Two people, including a former Axis Bank employee, have been arrested on charges of financial fraud for stealing Rs 45 lakh from nine Axis Bank customers by taking advantage of the loopholes in the Bharat Interface for Money (BHIM) app and the Unified Payments Interface (UPI) payments system, reports The Times of India. The report mentions that the perpetrators first extracted customers’ 16-digit debit card number, expiry date, mobile number and address. Using this information they filed a fake lost SIM card complaint at a police station, following which they approached the telecom company with a copy of the police complaint and placed a request for a new SIM card.

Since the perpetrators had all the requisite information, a new SIM card would be issued, which automatically deactivated the old SIM card. They would then insert the new SIM in a phone, download the BHIM app, enter the debit card number, and receive the OTP on the now-hijacked registered number to steal money.

Apparently, 240 such transactions worth Rs 45 lakh were performed over 40 days.

This troubling news comes at a time when, as per data published by the National Payments Corporation of India (which owns and operates payments systems such as UPI and IMPS): a) UPI saw a 31% growth in total transaction volume between April 2017 and May 2017, while the amount transacted increased by 23% month on month to Rs 2,765.3 crore; b) the BHIM app saw a transaction volume of 2.49 million for the month of March and transactions worth Rs 823.1 crore, accounting for 40.16% of all UPI transactions processed and 34.44% of the total value of transactions in March.

Bank of Maharashtra case

This isn’t the first instance of a UPI fraud either: In March this year, Bank of Maharashtra filed an FIR with the police in Pune against 50 people for illegally pulling money using the UPI app and causing a loss of Rs 6.14 crore to the bank. The fraudsters sent multiple ‘collect money’ requests of up to Rs 1 lakh each over a period of 48 days to accounts held with Bank of Maharashtra through UPI. At the time, iSpirt co-founder and governing council member Sharad Sharma had told MediaNama that “this was an issue with the bank and its core banking system. Due to this bug, payments would have been possible from an account not having balance through multiple payment systems apart from UPI. In effect, this isn’t a UPI issue.”

In fact, the NPCI had issued a statement in light of the Bank of Maharashtra case that there was no vulnerability or loophole in the BHIM and the UPI system. It said that:

NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure. The environment in which BHIM or UPI is run by NPCI is highly secure and certified with best global practices like PCI DSS, ISO 27001. The packages have also been audited by reputed IT security firms. NPCI has put in place an adequate governance mechanism for banks to report any fraud or system issues and its redressal.

Well, looks like NPCI will be engaged in more “intensive testing” following the latest instance of exploitation of weaknesses in the UPI system.

Also Read: Whose refunds is it anyway: A look at UPI’s underprepared redressal mechanism