Update on August 8: NPCI said that it has stopped onboarding new Truecaller users on the UPI platform and that an investigation into the matter is currently underway, in response (see below) to a letter sent by the Internet Freedom Foundation (IFF).

Earlier on August 6: Truecaller CEO Alan Mamedi said today that less than 0.12% of total monthly active users in India were affected by the “bug”, nearly a week after the Truecaller app started registering users for a UPI ID without their consent. In a statement, the company also said that this “mishap didn’t mean any sort of loss for the affected user, neither in terms of user’s data nor anything financial.” The company explained that the particular API which caused the problem was supposed to be initiated only for existing Truecaller Pay users who consented to sign up for it, but it triggered for a portion of users who were not already registered for payments. It added that this led to a “credential refresh which would eventually cause the UPI registration to be triggered inadvertently”.

Earlier on July 31: NPCI told MediaNama that the issue was an “enrolling mistake” by the Truecaller app without “customer consent”. It said that the customer can’t do any UPI [transaction] despite this issue. “For onboarding to UPI the customer has to still enter 2FA (issuer OTP and debit card), and set UPI pin. The workflow mistake is limited to enrolling which will not have any impact on any customer account whatsoever,” it added.

Earlier on July 30: This is disturbing: Truecaller created UPI IDs for several people without their knowledge or consent. The app’s latest version (10.41.6) automatically started the registration process for creating a UPI ID for multiple users. One Twitter user, @Codepodu, explained that his Truecaller app sent an encrypted SMS from his phone to an unknown number, following which ICICI Bank sent an SMS that read, “Your registration for UPI app has started”. Note that there are banks which work with UPI providers to enable the registration process, and you can have a UPI ID with a bank that you don’t hold an account with. UPI essentially unbundles the account ID from the bank with which you have an account: you could have an HDFC bank account and a UPI ID on PhonePe with Yes Bank.

On being contacted by MediaNama, Truecaller first said that they had “discovered a bug” that affected the payments feature. They then issued the following statement:

“The bug only affected a small fraction of Truecaller’s Android users in India. The rollout of the update was halted immediately after users reported the issue. Any users who have been registered for UPI services will automatically be deregistered at the back end. An updated version with the fix will be rolled out to all users soon.”

NPCI told MediaNama that it was aware of the issue with Truecaller and that it will take action against the app if it is found non-compliant:

“There was an issue in the app [Truecaller] observed today. We have been updated that last night’s migration had resulted in a bug in the workflow. We understand that it [is] being fixed and till then user on-boarding has been stopped in this app. NPCI ensures to take action if found non-compliant”.

Truecaller ‘bug’ bypasses 2 steps in UPI registration

The “bug” that Truecaller is referring to overrides two steps in creating a UPI ID. I tried registering for a UPI ID using PhonePe and had to go through the following steps:

Step 1. I was asked to first select the bank account for which I wanted to create my UPI ID.

Step 2. Following that, the app displayed a ‘Validate Mobile Number’ message which asked for my consent to use that particular phone number.

Step 3. Upon validation, the app opened the Messages app and requested that I send an SMS to register my UPI ID.

Step 4. After sending the SMS, the app displayed this message.

Step 5. Following verification, my UPI ID was created.

In Truecaller’s case, the app already has your mobile number, validated, and the bug allows it to bypass two of the first three steps: selecting your bank account, and manually sending the UPI SMS. What is not clear is the process through which a user’s bank account is being identified and then selected.
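The consent gap described above, modelled in code. This is an added example written for this article, not Truecaller’s or NPCI’s code: the step names follow the five PhonePe steps listed above and the “credential refresh” trigger is the failure mode in the company’s statement, but the `Enrollment` class, the `is_pay_user` flag, the trigger functions and the three sample users are constructed assumptions. The point it shows is that an automated trigger must never be allowed to stand in for a user action, and that an audit of completed steps against recorded consents is enough to detect enrollments that were started without one.

```python
"""Consent-gated UPI enrollment model (added example; not the app's real code)."""
from dataclasses import dataclass, field
from enum import Enum


class Step(Enum):
    """The five user-facing steps, in the order the article lists them."""
    SELECT_ACCOUNT = 1
    VALIDATE_NUMBER = 2
    SEND_SMS = 3
    VERIFY = 4
    CREATED = 5


# Steps that must be backed by an explicit user action. An automated trigger
# (such as a credential refresh) may never satisfy them on the user's behalf.
USER_ACTION_STEPS = {Step.SELECT_ACCOUNT, Step.VALIDATE_NUMBER, Step.SEND_SMS}


class ConsentError(Exception):
    pass


@dataclass
class Enrollment:
    user_id: str
    is_pay_user: bool                              # assumption: already opted in to payments
    consented: set = field(default_factory=set)    # steps the user explicitly confirmed
    completed: list = field(default_factory=list)  # steps actually carried out
    audit: list = field(default_factory=list)      # (step, trigger, outcome) records

    def consent(self, step: Step) -> None:
        self.consented.add(step)

    def perform(self, step: Step, trigger: str) -> Step:
        """Advance by exactly one step; refuse out-of-order or unconsented steps."""
        order = list(Step)
        if len(self.completed) >= len(order):
            raise ConsentError("enrollment already complete")
        expected = order[len(self.completed)]
        if step is not expected:
            self.audit.append((step, trigger, "out-of-order"))
            raise ConsentError(f"{step.name} attempted before {expected.name}")
        if step in USER_ACTION_STEPS and step not in self.consented:
            self.audit.append((step, trigger, "no-consent"))
            raise ConsentError(f"{step.name} requires user consent (trigger={trigger})")
        self.completed.append(step)
        self.audit.append((step, trigger, "ok"))
        return step


def refresh_credentials_unguarded(users):
    """Models the failure mode the company described: a credential refresh that
    starts UPI registration for every user it touches, whether or not they opted
    in, skipping the account-selection and SMS steps without asking the user."""
    started = []
    for e in users:
        e.completed.append(Step.SELECT_ACCOUNT)   # account chosen without the user
        e.completed.append(Step.VALIDATE_NUMBER)  # number is already known to the app
        e.completed.append(Step.SEND_SMS)         # SMS sent from the device automatically
        e.audit.append((Step.SEND_SMS, "credential_refresh", "forced"))
        started.append(e.user_id)
    return started


def refresh_credentials_guarded(users):
    """Hardened trigger: only already-opted-in users proceed, every user-action
    step must carry the user's own consent, and refusals are recorded."""
    started, refused = [], []
    for e in users:
        if not e.is_pay_user:
            e.audit.append((Step.SELECT_ACCOUNT, "credential_refresh", "not-pay-user"))
            refused.append(e.user_id)
            continue
        try:
            for step in (Step.SELECT_ACCOUNT, Step.VALIDATE_NUMBER, Step.SEND_SMS):
                e.perform(step, "credential_refresh")
            started.append(e.user_id)
        except ConsentError:
            refused.append(e.user_id)
    return started, refused


def flag_unconsented_enrollments(users):
    """Detection: users for whom a user-action step completed without a matching consent."""
    return [e.user_id for e in users
            if any(s in USER_ACTION_STEPS and s not in e.consented for s in e.completed)]


def demo():
    """Run both triggers over the same constructed users and audit the result."""
    def make_users():
        alice = Enrollment("alice", is_pay_user=True)   # opted in and confirmed every step
        for s in USER_ACTION_STEPS:
            alice.consent(s)
        bob = Enrollment("bob", is_pay_user=True)       # opted in, but confirmed nothing
        carol = Enrollment("carol", is_pay_user=False)  # never signed up for payments
        return [alice, bob, carol]

    buggy = make_users()
    refresh_credentials_unguarded(buggy)
    fixed = make_users()
    started, refused = refresh_credentials_guarded(fixed)
    return {
        "unguarded_flagged": flag_unconsented_enrollments(buggy),
        "guarded_started": started,
        "guarded_refused": refused,
        "guarded_flagged": flag_unconsented_enrollments(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

With the unguarded refresh, the audit flags bob and carol, which matches the article’s account of users who were not registered for payments being enrolled anyway; with the guarded refresh only alice proceeds, and the same audit finds nothing to flag. Keeping consent as a separate record from completion is what makes the after-the-fact check possible.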

Several people on Truecaller’s Google Play page have also highlighted the same problem in the review section, fearing that the app is accessing personal data and banking information.

*

Updated on August 8, 2019 (10:17 am) with NPCI’s response (above). Originally published on July 30, 2019.