|Unified Payments Interface (UPI)|
The Unified Payments Interface (UPI) may not be as safe as the government has said it is. Citing police sources, Mail Today on Tuesday reported that criminals were exploiting loopholes in the UPI mobile app to steal money from banking customers.
Digital security concerns have assumed greater importance as the Modi government steers India towards a less-cash, digital economy. The UPI, being one of the foundation stones of such an endeavour, needs to be airtight when it comes to security. However, according to the report, cops say that the new trend among cybercriminals is to fraudulently withdraw money by gaming the UPI system and exploiting its weaknesses.
How does the crime take place
According to police sources cited by the report, the criminals are tipped off about potential target accounts by bank officials, who pass on their client information in the form of screengrabs over apps such as WhatsApp.
The leaked information consists the bank customer's name, address, account and card details, PAN number and mobile number. The colluding bank officials get paid based on the data they provide.
Subsequently, the cited police sources explain, the criminals contact their intended target while posing as telecom operators and ask him or her to apply for a 4G SIM free of cost. Once the customer sends an SMS to the operator authorising such a SIM upgrade, the crooks collect a 4G SIM and have it activated in the target's name.
What happens next? According to the source cited by the report: "Mostly, our banking accounts are linked to our mobile number. All the notification, password and pin reset details are received on the phone. So, as soon criminals get access to a new mobile SIM, they download UPI or the BHIM app and fill the banking details which they have already gathered and start transferring money."
The crucial loophole here is the lack of verification or know-your-customer procedures involved in such SIM upgrades.
From no vulnerabilities to leaking vessel?
In March this year, the National Payments Corporation of India (NPCI) had assured that there was "no vulnerability of loopholes" reported in the Bharat Interface for Money or the UPI applications.
"We have done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure," NPCI Managing Director and CEO A P Hota had said.
In fact, Hota had said that the environment in which UPI is run by NPCI was highly secure and certified with best global practices like PCI DSS ISO 27001. Furthermore, it had been audited by reputed IT security firms.
Despite such reassurances, in January this year, the Times of India had reported that police in Aurangabad, Gujarat, had booked hree people on charges of illegally transferring money from Bank of Maharashtra to a private bank via the UPI app.
Speaking to the national daily, the investigating officer in the case had said, "The case is sensitive in nature and the alleged cheating has been committed by using loopholes in UPI, which is newly introduced and most advanced form of digital payment." Bs