The government-launched payments apps UPI and BHIM may be vulnerable to security glitches and banks have witnessed instances of fake transactions, sources tell Moneycontrol.
They say that the apps, launched with much fanfare amid the government's drive to promote cashless payments, have witnessed "fake transactions" -- most of which, however, are of low value.
"The loss isn’t big yet,” said a person aware of the development, adding that most banks are not reporting such cases.
“Bank of Maharashtra has reported it, the private banks who have been victims have not reported about it,” the person said, adding that gaps were likely to be at the software company level which may have developed the application for the respective banks.
United Payments Interface and Bharat Interface for Money or UPI and BHIM are mobile applications developed by the National Payments Corporation of India (NPCI) to facilitate bank-to-bank fund transfers on smartphones, using phone numbers linked to banks.
BHIM app is linked to over 30 banks while over 15 banks are using the UPI app. In January, just a week after the launch of BHIM app, there were reports of bug and unknown money transfer requests to bank customers.
A week ago, state-owned Bank of Maharashtra (BoM) filed a First Information Report with the police in Pune against 50 people for illegally pulling money using the UPI app and causing a loss of Rs 6.14 crore to the bank.
Two other private banks are also said to have witnessed some breaches but have not reported. The names of the banks could not be identified.
In BoM’s case, fraudsters are said to have exploited a coding flaw in the UPI app developed by Mumbai-based Infrasoft Technologies.
The 50 accused sent various money transfer requests of up to Rs 1 lakh each over a period of 48 days to accounts held with BoM through UPI.
An Infrasoft spokesperson said, “Banks have reported losses from December 1 but we got to know about it on January 18. There is a “collect money” feature on UPI which was used by fraudsters who opened fake accounts using fake SIM cards…The investigation is on and more details should be out soon.”
To approve the requests, two messages were sent to NPCI which is the clearing agency – one success and another error message. NPCI approved transactions based on the success message which was sent first,” the spokesperson added.
ICICI Bank, Axis Bank and Kotak Mahindra Bank spokespersons have denied any existence of malware or fake transactions observed on their respective UPI applications. HDFC Bank did not respond to emails sent.
Mails sent to NPCI failed to get a response.
According to a security agency expert, “The flaw is unlikely with the NPCI. It has tight security standards and guidelines. However, since the app is evolving, banks need to beef up their internal and outsourced services as we cannot afford to be lax at any level while pushing digital channels for transactions to the public.”