Home » , , , ,

NPCI and iSpirt say glitches in a bank’s UPI app caused fraudulent transactions

Share on Facebook0Tweet about this on TwitterShare on LinkedIn14Email this to someone

The National Payments Corporation of India (NPCI) and iSpirt sought to allay fears of the recent fraudulent transactions on the Unified Payments Interface (UPI). Both the NPCI and iSpirt said that the fraudulent transactions were due to glitches in Bank of Maharashtra’s UPI application.

Moneycontrol reported that Bank of Maharashtra filed a First Information Report (FIR) with the police in Pune against 50 people for illegally pulling money using the UPI app and causing a loss of Rs 6.14 crore to the bank. The report added that frauds sent multiple ‘collect money’ requests of up to Rs 1 lakh each over a period of 48 days to accounts held with Bank of Maharashtra through UPI.

One of the key features of the UPI is that merchants and users can initiate a collect request for payments.

“As far as we know, there was an internal issue with Bank of Maharashtra where they allowed a customer to send money to another account, even if the source account did not have balance, Sharad Sharma, co-founder of iSpirt and governing council member told MediaNama in an email. The UPI is a part of the IndiaStack which was developed by the members of iSpirt.

“This was an issue with the bank and its core banking system. Due to this bug, payments would have been possible from an account not having balance through multiple payment systems apart from UPI. In effect, this isn’t a UPI issue. Bank of Maharashtra is rectifying the situation,” Sharma added pinning the issue to the bank.


Meanwhile, the NPCI issued a statement that there was no vulnerability or loophole in the Bharat Interface for Money (BHIM) and the UPI system.  “NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure. The environment in which BHIM or UPI is run by NPCI is highly secure and certified with best global practices like PCI DSS ISO 27001. The packages have also been audited by reputed IT security firms. NPCI has put in place adequate governance mechanism for banks to report any fraud or system issues and its redressal,” the NPCI added.

Note that there are still structural issues on the payment system and many transactions are failing and customers have not been able to get refunds to their bank accounts. The problem is exacerbated by the fact that there is no API for refunds from banks at the moment.

Whitelisting merchants 

Note that the UPI is said to be developing a mechanism for verifying merchant virtual payment addresses (VPA). These addresses will have a tick mark next to them, similar to verified accounts on Twitter. This would help banks identify who is a merchant and whitelist them.  This would also allow users to decline collect requests from fraudulent virtual addresses which are similar to merchants.

BHIM linkages

The NPCI added that the BHIM app was downloaded 19.16 million times and 5.1 million customers were able to link their bank accounts to the app. The NPCI is also launching a drive backed by the government to link mobile numbers with their bank accounts. “Banks are expected to reach out to all their customers by various means and ensure universal acceptance of mobile banking services at the earliest,” AP Hota, MD and CEO of the NPCI added in a statement.

The second version of the UPI will integrate Aadhaar. Right now, UPI hasn’t got Aadhaar integration, even though the draft paper had detailed out that it would be using the Aadhaar to map out financial addresses on the UPI.

Share on Facebook0Tweet about this on TwitterShare on LinkedIn14Email this to someone
  • sketharaman

    Good job NPCI / iSpirt – I’m sure you’ve inspired Bank of Maharashtra to pass the buck for this fraud to its UPI app developer, which I believe is InfraSoft.

    • Shashidar KJ

      Well they did pass the buck, but frauds made away with the money. Just seems like the whole NPCI and iSpirt guys are making excuses for a shoddy system :P

      • sketharaman

        I wouldn’t go as far as to dismiss UPI as shoddy but, as I pointed out in my above comment, you can’t afford to be thorough when that would belie your claims to being disruptive, game-changing, blah blah blah.

        Going by BoM’s version of the root cause of the fraud, its UPI app debits BoM’s nostro account with RBI when payer’s account has insufficient balance to put through the transaction. Normally, under such a circumstance, the UPI app should disallow the transaction with an NSF error message.

        When I compare this situation with my experience with how similar systems are implemented overseas (e.g. FPS in UK), I’m amazed to see that dozens of bank UPI apps are allowed to access the scheme (UPI) without any evidence that they were pre-certified and / or pre-tested to work together by the scheme owner (NPCI). Maybe NPCI has plans to do this certification and “group hug” tests in the near future.

  • NPCI should study the incident and incorporate new security features and other measures which won’t allow such incidents in future.

    • sketharaman

      Unfortunately, that’s easier said than done. To be absolutely foolproof, a retail payment system needs many checks and balances. Unfortunately not all of them can be implemented when the said system has to work in realtime. This is an old problem and there are old solutions for it e.g. credit card network separates authorization and settlement from each other by doing only the former in realtime and operating the latter to T+2 basis. But when you want to tout your product as disruptive, game-changing, world’s first and stuff like that, good work done by others becomes an unwanted distraction and you tend to conveniently ignore it. Not to single out NPCI / iSPIRT – this is the standard operating procedure of most Indian startups that claim to be innovative.