The Unification of Fraud possibilities through UPI

The Unified Payment System launched by RBI on 12th April 2016 on a platform managed by National Payment Corporation of India (NPCI) poses a huge challenge to the security of public money held in Banks.

As we go forward, the Banking IDs and Mobile Wallet IDs  of individuals will get integrated into a single “Virtual Address” with which a person can push or pull monetary payment from others. At the back end NPCI will maintain a repository similar to the repository of Aadhar in which the mapping of different Banking accounts for a customer is maintained.

Conceptually the idea appears attractive and efficient, and the technology enthusiasts can boast of a break through in “Mobile as a Universal Payment Management Device” and Tax authorities can gloat over a “Cashless Society”.

However the risks in committing the national payment in introducing such a system on an immature technology such as a mobile platform where a large number of devices are supplied from China, known for planting  “Manchurian Chip” into Credit Card swiping equipments and “Planting of People” into companies in India are too huge from the National Security perspective.

It is unfortunate that, the risks of any compromise of security are boarne by the Citizens of India and neither NPCI nor the Banks can be trusted for protecting the consumer.

The various cases which are being fought in the country between Phishing victims and the Banks are a standing example of how common people are losing money every day and the Banks, supported by RBI and IBA flex their legal muscle to browbeat customers into bearing the loss.

The Government of India is also compromised under the influence of the Banking lobbies and the result is that Cyber Appellate Tribunal is not having a Chair person since 2011, consumer oriented Adjudicators such as Rajesh Agarwal of Mumbai and PWC Davidar of Chennai were shunted out from their positions. Adjudicators in Karnataka went a step ahead in twisting law to support the Banks against victims of fraud even taking on the legal department of the State and the Human Rights Commission. Some High Courts such as Karnataka were also unable to provide justice as they were blinded for whatever reason not to see through the games played by Banks to avoid their liabilities.

Our honourable Prime Minister  has also repeatedly ignored the call for mandatory introduction of “Cyber Insurance” to protect the insecure mobile payments and technology innovations in Banking. Poor Rahul Gandhi can only understand the plight of “Farmers” who form a vote bank and not the plight of victims of Bank frauds and hence there is no pressure on the Government to ask Banks why they donot have Cyber Insurance in place to protect consumer interest which was in fact made mandatory through the RBI’s Internet Banking guidelines in June 2011.

The CERT IN which should be concerned and the CCA which is the custodian of digital identity of Indians are part of the Ministry of Information Technology and donot have independent thinking. They support the technology initiatives without trying to fulfill their statutory obligations.

Overall the future of financial security in India appears to be grim.

It is common knowledge that when we travel, we donot keep all our cash in one single pocket because of the threat of the pick pocket. But NPCI thinks that keeping all our financial IDs under one “Virtual Address” is a great idea. Idea may be good but risks are being ignored.

When a mobile is being used as a universal financial ID, we must factor in the possibility of a mobile being stolen or at least compromised through malicious Apps. Has the NPCI considered this possibility where a mobile can be hijacked by a fraudster. If done, then the bank balance of persons across multiple Banks and limits under Credit cards are prone to be stolen. It has now become common practice for Apps to be designed with an ability to read “SMS” and thus the so called OTP sent to a mobile always gets back an automated reply back. How can this be called 2 factor authentication?.. without an affirmative consent from the mobile owner of the OTP? While the law in India wants digital signature, why is Government supporting OTP as a universal technology even to obtain a digital certificate under e-sign system?.. Opening  All this defies logic. Now top it all, we are opening the financial vault of an individual to execution of USSD codes.  I consider this as an unacceptable risk. But as a bank customer, the service and insecure banking has been forced on me.

The only logic that explains all this stupid acts of technologists and bureaucrats is that the global fraud industry is slowly taking over the Indian economy for commercial gains.

What is however more alarming is that one day this will explode as a “Cyber War” or a “Cyber Terror Attack” much before the Pak Nukes fall into the hands of AlQueda.

I hope the deaf bureaucrats in the Government who may actually be more patriotic than me but ignorant of the risks listen to these shouts and protect the National Security interests before getting blown over by presentations by technologists.

The only way out of this for the individual is to de-register mobile from my bank account, get back to cash transactions, use the good old mobile handset which is not smart but can meet my communication requirements… Yes, for the sake of securing ourselves from the insecurity spreading around us, we need to take a few steps back in technology use since we need to survive before we can enjoy life.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.