Once again fraudsters take advantage of loopholes in BHIM and UPI

Two people, including a former Axis Bank employee, have been arrested on charges of financial fraud for stealing Rs 45 lakh from nine Axis Bank customers by taking advantage of the loopholes in the Bharat Interface for Money (BHIM) app and the Unified Payments Interface (UPI) payments system, reports The Times of India. The report mentions that the perpetrators first extracted customers’ 16-digit debit card number, expiry date, mobile number and address. Using this information they filed a fake lost SIM card complaint at a police station, following which they approached the telecom company with a copy of the police complaint and placed a request for a new SIM card.

Since the perpetrators had all the requisite information, a new SIM card would be issued, which automatically invalidated the old SIM card and stopped it from working. They would then insert the new SIM in a phone, download the BHIM app, enter the debit card number, and receive the OTP on the registered number to steal money.

Apparently, 240 such transactions worth Rs 45 lakh were performed over 40 days.
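The chain described above (SIM reissue, then a fresh app registration, then debits) can be watched for on the bank's side. The following is an added example, not part of the original report or any NPCI or bank system: it assumes a hypothetical telecom SIM-change feed and hypothetical UPI event names, and a 72-hour cooling period chosen only for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy value: how long a device registered right after a SIM
# reissue stays restricted. Not taken from the article.
COOLING_PERIOD = timedelta(hours=72)

# Constructed sample events (not real data): (time, customer, event, device).
# "sim_reissued" is assumed to come from a telecom SIM-change feed; the other
# two event types are assumed to come from the bank's own UPI logs.
EVENTS = [
    ("2017-05-01T10:00", "cust-A", "sim_reissued", None),
    ("2017-05-01T11:30", "cust-A", "upi_device_registered", "dev-new"),
    ("2017-05-01T11:45", "cust-A", "upi_debit", "dev-new"),
    ("2017-05-02T09:00", "cust-B", "upi_device_registered", "dev-b2"),
    ("2017-05-02T09:10", "cust-B", "upi_debit", "dev-b2"),
    ("2017-05-06T12:00", "cust-A", "upi_debit", "dev-new"),
]


def review_events(events, cooling=COOLING_PERIOD):
    """Return (time, customer, reason) alerts for the SIM-reissue chain."""
    last_reissue = {}      # customer -> time of most recent SIM reissue
    restricted_until = {}  # (customer, device) -> end of cooling period
    alerts = []
    for ts, cust, kind, device in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "sim_reissued":
            last_reissue[cust] = when
        elif kind == "upi_device_registered":
            reissued = last_reissue.get(cust)
            # A new app registration shortly after a SIM reissue is the
            # pattern in the report: restrict the device and raise an alert.
            if reissued is not None and when - reissued <= cooling:
                restricted_until[(cust, device)] = when + cooling
                alerts.append((ts, cust, "new device registered after SIM reissue"))
        elif kind == "upi_debit":
            limit = restricted_until.get((cust, device))
            if limit is not None and when < limit:
                alerts.append((ts, cust, "debit from restricted device: hold for review"))
    return alerts


if __name__ == "__main__":
    for alert in review_events(EVENTS):
        print(alert)
```
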

This troubling news comes at a time when, as per data published by the National Payments Corporation of India (which owns and operates payments systems such as UPI and IMPS): a) UPI saw a 31% growth in the total transaction volumes between April 2017 and May 2017, while the amount transacted increased by 23% on a monthly basis to Rs 2,765.3 crore, b) the BHIM app saw a transaction volume of 2.49 million for the month of March and transactions worth Rs 823.1 crore, accounting for 40.16% of all UPI transactions processed and 34.44% of the total value of transactions in March.

Bank of Maharashtra case


This isn’t the first instance of a UPI fraud either: In March this year, Bank of Maharashtra filed an FIR with the police in Pune against 50 people for illegally pulling money using the UPI app and causing a loss of Rs 6.14 crore to the bank. The fraudsters sent multiple ‘collect money’ requests of up to Rs 1 lakh each over a period of 48 days to accounts held with Bank of Maharashtra through UPI. At the time, co-founder of iSpirt and governing council member, Sharad Sharma had told MediaNama that “this was an issue with the bank and its core banking system. Due to this bug, payments would have been possible from an account not having balance through multiple payment systems apart from UPI. In effect, this isn’t a UPI issue.”

In fact, the NPCI had issued a statement in light of the Bank of Maharashtra case that there was no vulnerability or loophole in the BHIM and the UPI system. It said that:

NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure. The environment in which BHIM or UPI is run by NPCI is highly secure and certified with best global practices like PCI DSS ISO 27001. The packages have also been audited by reputed IT security firms. NPCI has put in place adequate governance mechanism for banks to report any fraud or system issues and its redressal.

Well, looks like NPCI will be engaged in more “intensive testing” following the latest instance of exploitation of weaknesses in the UPI system.

Also Read: Whose refunds is it anyway: A look at UPI’s underprepared redressal mechanism

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
