UPI and BHIM: Why NPCI needs to kick in, and weed out potential loopholes

There is a loophole in BHIM and the UPI platform, and the NPCI needs to plug it by reserving certain virtual payment addresses.

As India moves towards a digitally enabled economy, the UPI platform by NPCI is a solution India really needed. However, before it becomes a one-stop solution for a cashless society, BHIM and the UPI platform have to first iron out a few creases. These include blocking critical VPAs (virtual payment addresses) to ensure security and prevent malicious activities. The lack of such a measure could lead to serious repercussions, from private testing data of e-commerce products getting compromised to people being duped by phishing-like attempts using fake VPAs.

A VPA is the ‘username’ that is registered for users of the UPI platform, such as ‘****@upi’ or ‘****@icici’. By using a VPA for financial transactions, you don’t need to share your bank account details while carrying out any transaction. Hence, UPI provides a higher degree of security, as scamsters, spammers and marketing agents aren’t able to get hold of any of your private details such as your bank account number, debit or credit card number, or even your phone number.

On Sunday afternoon, software engineer Jaseem Abid posted on Twitter that he was getting notifications of ‘payment collect requests’ from Flipkart. All because he registered ‘example@upi’ as his VPA. I opened the BHIM app on my phone and searched for the id ‘example@upi’ and verified that it is indeed associated with Abid. I spoke to him over the phone, and he told me that it could either be Flipkart or someone else running tests on UPI. He added that it could also be someone other than Flipkart running a test, but the VPA of FKRT@ybl led him to speculate that it’s the e-commerce site.

While it seems like neither Flipkart nor Abid is at fault here, it has exposed a grave scenario where seemingly innocent VPAs can be exploited in the future by individuals with malicious intent. This is exactly why the NPCI needs to reserve certain VPAs to prevent them from being misused. It is common practice among organizations such as Visa and MasterCard to reserve dummy test credit card numbers for developers to test e-commerce apps and websites, and it is an essential part of testing and quality assurance.

I spoke to cyber security consultant Niranjan Patil, Director of VSR Tech Solutions, and he explained the use of dummy test credit card numbers, and how it is relevant for BHIM and UPI. For end-to-end testing, typically many ids/usernames/VPAs should be kept reserved, which can be safely used by developers.

In this case, Flipkart might have unwittingly used ‘example’ for testing, assuming it to be reserved by BHIM UPI as an internal one. As it now turns out, that was incorrect. By not keeping certain VPAs reserved, the information generated by tests run by e-commerce players could land in the wrong hands, which can then be used against the companies. Similarly, someone could simply register his VPA as ‘rbi’ or ‘pmo’ or even ‘adgpi’ (Additional Directorate General of Public Information, Indian Army) and then dupe the general public into sending donations under the guise of disaster relief or similar causes.
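The reserved-handle policy the two paragraphs above argue for is, at the registration end, a check the PSP runs before it lets a user claim a VPA. The following is an added example written for this article; it is not NPCI's, BHIM's or any PSP's code. The reserved list (‘example’, ‘test’, ‘rbi’, ‘pmo’, ‘adgpi’ and a few more), the set of accepted PSP suffixes and the digit-for-letter folding table are all constructed assumptions chosen to illustrate the idea: a plain exact-match denylist would still let ‘rbi.relief@icici’ or ‘pm0@ybl’ through, so the checker splits the handle into tokens on separators and folds common lookalike digits before comparing.

```python
import re

# Constructed illustrative list: the article argues NPCI should reserve handles such as
# 'example', 'rbi', 'pmo' and 'adgpi'. The exact list NPCI would reserve is an assumption.
RESERVED_HANDLES = frozenset({"example", "test", "demo", "rbi", "pmo", "adgpi", "npci", "bhim"})

# Constructed set of PSP suffixes this checker accepts (hypothetical, not NPCI's registry).
KNOWN_PSPS = frozenset({"upi", "icici", "ybl"})

# Digit-for-letter substitutions a lookalike handle might use; mapping chosen for illustration.
_CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

# handle@psp: handle is 2-49 chars of letters, digits and separators; psp is letters only.
VPA_RE = re.compile(r"^([a-z0-9][a-z0-9._-]{1,48})@([a-z]{2,20})$")


def parse_vpa(vpa: str):
    """Split 'handle@psp' into (handle, psp), lower-cased; return None if malformed."""
    m = VPA_RE.match(vpa.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def handle_tokens(handle: str):
    """Fold digit lookalikes to letters, then break the handle into tokens on separators."""
    folded = handle.translate(_CONFUSABLES)
    return [t for t in re.split(r"[._-]+", folded) if t]


def registration_decision(vpa: str):
    """Return (allowed, reason) for a requested VPA under the reserved-handle policy."""
    parsed = parse_vpa(vpa)
    if parsed is None:
        return False, "malformed VPA"
    handle, psp = parsed
    if psp not in KNOWN_PSPS:
        return False, f"unknown PSP suffix '{psp}'"
    for token in handle_tokens(handle):
        if token in RESERVED_HANDLES:
            return False, f"handle token '{token}' is reserved"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first three should be refused, the last two accepted.
    for candidate in ["example@upi", "rbi.relief@icici", "pm0@ybl", "orbit@upi", "jaseem@upi"]:
        print(candidate, registration_decision(candidate))
```

The token split matters in both directions: ‘orbit@upi’ is allowed even though it contains the letters ‘rbi’, while ‘rbi.relief@icici’ is refused because ‘rbi’ stands alone as a token. The separator and confusable tables are deliberately small; a production checker would maintain them as data the operator can extend rather than as constants.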

Patil added that this is a serious concern, and the NPCI needs to quickly reserve VPAs to avoid any untoward incidents. We have contacted NPCI for their comments, and shall update the story as we receive them.