Bank’s UPI app glitches led to fraudulent transactions, say NPCI and iSpirt, following BoM complaint

The National Payments Corporation of India (NPCI) and iSpirt have put out a joint statement on the security of the Unified Payments Interface (UPI). According to NPCI and iSpirt, the recent spate of fraudulent transactions occurred due to some glitches in the Bank of Maharashtra’s (BoM) UPI app.

Moneycontrol reported on 21 March that banks may have witnessed some glitches in the UPI and Bhim apps, which led to fake transactions, although of low value. The report goes on to state that Bank of Maharashtra had reported these fake transactions, but the private banks have refrained from registering a complaint.

BoM had filed an FIR with the police in Pune against 50 people for illegally withdrawing money using the bank's UPI app and causing a loss to the tune of Rs 6.14cr. According to the Moneycontrol report, the fraudsters exploited a flaw in the UPI app developed by Infrasoft Technologies.

Speaking to Medianama, Sharad Sharma, co-founder of iSpirt, said that there is an internal issue with BoM, which allowed a customer to send money to another account even though the source account did not have any balance.

“This was an issue with the bank and its core banking system. Due to this bug, payments would have been possible from an account not having balance through multiple payment systems apart from UPI. In effect, this isn’t a UPI issue. Bank of Maharashtra is rectifying the situation,” said Sharma.

NPCI has also gone on record and stated that there is no vulnerability in the UPI framework, as it has done intensive testing and continuous monitoring of the UPI infrastructure. According to NPCI, Bhim and UPI run in very secure conditions and are certified under the best global practices such as PCI DSS and ISO 27001. Apart from this, NPCI also has adequate measures to ensure that banks are easily able to report fraudulent incidents.

UPI is working on developing a mechanism to whitelist merchant virtual payment addresses (VPA), which will ensure that they are verified. This is being done to prevent users from accepting collect requests from dubious entities posing as merchants.

NPCI has also stated that the Bhim app has seen around 19.16 million downloads and over 5mn customers have linked it to their bank accounts.

According to AP Hota, MD and CEO of NPCI, banks are expected to have the mobile numbers of all their customers to ensure universal acceptance of mobile banking services.
