unencrypted email. Use password-protected PDFs or upload via UIDAI's secure portal only.
Cloning a fingerprint from a photograph is possible in principle. High-resolution images of fingers (for example, close-up “peace sign” photos) can sometimes be processed to extract fingerprint ridge patterns, and security researchers have demonstrated that high-resolution cameras can capture enough detail for limited cloning. As a precaution, avoid posting high-resolution close-ups of your fingers on public platforms. In practice, however, cloning still requires specialized equipment and materials, so most fraud involves physical lifting from surfaces or corrupt insiders at enrollment or correspondent agencies.
No, the lock is reversible. You can unlock biometrics anytime via m-Aadhaar or the UIDAI portal using OTP authentication. Locking prevents fingerprint and iris authentication but does not affect OTP-based authentication, virtual ID usage, or demographic updates. UIDAI recommends locking biometrics when not actively using AePS or e-KYC services and unlocking only when needed.
Under the RBI customer-protection framework on unauthorised electronic banking transactions (RBI circular dated 6 July 2017), the burden of proving customer liability lies on the bank. Once you establish a prima facie case through your FIR, alibi, and forensic evidence, the bank must show either that you were negligent (for example, that you shared your Aadhaar, PIN, or otherwise consented) or that the loss did not arise from a third-party breach in its system. Because many AePS devices lack liveness detection, banks often find it difficult to discharge this burden, which improves your prospects of a refund.