
Got a UPI app? Guard your mobile

The UPI handle on your mobile phone can be hacked and money can be siphoned off from your account if you are not careful


Payments and fund transfers using mobile apps have made life easy for consumers. But they have also made it easier for fraudsters to siphon money from your accounts. After hacking into net banking accounts and credit cards, fraudsters are now targeting Unified Payments Interface (UPI) apps.

There have been reports of customers losing lakhs of rupees from their bank account through the UPI app. But negligence on the part of customers also has a role to play, say experts DNA Money spoke to. Let us understand how the fraud is carried out and what we can do to prevent such incidents.

How does UPI work

UPI is a relatively new payment mechanism. It allows a third-party application to support its functionality, which is backed by a bank/payment ecosystem.

"It could possibly be compared to wallets, but it has an inherent nature of a stored value account where money has been explicitly moved, and therefore in that sense it is not the actual bank account that is at potential risk/exposure," says Ramaswamy Venkatachalam, managing director – India, FIS.

Each bank provides its own UPI app for Android, Windows and iOS mobile platforms. But not all such applications are created with security in mind. "Often poor programming results in vulnerabilities of the applications that are then attacked," says Venkat Krishnapur, vice-president of engineering and managing director, McAfee India.

How the fraud happens

(1) Fraudsters work in conjunction with techies or bank officials and retrieve sensitive client information such as the customer's name, address, bank account and card details, PAN and mobile phone number. This is the primary data sufficient to carry out an attack.

(2) Then the fraudster poses as the owner of the specific mobile number and obtains duplicate SIM cards from the network providers. This happens because SIM upgrades do not require any verification of KYC documents. The fraudster then downloads the UPI app on his mobile using the victim's duplicate SIM card.

(3) The fraudster then sets the victim's mobile in the airplane mode, following which SMS sending would fail, but the unique code would be available with the fraudster on his mobile.

This action binds the victim's mobile number to the fraudster's device. Thereafter, the fraudster gets the victim's details through social engineering techniques (details such as the last six digits of the debit card and its expiry date, or the customer's UPI PIN) and carries out transactions from the victim's account.

(4) In the process, the original SIM card gets deactivated, resulting in all bank-related communication being received on the duplicate SIM card in the possession of the fraudsters, enabling the fraudster to start transferring funds.

(5) Fraudsters can also use phishing/vishing methods (vishing uses voice calls to trick customers into revealing sensitive details) to get user data like credit card/account numbers along with the CVV/OTP (one-time password).

(6) Fraudsters can also use malware to target mobile banking apps and wallets to get information that can be used to siphon off funds from user accounts.

"Some of the newer apps that show the name of the caller on the phone have also played a part. They seem to show that the caller is a legitimate one showing the bank name," says Venkatachalam.

Any rogue application or software is in itself incapable of siphoning off a customer's money without the consent of the victim, points out Ritesh Pai, chief digital officer, YES Bank. "Customers should beware of covert ways that fraudsters employ to gather details from them; even if it's a bank employee, the customer should never divulge important information like credit/debit card details, PIN, account details with password, UPI PIN, etc," he cautions.

What you can do

Since the transfer of funds is instantaneous, there is not much you can do while the fraud is being carried out, says Nirajnan Upadhye, general manager, fraud risk management division, Worldline.

"You will get to know in almost real time, within a few seconds of the funds being transferred. But you will not be able to reverse it or stop it because the money flows out immediately," he says.

But you will get to know only if you have registered your mobile number with your bank for SMS alerts. In the case where a customer lost over Rs 6 lakh through the UPI app, he had not registered his mobile for SMS alerts, and hence got to know of the fraud days after it happened.

"One should never let out details that are known only to you, such as the OTP number you receive, your card's expiry date, last digits, etc. You should also never leave your mobile phone unattended or the screen unlocked. While the UPI app by itself is secure, often fraudsters are able to get around it due to customer's negligence," Upadhye adds.

In such cases, customers should reach out to the bank where they hold the account. The bank will raise a dispute as per National Payments Corporation of India (NPCI) dispute resolution guidelines, and the turnaround time set by the NPCI process will be followed for investigation/resolution. "With respect to compensating customers for the loss, typically banks will follow the RBI guidelines on limiting customer liability. If it is proven that the customer has compromised any details which have aided the fraudster in perpetrating the fraud, then the concerned bank may not compensate the customers," says Pai.

Basic hygiene practices to follow

  • Enable SMS alerts for different types of transactions: ATM withdrawals, POS, etc.
     
  • Use only official apps from banks. Use third party apps only if you are aware of how they work and are able to distinguish them from fraudulent apps
     
  • Don't trust information that comes from caller identification applications
     
  • Banks never seek sensitive information from customers. If you sense that the caller is able to provide information such as your bank account balance, act urgently: contact your bank and report it as suspicious activity
     
  • Do not share your debit/credit PIN with anyone. You should use the POS machine and enter the PIN yourself
     
  • Protect your mobile phones, cards and ensure they do not leave your sight if handed over to anyone during a transaction activity