Unified Payment Interface introduced… New Threats unleashed…

The RBI has introduced the Unified Payment Interface that is expected to change the way the current payment systems especially over mobile wallets change…hopefully for the better.

NPCI (National Payment Corporation of India) has released the details of the architecture under which the system would function.

The UPI is expected to make it easy for transfer of money from and to a bank account merely on the basis of a virtual address. It is claimed that one need not disclose the bank account number to receive a payment but instead use a “Virtual Address” provided by the same Bank.

It is not clear in what way this will make security better. Using the Virtual address, e-commerce companies may be able to send a request for payment which in other words mean “Can dig into the Bank account”.

The system is completely dependent on the mobile network and uses the mobile ownership as the sole identity.  It appears that the system poses grave danger to the mobile users using mobiles for banking purpose.

If some body types *99# in a mobile, it spits out the Bank balance.  Money can also be instantly transferred to a known MMID.  This means that if a mobile device is stolen or given out to another person for a while, it can be used to transfer money from his Bank account.

NPCI has given some use cases to explain how useful is the system for a labourer to transfer money to his wife etc. It appears that NPCI is naive to believe that the system would be used only for genuine transactions. In fact, many of the less educated labourers can easily be cheated out of their savings by this dangerous system.

I am now trying to disable *99# accessing by bank balance. Alternatively, I need to de register my mobile from the ICICI Bank and forego the option of mobile banking.

( I observed that *99# did not work on my HDFC and Corporation Bank account but worked on ICICI Bank account)

Presently different Banks were using different e-wallets and the marketing claim is that UPI makes it easy to integrate all e-wallets. But it appears that it enables money to be siphoned off by fraudsters from all e-wallets.

I request RBI to put the system on hold before further damage is done.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.