Update on August 8: NPCI said that it has stopped onboarding new Truecaller users on the UPI platform and an investigation into the matter is currently underway, in response (see below) to a letter sent by the Internet Freedom Foundation (IFF).
Earlier on August 6: Truecaller CEO Alan Mamedi said today that less than 0.12% of total monthly active users in India were affected by the “bug”, nearly a week after the Truecaller app started registering users for a UPI ID without their consent. In a statement, the company also said that this “mishap didn’t mean any sort of loss for the affected user, neither in terms of user’s data nor anything financial”. The company explained that the particular API which caused the problem was supposed to be initiated only for existing Truecaller Pay users who consented to sign up for it, but it triggered for a portion of users who were not already registered for payments. It added that this led to a “credential refresh which would eventually cause the UPI registration to be triggered inadvertently”.
To our Truecaller community: This is what happened last week with our thoughts, and way forward. pic.twitter.com/lNbq5Mgw6v
— Alan Mamedi (@AlanMamedi) August 6, 2019
Earlier on July 31: NPCI told MediaNama that the issue was an “enrolling mistake” by the Truecaller app without “customer consent”. It said that the customer can’t do any UPI [transaction] despite this issue. “For onboarding to UPI the customer has to still enter 2FA (issuer OTP and debit card), and set UPI pin. The workflow mistake is limited to enrolling which will not have any impact on any customer account whatsoever,” it added.
Earlier on July 30: This is disturbing: Truecaller created UPI IDs for several people without their knowledge or consent. The app’s latest version (10.41.6) automatically started the registration process for creating a UPI ID for multiple users. One Twitter user, @Codepodu, explained that his Truecaller app sent an encrypted SMS from his phone to an unknown number, following which ICICI Bank sent an SMS that read, “Your registration for UPI app has started”. Note that there are banks which work with UPI providers to enable the registration process, and you can have a UPI ID with a bank that you don’t hold an account with. UPI essentially unbundles the account ID from the bank with which you have an account. You could have an HDFC bank account and a UPI ID on PhonePe with Yes Bank.
IMPORTANT: Uninstall @Truecaller immediately. They sent an unauthorized SMS from my phone to UPI registration. I repeat, this SMS has gone FROM my inbox. If possible uninstall your @ICICIBank_Care app as well immediately. And of course I'm going to follow up with @NPCI_NPCI pic.twitter.com/LXB9BlGkzO
— Shilpa Rathnam (@shilparathnam) July 30, 2019
On being contacted by MediaNama, Truecaller first said that they had “discovered a bug” that affected the payments feature. Following that, they issued the following statement:
“The bug only affected a small fraction of Truecaller’s Android users in India. The rollout of the update was halted immediately after users reported the issue. Any users who have been registered for UPI services will automatically be deregistered at the back end. An updated version with the fix will be rolled out to all users soon.”
NPCI told MediaNama that it was aware of the issue with Truecaller and that it will take action against the app if it is found non-compliant:
“There was an issue in the app [Truecaller] observed today. We have been updated that last night’s migration had resulted in a bug in the workflow. We understand that it [is] being fixed and till then user on-boarding has been stopped in this app. NPCI ensures to take action if found non compliant”.
https://twitter.com/codepodu/status/1156070363249295361
Thread on how @Truecaller created a UPI ID for me, without my intervention. Maybe @nixxin can help how this could have happened.
Woke up to this message from ICICI Pay on an Android phone that I use only as a wifi hotspot when traveling. pic.twitter.com/yusI1ZYYKY
— Aashish Bansal (@Unbelted) July 30, 2019
Truecaller ‘bug’ bypasses 2 steps in UPI registration
The “bug” that Truecaller is referring to is overriding two steps in creating a UPI ID. I tried registering for a UPI ID using PhonePe and had to follow the following steps:
Step 1. I was asked to first select the bank account for which I wanted to create my UPI ID.
Step 2. Following that, the app displayed a ‘Validate Mobile Number’ message which asked for my consent if I wanted to use that particular phone number.
Step 3. Upon Validation, the app opened up the Messages app and requested that I send an SMS to register my UPI ID.
Step 4. After sending the SMS, the app displayed this message.
Step 5. Following verification, my UPI ID was created.
In Truecaller’s case, the app already has your validated mobile number, and the bug allows it to bypass two of the first three steps: selecting your bank account, and manually sending the UPI SMS. What is not clear here is the process through which a user’s bank account is being identified, and then selected.
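To make the failure mode concrete, here is an added illustration (constructed for this article, not Truecaller’s or NPCI’s code) of a consent-gated onboarding trigger. The buggy refresh path fires registration for every user; the hardened path only proceeds for an enrolled, consenting user who has completed bank selection, and records why it refused otherwise. `User`, `credential_refresh_buggy` and `credential_refresh_fixed` are hypothetical names.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    phone: str
    pay_user: bool                 # already enrolled in the payments product
    opted_in: bool                 # explicitly consented to payments sign-up
    bank_selected: bool = False    # completed the bank-selection step
    sms_sent: list = field(default_factory=list)  # outbound UPI SMS record
    audit: list = field(default_factory=list)     # decisions, for detection


def send_registration_sms(user: User) -> None:
    """Stand-in for the SMS the app triggers toward the UPI gateway."""
    user.sms_sent.append(f"UPI-REG from {user.phone}")


def credential_refresh_buggy(user: User) -> str:
    """Mimics the described fault: the refresh runs for every user and
    unconditionally kicks off registration, skipping bank selection and
    the consent-gated SMS step."""
    user.audit.append("refresh")
    send_registration_sms(user)
    return "registration_started"


def credential_refresh_fixed(user: User) -> str:
    """Hardened path: the refresh itself never implies consent. Registration
    only starts for an enrolled user who opted in and picked a bank; every
    refusal is written to the audit trail so an unexpected trigger is visible."""
    user.audit.append("refresh")
    if not (user.pay_user and user.opted_in):
        user.audit.append("denied:not_enrolled_or_no_consent")
        return "denied"
    if not user.bank_selected:
        user.audit.append("denied:bank_not_selected")
        return "denied"
    send_registration_sms(user)
    user.audit.append("registration_started")
    return "registration_started"


def compare(pay_user: bool, opted_in: bool, bank_selected: bool) -> dict:
    """Run both paths on identical users; returns outcome and SMS count each."""
    buggy = User("+91-0000000000", pay_user, opted_in, bank_selected)
    fixed = User("+91-0000000000", pay_user, opted_in, bank_selected)
    return {
        "buggy": (credential_refresh_buggy(buggy), len(buggy.sms_sent)),
        "fixed": (credential_refresh_fixed(fixed), len(fixed.sms_sent)),
    }
```

For a user who never signed up for payments, `compare(False, False, False)` shows the buggy path sending an SMS while the fixed path sends none and logs the refusal.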
Several people on Truecaller’s Google Play page have also highlighted the same problem in the review section, fearing that the app is accessing personal data and banking information.
Many reviews on playstore alleging the same behavior by @Truecaller app as alleged in the thread above. pic.twitter.com/bFqRtDdLkK
— Pratik Sinha (@free_thinker) July 30, 2019
NPCI’s response to IFF (PDF): https://www.medianama.com/wp-content/uploads/ToIFF-Truecaller-Concerns_6aug19.pdf
Updated on August 8, 2019 (10:17 am) with NPCI’s response (above). Originally published on July 30, 2019.