No loophole in UPI App: NPCI

The National Payments Corporation of India (NPCI) has claimed that there are no loopholes in its Unified Payments Interface (UPI) mobile application, which individuals in Pune and Bhayander are believed to have used to siphon off more than Rs 7 crore from Bank of Maharashtra. However, the firm that developed UPI termed the incident “an aberration and not a systemic issue”. The UPI App was developed by Mumbai-based banking software firm InfrasoftTech for the NPCI.

The Pune police booked 50 people for siphoning off Rs 6 crore from the bank earlier this month. And last week, the police in Bhayander booked 22 people for allegedly hacking the bank’s server and siphoning off Rs 1.42 crore through transactions using the UPI App. The transactions took place between December 2016 and January 2017, before they came to the notice of the bank.

In a statement, the NPCI said, “There is no vulnerability or loophole reported in Bharat Interface for Money (BHIM) application or UPI system. NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure. The environment in which BHIM or UPI is run by NPCI is highly secure and certified with best global practices. The packages have also been audited by reputed IT security firms. NPCI has put in place adequate governance mechanism for banks to report any fraud or system issues and its redressal.”

Responding to queries from The Indian Express, InfrasoftTech said that the application was tested both by NPCI and the bank before it went live. “This incident was an aberration and not a systemic issue with our solutions. When the incident was reported by the Bank of Maharashtra to us, we provided the fix to the manner of presentation of the message, in a matter of hours,” a spokesperson for InfrasoftTech said. Adding that it was assisting the police to track down the fraudulent transactions, the firm declined to comment on the manner in which the money was siphoned off as it is under criminal investigation.

However, cyber crime expert Vijay Mukhi termed it a “massive security breach”. He said, “The problem is with the UPI app talking to Bank of Maharashtra’s servers while approving transactions. Something like this should not have happened.” InfrasoftTech also claimed to be working to “proactively highlight fraudulent behaviour” and said that Bank of Maharashtra and other banks continue to use the UPI App, without requiring its operations to be suspended.

“Our App is secure and we have enhanced the surveillance of transactions to highlight fraudulent behaviour using our AI based Anti-Fraud solution. It has now been over two months of the fix being in place and we have processed millions of transactions securely in this period with no further incidents occurring to the best of our knowledge,” the firm’s spokesperson said.

While Mukhi added that the government should contemplate taking action against the firm and the App’s testers, cyber law and cyber security expert advocate Prashant Mali claimed that the firm did not “behave responsibly when handling public money and data.” However, the firm’s spokesperson said, “It would only be after the investigations are completed that one would be in a position to establish responsibilities. Our responsibility is to provide the solution and the bank’s responsibility is to reconcile on a regular basis.”

[Copyright by Srinath Rao]