Unified Payments Interface (UPI) has emerged as a popular payment option over the last few years. Sadly, it inherits several architectural and user-interface flaws that scamsters now widely exploit to target less aware users through social engineering. The bank authorizes a UPI payment request originating from a Virtual Payment Address (VPA) with a 4- or 6-digit MPIN. A VPA can be created from the phone number linked to a bank account, and the MPIN is set using the last six digits of the debit card number together with that phone number (which receives the one-time password). Any number of VPAs can be created for the same bank account, and there is no way for a user to prevent the creation of a new VPA, or the authorization of requests from it, once somebody has access to the user's mobile number and the last six digits of the debit card. Unlike the CVV, those six digits are not always treated as private information.

The security of the UPI apps on the market is often worse still, the BHIM app included. If a user changes the mobile number registered with a bank account, some apps, BHIM among them, retain access to that account on the old phone number unless the account is manually deleted. All of this creates room for fraudsters: social engineering over phone calls, SIM swaps, collecting the last six digits of card numbers, and so on.

The confusion that ordinary users face in telling the Send (pay) option apart from the Request (collect) option in the user interface is a serious issue. Various news reports point out how fraudsters have misused this confusion to collect money from online sellers on Facebook pages, OLX and the like: the fraudster sends a payment collection request instead of a payment, and the seller, expecting to receive money, approves the request with the MPIN and pays out instead. Combined with social-engineering skills, this results in monetary loss for the seller. The absence of interface localization, together with non-standardized technical terms in Indian languages, makes the situation more complex.

QR Payments in Alipay App, China - Photo by Markus Winkler / Unsplash

Mobile phones are the first computing device in the hands of many Indians. A request to install a specific app, on the pretext of helping to resolve a payment problem, gives the fraudster remote access to the device and ends in a takeover of the victim's financial identity. Such frauds are increasing day by day.

As of now, UPI is a closed, proprietary and private set of access-restricted APIs, available only to NPCI member banks and their authorized partners. It gives no agency to the most vulnerable stakeholders in the cashless space, the users of UPI. One way to ensure the success of UPI would be to open up the UPI technology stack as free and open-source software for public scrutiny, and to ensure that implementations follow consumer consultation. This would let free and open-source technology communities point out critical vulnerabilities before new versions are rolled out. Today UPI does not even have a public bug tracker for reporting security issues, including the ones I mentioned above. The result of a closed, very private system will be bugs, more bugs, and scammers exploiting them. As more first-time users step into UPI apps for convenience, ensuring the financial security of Indians in the cashless space is the responsibility of NPCI and the Government of India.

[Prepared at the request of a print newspaper in the first week of February 2020, for a series they planned on UPI scams; the series was never published.]
