My article on the Bank of Maharashtra (BOM) UPI fraud, in which I had expressed the opinion that NPCI and RBI also bear some responsibility, elicited some off-the-record remarks from NPCI and from a senior technical member of another Bank. Their main contention was that the BOM Core Banking System (CBS) interacts with the BOM-UPI system, which in turn interacts with NPCI, and that in this instance the miscommunication was between the BOM-CBS and the BOM-UPI interface. Hence they argue that NPCI was not in a position to know whether the transaction had genuinely been cleared by the CBS or not. It is also stated that the BOM-UPI interface belongs to BOM, and hence BOM has to assume complete responsibility for the transaction and NPCI cannot be held liable.
I suppose that this is the structure of communication used, and if so, it may be technically correct to consider that NPCI was not in a position to find out whether the transaction had been cleared at the back end between the BOM CBS and BOM UPI systems.
That apart, we should discuss some additional aspects of how the system was adopted between NPCI and BOM without end-to-end testing, so that a faulty sub-system became part of the whole system operating between a customer of the Bank and the intended payee.
It is possible that the technical persons in NPCI as well as in BOM were focussing only on how the UPI interface of BOM interacts with the UPI interface at NPCI, and tested only the technical aspects involved in this exchange of data.
The technical persons forgot that what the UPI interface of BOM was communicating to NPCI was whether a certain amount of money had been debited to a certain account and the debit had been passed by the Banking officials.
Here was a banking transaction bound in law. Had it been a cheque transaction, the Negotiable Instruments Act 1881 (NI Act), as amended in 2002, would require that the payment be a “Payment in Due Course”. Even in this case of e-instructions substituting for the cheque transaction, it is essential that the payment from the BOM CBS system be a “Payment in Due Course” or its equivalent. If not, the Paying Bank may be liable for the fraud. At the same time the Collecting Bank (to which the money was credited on behalf of the payee) should also fulfill responsibilities similar to those contained in Section 131 of the NI Act for the collection of cheques, which should be taken care of by the technology team configuring the UPI app at that end.
Without satisfying the legal requirements of the NI Act, or its equivalent, the transaction cannot be considered as legally complete.
In the digital payment transaction, between the Paying Bank and the Collecting Bank, there is NPCI as a clearing agency. It is an intermediary which instructs both the Paying Bank and the Collecting Bank on what they should do to complete the banking transaction using the UPI interface.
As an intermediary, NPCI has its own responsibilities under ITA 2000/8 besides some immunity derived under the Payment and Settlements Act.
NPCI should have supplied APIs to the different Banks along with instructions on how they may be configured at the respective Banks and linked with their own CBS systems. If the API belongs to NPCI, then NPCI is also responsible for ensuring that it is compatible with the different CBS systems that may be in use at different Banks.
It appears from this BOM incident that the UPI interface as built by BOM was not functioning properly and hence its instructions to NPCI were unreliable. But NPCI did not know this, because it had not tested the “transactions” from the banking perspective and was satisfied with testing only the technical connectivity within one section of the transaction.
In this type of transaction, the transaction originates from one mobile using a UPI app and the digital instruction travels to NPCI, then on to the paying Bank, comes back, and is communicated by NPCI to the sender. In the case of successful transactions, information is also sent to the intended payee’s mobile app and his bank’s UPI interface. The authentication system used in each segment of the transaction may not conform to the legal standards required by Indian law; it rides only on a technical belief that nothing will go wrong.
The way the UPI system developed, it may be argued that NPCI is the owner of the system and has enrolled the Banks as members to use the platform. Therefore, the responsibility for the integrity of the platform lies more with NPCI than with the Banks. Even if, in the case of individual Banks’ UPIs, there is a possibility for NPCI to shift the responsibility to the Banks, at least in the case of BHIM it is clear that NPCI is the lead institution and the others are supporting organizations.
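To make the gap between “connectivity tested” and “transaction tested” concrete, here is an added example (not code from the original post, from NPCI or from any bank), in Python: a toy model of the three legs described above (a central switch, a bank-side UPI interface and the core banking ledger) in which the bank-side interface can be made to report SUCCESS without a posted debit, together with a reconciliation check that catches exactly that. The class names, message fields and account numbers are assumptions for illustration, not real UPI or CBS interfaces.

```python
"""Simulated UPI transaction legs with an end-to-end reconciliation check.

Added example, not code from the original post, NPCI or any bank. Class names,
message fields and account numbers are constructed for illustration; real UPI
and CBS message formats are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class CoreBanking:
    """Stand-in for a bank CBS: the ledger of record for account balances."""
    balances: dict
    posted: list = field(default_factory=list)  # debits that were actually posted

    def debit(self, account, amount, txn_id):
        """Post a debit only if funds exist; return whether it was posted."""
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        self.posted.append((txn_id, account, amount))
        return True


class BankUpiInterface:
    """Bank-side UPI interface sitting between the CBS and the switch.

    `faulty=True` models the failure mode discussed in the post: the interface
    reports SUCCESS to the switch regardless of what the CBS actually did.
    """

    def __init__(self, cbs, faulty=False):
        self.cbs = cbs
        self.faulty = faulty

    def handle_debit(self, msg):
        posted = self.cbs.debit(msg["payer"], msg["amount"], msg["txn_id"])
        status = "SUCCESS" if (posted or self.faulty) else "FAILED"
        return {"txn_id": msg["txn_id"], "status": status}


class Switch:
    """Stand-in for the central switch: routes the debit request, keeps a log."""

    def __init__(self, paying_bank):
        self.paying_bank = paying_bank
        self.log = []  # (request, response) pairs as seen by the switch

    def pay(self, msg):
        resp = self.paying_bank.handle_debit(msg)
        self.log.append((msg, resp))
        return resp


def reconcile(switch, cbs):
    """Compare what the switch was told with what the CBS ledger actually posted.

    Returns the txn_ids that the switch recorded as SUCCESS but for which no
    debit exists in the ledger: the discrepancy a connectivity-only test never
    surfaces, because every message on the wire was well-formed.
    """
    posted_ids = {txn_id for txn_id, _, _ in cbs.posted}
    return [req["txn_id"] for req, resp in switch.log
            if resp["status"] == "SUCCESS" and req["txn_id"] not in posted_ids]


def run_scenario(faulty):
    """Two constructed instructions; the second exceeds the available balance."""
    cbs = CoreBanking(balances={"ACC-PAYER": 1000})
    switch = Switch(BankUpiInterface(cbs, faulty=faulty))
    for txn_id, amount in (("TXN-1", 600), ("TXN-2", 600)):
        switch.pay({"txn_id": txn_id, "payer": "ACC-PAYER",
                    "payee": "ACC-PAYEE", "amount": amount})
    return reconcile(switch, cbs)


if __name__ == "__main__":
    print("healthy interface, unreconciled:", run_scenario(faulty=False))
    print("faulty interface, unreconciled:", run_scenario(faulty=True))
```

With the healthy interface the reconciliation list is empty; with the faulty one it names the second transaction, which the switch was told succeeded although the ledger never debited it. The point is that the check compares two independent records (switch log and ledger), which is what a test from the banking perspective, rather than a connectivity test of one leg, has to do.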
Frauds can occur right from the downloading of the App by either of the two transaction parties, with possible malware infections at various levels.
It would not be possible for Banks and NPCI to consider that they do not have responsibility for technology-related frauds and that the customer should bear the cost of such frauds. Since the Government is behind the push for users to adopt digital payments, it is the responsibility of the Government and RBI to ensure that the system is safe and does not create a technology-based risk to the customers.
Technology persons, especially software developers, should understand that they are building software that substitutes for humans at different points of decision making, and unless they view the software from the perspective of the underlying transaction, and not as a few bytes of data passing in between, they will not be able to build secure applications. Applications that are tested only for functionality, without any regard to the underlying business transaction, are to be considered “Faulty ab-initio”.
Software developers who are used to releasing software with bugs and later on sending patches and holding the users responsible for not applying the patches in time cannot be called “Responsible Software Developers”.
Knowing the difficulties in technology, there are two things which software developers and their owners should do.
First, any software released to the public should first be put through an extensive field test. During this time, there should be a “Bug Bounty” program which attracts other specialists to pool their skills in cleaning up bugs. UPI did not go through this standard process.
Secondly, in financial transactions related software, the users must be protected by “Cyber Insurance” and part of the liability of the insurance premium must be borne by the software developers.
In the present instance, none of the players, whether the Banks or NPCI or the RBI or the Government, is concerned about the risks that a UPI user is exposed to. Banks are interested in their profits, RBI is powerless to regulate the Banks, and Government officials and politicians do not know what risk they are pushing into the system. Since the public love Mr Modi, they are adopting digital payment systems faster than they should and hence exposing themselves to greater and greater financial risk by the day.
By making NPCI as a giant universal gateway for financial transactions across India, a huge amount of financial risk has converged on the organization. In the event of a war or a major terrorist attack, NPCI may be rendered dysfunctional by our enemies and the Indian financial system may take a huge hit.
I am not convinced that technologists who do not have a holistic view of the transactions will be able to visualize all the risks in the system and take adequate action.
In the meantime, we the honest citizens of the country are left to keep praying to our favorite Gods that we may be spared from Cyber Crime risks, more so in the coming days when payments happen with our Aadhaar-registered biometrics.
One technology person complained that I am creating a “Scare” by exaggerating the risks. I do not agree. But even if it is so, it does not matter. Because I know that software developers suffering from “Technology intoxication” are likely to overspeed and cause accidents to passers-by while they themselves are protected behind sophisticated air bags. Somebody like us should therefore challenge them from time to time for the general good of society.
Naavi
Naavi, Excellent analysis.
I would like to add two points –
1. It was stated that the BOM-UPI app was creating two messages for the one (same) transaction – (a) one true message and (b) another false message. That means NPCI is getting 2 messages for the same transaction – one true and the other false. The true transaction goes through whereas the false one is rejected. Let us go further. Both these twin (Judwa-जुड़वाँ) transactions must bear the same (a) transaction number and/or (b) id number and/or (c) amount and/or (d) time and/or (e) source and/or (f) destination. Further, they came one after the other. NPCI could not identify this pattern. This means that NPCI does not have any transaction analysis or fraud monitoring module. The fraud monitoring module must be compulsory for this type of service by NPCI. If this is not planned, there is a high risk that many other things may also not be planned.
2. Let us compare this with UIDAI. One incident of Axis Bank and UIDAI has taken the step to re-audit all 350 AUA/KUA. UIDAI has a well defined process to on-board AUA/KUA, which includes support from UIDAI and KSA teams; validation and checking of the end-to-end process on a pre-production server with a minimum of 100 transactions, and then allowing the AUA to connect to the production server and provide services. They insist on certain minimum mandatory controls and certain recommended controls. UIDAI runs a fraud monitoring module at its end. Even with this, I believe UIDAI needs more controls.
I do not know NPCI processes, infrastructure, internal controls and the controls specified to connecting banks. But, on the face of it, it appears that the basic well defined on-boarding process is missing. This was also seen when BHIM was launched after demonetization in a hurry with many vulnerabilities.
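The twin-message pattern described in point (1) above is the kind of thing a switch-side monitoring module can detect mechanically. As an added example (not code from the original post or its comments, from NPCI or from any bank), the Python below pairs messages that share the fields a genuine and a false copy would have in common and arrive within a short window, and labels the pair as conflicting (different statuses) or as a plain duplicate. The field names, the 60-second window and the sample stream are constructed assumptions, not a real UPI message format or an NPCI rule.

```python
"""Twin-message detection over a stream of switch-side transaction messages.

Added example, not code from the original post, NPCI or any bank. The message
fields, the sample messages and the pairing window are constructed for
illustration and do not reflect any real UPI message format or NPCI rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# fields that a genuine and a false copy of one transaction would share (assumed)
KEY_FIELDS = ("txn_id", "amount", "source", "destination")
PAIRING_WINDOW = timedelta(seconds=60)  # assumed: twins arrive close together


def _key(msg):
    return tuple(msg[f] for f in KEY_FIELDS)


def find_twins(messages, window=PAIRING_WINDOW):
    """Flag messages that share the key fields and arrive within `window` of each other.

    Returns one alert per matched pair. A pair whose statuses differ (one
    SUCCESS, one FAILED) is marked 'conflicting'; an identical repeat is marked
    'duplicate'. Messages with the same key but outside the window are left
    alone, as a legitimate retry hours later would be.
    """
    seen = defaultdict(list)   # key -> messages already processed with that key
    alerts = []
    for msg in sorted(messages, key=lambda m: m["ts"]):
        key = _key(msg)
        for earlier in seen[key]:
            gap = msg["ts"] - earlier["ts"]
            if gap <= window:
                alerts.append({
                    "kind": "conflicting" if earlier["status"] != msg["status"] else "duplicate",
                    "txn_id": msg["txn_id"],
                    "statuses": (earlier["status"], msg["status"]),
                    "gap_seconds": gap.total_seconds(),
                })
        seen[key].append(msg)
    return alerts


def _msg(ts, txn_id, amount, status, source="BANK-A", destination="BANK-B"):
    """Build one constructed message record from an ISO-8601 timestamp."""
    return {"ts": datetime.fromisoformat(ts), "txn_id": txn_id, "amount": amount,
            "status": status, "source": source, "destination": destination}


# constructed sample stream (not real traffic)
SAMPLE_STREAM = [
    _msg("2017-01-10T10:00:00", "TXN-A", 500, "SUCCESS"),
    _msg("2017-01-10T10:00:02", "TXN-A", 500, "FAILED"),   # twin with conflicting status
    _msg("2017-01-10T10:00:10", "TXN-B", 250, "SUCCESS"),
    _msg("2017-01-10T10:01:00", "TXN-C", 900, "SUCCESS"),
    _msg("2017-01-10T10:02:00", "TXN-D", 100, "SUCCESS"),
    _msg("2017-01-10T10:02:05", "TXN-D", 100, "SUCCESS"),  # exact repeat within the window
    _msg("2017-01-10T10:05:00", "TXN-C", 900, "SUCCESS"),  # repeat outside the window: not flagged
]

if __name__ == "__main__":
    for alert in find_twins(SAMPLE_STREAM):
        print(alert)
```

On the sample stream this raises two alerts: a conflicting pair for TXN-A and a duplicate for TXN-D, while the TXN-C repeat four minutes later is ignored. In a real monitoring module the window and the key fields would be tuned to the actual message format, and a conflicting pair would normally hold the transaction for review rather than let the later message decide the outcome.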
Excellent analysis Sir, appreciate it.
Security must be a ‘habit’ and must NEVER be called as ‘scare mongering’.
Software developers hardly understand “Functional Testing” & “security testing” and most of the time they mistake them for one and the same.
Any app that is to be launched or launched MUST be first rigorously tested by experts and even after that public programs like “BugBounty” must be in place. This will keep a check on all the developers and the security testers involved in security testing the applications for developers/clients.
Security is mistaken and has been limited to Anti Virus Solutions / Firewalls / UTM devices… The application execution logic here plays the role that can ‘make’ or ‘break’ the application especially for the sensitive applications like these.
Before jumping hastily on the “DIGITAL INDIA CHORUS”, the need for proper security has to be put in order. And yes.. security won’t work as a ‘retrofit’.. it just buys you some more time before it gets bypassed again, and worse next time.
And last but not least, the point (1) raised by Dr. Rakesh Goyal is just eye opening. Really surprising. Hope NPCI gets serious and its interface for payments always authenticates the requests before it processes the payment.