UPI Payments: Top Security Issues & Possible Way Arounds: An Opinion
Blog: NASSCOM Official Blog
Unified Payments Interface, popularly known as the UPI, has been one of the most thrilling inventions in India’s digital payments landscape over the last few years. It is India’s home-grown instant real-time payment system developed by NPCI, regulated by the RBI, and facilitating contactless inter-bank transactions over a mobile platform.
One of the best things about UPI is that it is a single interface that allows seamless interoperability between different payment systems across payment providers, attempting to build a truly digitally connected country.
UPI’s key market success factors:
UPI has some key market success factors that can be attributed to it being revolutionary in true terms. Some of these success factors and key benefits of UPI include:
- A game-changer electronic payment system that facilitates the transition to a cashless economy
- Provides a unique identifier – a virtual unique payment address for each individual
- The unique identifier of each individual provides interoperability across payment systems. Bank accounts, cards, and wallets can be mapped to a unique virtual payment address
- Makes one-click payment a reality
- Unlike internet banking, UPI does not need exchanging of sensitive information, such as bank account numbers, IFSC codes, etc. during a financial transaction
- Also provides an option for scheduling push and pull transactions
Even though UPI is indeed a groundbreaking innovation in the digital payments landscape, reliability and security are still considered to be at stake, keeping many individuals and businesses apprehensive about the payment system.
According to recent research, with the onset and the rise of Covid-19 in India, nearly half of the Indian consumers are more concerned about digital payments fraud now than when the novel coronavirus first emerged.
Certain security parameters that are at stake with the use of UPI for digital payments include the virtual payment addresses of the individuals, the digital identity of individuals, transaction information – the data over the UPI network, and the financial details of individuals that increase susceptibility to financial frauds.
Some of the Top UPI payment frauds doing rounds in India include:
- Misleading UPI handles – Many fraudsters create deceptive handles that have names like NPCI, UPI, BHIM, etc. to make individuals reveal their account details through a fake UPI app leading to frauds
- Request Money fraud – Many fraudsters trap individuals who do not know that for receiving money on a UPI platform, one does not need to scan a QR code or enter the UPI pin. The hackers request to scan some QR code and enter their UPI pin to receive a prize, resulting in frauds on the UPI platform
- Remote screen monitoring frauds – Many unverified apps downloaded from the Google Playstore can extract the phone information and tap all financial information available on the phone, leading to UPI frauds
- Phishing – Fraudsters send unauthorized links through emails or SMSs to the users and once they click on such unauthorized links, frauds happen
Digital literacy and educating individuals on the UPI payment methodology is indeed key in preventing users from falling prey to many of such frauds and the Indian government is regularly working on increasing awareness among the individuals.
Besides this, many fintechs are also working to innovate newer Ways of Securing and Authenticating UPI payments in India. Some of the possible innovative ways in which UPI payments can be made more secure in India:
- Using biometric authentication for UPI payments – New multi-factor authentication for UPI payments could include biometric authentication, possibly through mobile devices, though the challenge at hand is that iris biometrics is not supported by a majority of smartphones in India.
Adding on voice, finger, or face biometric authentication by validating the user’s voice/face with pre-saved audio/pic samples can be a breakthrough in enhancing the security of UPI payments in India.
In 2019, Google Pay had launched fingerprint or face biometric API authentication in some countries, but the feature is not currently available in India. In India, the UPI based Google Pay platform still requires pin-based authentication only.
- GPS tracking based authentication for fraud prevention – Mandating location tracking and using it for authentication of UPI payments can be a good way around in fraud prevention in UPI payments as it will help to distill fraudulent transaction attempts by cross-checking the current transaction location with the location history of the user.
GPS tracking is enabled by most smartphones in India today and some banking apps have already started requiring location tracking to be enabled to complete transactions, as a fraud prevention mechanism on UPI payments.
- Enhanced security and vulnerability detection of the UPI environment and the interfacing systems – Introducing new security tools to protect the interfacing systems and performing advanced and smart analytics for effective monitoring of security risks of the UPI environment and taking preemptive steps can help in mitigating UPI frauds
- Experimenting with soundwave, Bluetooth, NFC based – innovative offline methods for UPI payments – Innovating UPI payments through offline modes like a soundwave, Bluetooth, and NFC can prevent loss of transaction information and financial details over the web network in UPI payments. This can come a long way in making UPI payments not only hyper-local and no-fi or low-fi enabled but also preventing loss of confidential data over the web.
With NPCI’s recent launch of PayAuth Challenge, inviting proposals for innovative solutions to simplify and secure authentication on the UPI platform, the security of UPI payments is sure to be enhanced in the coming months, possibly making it one of the most sought after payment methods in India.
- Financial Express
- Economic Times
- Secondary research
- NASSCOM Research