Unified Payment Interface makes Mobile a better tool for financial frauds

Last week, the Reserve Bank of India proudly announced the launch of a “Unified Payment Interface” (UPI), hailed as the next giant leap in “Digital Payment System Innovation”.

UPI is expected to make our mobiles a universal instrument for all forms of payments including person to person (P2P) money transfers or Government to Citizen (G2C) or Business entity to Consumer (B2C) or Consumer to a Business entity (C2B).

UPI would be used not only to make a payment, where the person who wants to pay pushes money out of his account into a beneficiary’s account, but also to receive a payment, where the person who is owed money sends a “Pull Request” to the payer.

The “Pull” system has the potential to turn out to be a sinister system, like a collection agent digging into your pocket and taking out money. For example, one use of this would be the arrack supplier supplying arrack on credit and taking money out of the labourer’s account on pay day, before his family can lay its hands on it. The system can also be used by fraudsters to pull money through fraudulent transactions.

Under UPI, the National Payment Corporation of India (NPCI) will maintain a Central Repository of information on an individual’s Aadhar ID, his various Bank and Card details and mobile number. This would create a single point of access to an individual’s financial information, personal information and mobile information, so that all of this can be integrated to enable payment of money from one mobile owner to another. The mobile will become a universal KYC instrument, querying Aadhar for information and identifying itself through an OTP sent to the mobile.

In the proposed system, the Bank account becomes secondary and the mobile becomes the primary access point to your bank account. When you ask your mobile to pay, it will instruct your Bank. If you want to receive money from another mobile owner, you ask your mobile to collect the money and it will contact the other mobile and pull the money.

At first glance, the system appears attractive and in fact exciting for tech savvy persons. But in this rush to use the technology, the security of the citizen’s savings in the Banking system appears to have been completely ignored.

The mobile as an instrument, its operating system and its App environment are yet to mature from a security perspective. At present, there are numerous technical bugs that can be exploited by criminals when a mobile is used for financial transactions.

When the mobile is used as a KYC instrument through OTP, the neighborhood mobile store worker who sells SIM cards becomes an intermediary who can interfere in the process of new SIM card issue. This is a channel which is often exploited by criminals and terrorists to get fake SIMs and cloned SIMs.

When this unregulated channel is relied upon by Banks and the e-KYC system, the security of the entire ID process is subordinated to the KYC process of the Mobile service provider.

It is like your Airtel KYC verification agent becoming a Bank officer who approves your signature on an account opening form. He may be a glorified courier boy who can verify an address efficiently but does not understand the importance of KYC in financial transactions.

I am only highlighting the huge responsibility that the KYC agents are hoisted with and not trying to be disrespectful of the KYC agents presently operating in the scene.

A small example of the issues that come up when the mobile becomes the universal payment interface follows.

Let us say your friend walks up to you and asks for a loan. You say, sorry friend, I don’t have money.

If your friend says, “Yar, don’t bluff, I just saw you had a balance of 50,000/- in your account. You received a bonus yesterday, isn’t it?”, how would you feel?

You may keep wondering how on earth he came to know about your bonus.

Remember, in the current scenario, knowing one’s bank balance may be as simple as dialing *99# on a mobile (maybe your friend’s or spouse’s) and entering the first four characters of the IFSC code of the Bank (e.g. ICIC for ICICI Bank or UTIB for Axis Bank). This executes what is called a USSD code, and if the mobile is one of the registered mobiles for internet/mobile banking, it may give out not only the balance but also the last few transactions, without even asking for a PIN or password. (Try it on your mobile and check how readily it gives out your bank information.)

If anybody who gets temporary access to a mobile can know the bank balance of its owner, that is a serious breach of privacy and confidentiality of information. This is not only against established Banking tradition, but also a contravention of the legal provisions of the Information Technology Act 2000 and the constitutional right to privacy.

Under the UPI system, it is also envisaged that every user would be provided a “Virtual Address” which will be linked to all his accounts and would work as a universal ID for financial transactions.

For example, let us say your friend Ramesh is a customer of Axis Bank and has the ID Ramesh@axisbank, which is his virtual address for making payments into and out of the account. You send money to him occasionally through UPI using this virtual banking address. It is possible that another person holds the virtual financial address Ramesh@icicibank, and you may make an erroneous remittance.

More probably, a fraudster may use the contact list information which you have shared with an App and alter the virtual financial address from Ramesh@axisbank to Ramesh@icicibank. Once done, your next payment goes to the fraudster’s ICICI Bank account and not to your friend. Out of courtesy, your friend may never inform you, repeated payments may go to the fraudster, and even if it is found out later, the recipient may simply claim he was not aware that he was receiving money not belonging to him.

Yet another issue that UPI throws up is the risk in the facility to enable a receiver of money to “Pull” money from your account by sending a message through the mobile.

Nowadays it is common for apps to read incoming SMS messages without any intervention of the mobile owner (e.g. the auto-filling of OTPs in some mobile banking apps). When a “pull money” request comes into the mobile and asks for “permission”, it is possible that your mobile may simply grant the permission without you even knowing what is going on in the mobile.

If necessary, a fraudster will be able to send malicious code to extract your permission, say by first sending a message which says, “Hi, I want you to send some money through UPI. Shall I?”, and such a message may appear to come from one of your known contacts.

Most recipients will open such an SMS and may even reply if necessary, clicking a link which purports to send an automated reply: “Yes. You can send. My virtual address is ……”.

In the meantime a virus could have already been implanted into the mobile and all the Bank accounts or mobile wallets accessed through the mobile may be compromised.
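The two safeguards implied by the virtual-address substitution above and by the “pull money” permission problem can be shown in code. This is an added example, not code from the post or from NPCI: it assumes a hypothetical wallet app that pins each contact’s virtual address at first use (so a silent change to Ramesh@icicibank is caught) and that refuses any collect request unless the owner has actually entered the PIN; all names and the sample request are constructed.

```python
import hashlib
import hmac
import re

# Shape of a virtual address as described in the post: <handle>@<bank>, e.g. Ramesh@axisbank
VPA_RE = re.compile(r"^[A-Za-z0-9._-]{3,}@[A-Za-z0-9]{2,}$")


class PayeeChanged(Exception):
    """Raised when a contact's stored virtual address differs from the one now presented."""


class PayeeBook:
    """Records the virtual address seen for each contact at first use and refuses silent changes."""

    def __init__(self):
        self._pinned = {}  # contact name -> normalised virtual address

    def check(self, contact, vpa):
        if not VPA_RE.match(vpa):
            raise ValueError(f"malformed virtual address: {vpa!r}")
        vpa = vpa.lower()
        known = self._pinned.get(contact)
        if known is None:
            self._pinned[contact] = vpa
            return "first-use"  # caller should confirm the address with the contact out of band
        if known != vpa:
            raise PayeeChanged(f"{contact}: stored {known}, now presented {vpa}")
        return "ok"

    def reconfirm(self, contact, vpa):
        """Explicitly accept a new address after the owner has verified it with the contact."""
        self._pinned[contact] = vpa.lower()


def pin_digest(pin, salt):
    """Slow salted hash of the transaction PIN; only the digest is kept on the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def handle_collect_request(book, request, pin_salt, pin_hash, entered_pin):
    """Decide on a 'pull money' request. No PIN entered means refusal, never approval."""
    try:
        book.check(request["payee_name"], request["payee_vpa"])
    except PayeeChanged as exc:
        return f"rejected: payee address changed ({exc})"
    if entered_pin is None:
        return "rejected: no affirmative action by the owner"
    if not hmac.compare_digest(pin_digest(entered_pin, pin_salt), pin_hash):
        return "rejected: wrong PIN"
    return f"approved: {request['amount']} to {request['payee_vpa'].lower()}"
```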

Who would be responsible for such incidents?

Banks may say that the user should be aware of frauds and protect himself from them. But how practical is it to expect every mobile user, including the uneducated rural beneficiary of MNREGA and our own urban kith and kin who are not so tech savvy, to be aware of sophisticated mobile viruses and take care?

The Police will therefore have more challenging and perhaps frustrating complaints ahead of them, in the form of increased incidents of Mobile frauds, Mobile thefts and consequential frauds. Legal pundits would be sweating to prove a lack of due diligence on the part of the multiple intermediaries involved in the transaction, making it impossible for the victim of a cyber fraud to get a satisfactory legal remedy.

One safety feature which should have been an integral part of such a technology innovation is coverage of every user through a Cyber Insurance Scheme at the cost of the Bank. Unfortunately, this is nowhere in the consideration of either NPCI or the individual Banks.

It is regrettable to note that, although the risks cited above are easily foreseen, the RBI has failed, despite repeated demands, to make it mandatory for the Banks to provide a Cyber Insurance Cover to consumers against such frauds.

The need for such Cyber Insurance has also been brought to the notice of none other than the PM himself, and yet the importance of cyber insurance as an instrument of social security is yet to be appreciated by the Government promoting Digital India, a lapse which we may regret some time in the future.

In fact, both the RBI and the Banks are assuring us that the UPI system is secure, but this appears to be a false and misleading assurance given to promote the new system, and it needs to be challenged.

The time has come, therefore, for mobile users to take steps to ensure that their mobile is never out of their sight and that they do not give apps permission to respond automatically to incoming messages without an affirmative action on their part, such as pressing a confirm button and entering a PIN or a Password.

Also, Consumer Protection Organizations need to take the initiative, first in educating the public about the risks of mobile banking in the UPI scenario and then about the security measures they need to take. They should also press for the mandatory introduction of Cyber Insurance for all mobile based financial transactions, at the cost of the Banks or the Mobile app owners.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in Cyber Law.
