Digital economy: Loophole in UPI payments system allows crooks to loot account holders

Crooks are exploiting loopholes in the Unified Payments Interface mobile application to loot bank customers, police sources told Mail Today on Tuesday, underscoring a spike in cyber crimes as India moves towards a digital economy.

Cops are worried about rising cases of cheats getting a duplicate SIM on the pretext of upgrading a particular cellphone account to a 4G connection and then transferring money by downloading the UPI app.

Unified Payments Interface was launched last year by National Payments Corporation of India - a not-for-profit organisation owned by a consortium of major banks - and is regulated by the RBI.

It allows users to make transactions over their cellphones including cash transfers to other users, and payments to utilities and some merchants.

A person with a smartphone, an account at one of the UPI's partner banks and a mobile number linked to that account can download the platform app. Users are enabled after registering on the application, which usually takes less than five minutes.

MODUS OPERANDI

Cops say withdrawing money fraudulently through UPI is a new trend and all a cyber criminal needs is the basic banking details of the victim.

"Our preliminary inquiry shows that these criminals are working in nexus with bank officials who leak the information of their clients by taking a screenshot and pass it on through WhatsApp," said a senior officer of crime branch in Delhi Police.

The information leaked by bank officials consists of the customer's name, address, bank account and card, PAN and mobile phone details. Criminals pay them based on the data, which varies according to the profile of the account holder.

These crooks, posing as telecom operators, ask the victim to apply for a 4G SIM free of cost for faster internet service.

As soon the customer sends an SMS to their operator to change their SIM to a 4G connection, the criminal goes to the store and collects a 4G SIM and then activates it in the victim's name.

SIM upgrade does not require any verification of know-your-customer (KYC) documents.

LACK OF VERIFICATION A PROBLEM

"The problem lies in the fact that there is no verification of documents and an active SIM can be easily procured," said Uttar Pradesh special task force's additional superintendent Triveni Singh.

"Mostly, our banking accounts are linked to our mobile number. All the notification, password and pin reset details are received on the phone. So, as soon criminals get access to a new mobile SIM, they download UPI or the BHIM app and fill the banking details which they have already gathered and start transferring money."

Singh explained that once a crook is in possession of a SIM card, he only requires the victim's card details for a transaction.

Even the private banks too have been receiving complaints about withdrawal of money using UPI, say sources. They have asked their forensic teams to examine the details of such transactions.

Cops are yet to ascertain if an organised syndicate is behind such crimes but claim that techies and seasoned scamsters are exploiting the loopholes in the banking and telecom system.

UPI was promoted after the government announced the demonetisation drive last November in a bid to boost cashless transactions.

Chinks in the system were exposed when the NPCI admitted this year that Rs 25 crore was moved out of Bank of Maharashtra (BoM) accounts due to a bug in its UPI app.

According to sources, corrective steps have been initiated as well as the process of recovering the money from 19 banks where it was transferred to.

Officials say a bug resulted in the money moving out of the accounts without the sender having the necessary funds.

ALSO READ | WhatsApp may soon allow Indian users to make payments, money transfer through app

ALSO READ | Modi's BHIM: All questions answered about app that will make India cashless