
Indian Bank Loses Rs 25Cr Due To A Bug In UPI Payments App – Is BHIM Safe?


It has been reported that the India-based Bank of Maharashtra has incurred financial losses amounting to INR 25Cr (roughly $4 million). It happened due to a technical flaw in the bank’s UPI payments app, designed by a Mumbai-based company. The bank has lodged an FIR against 50 suspects and is trying to recover the funds from other banks.

The state-owned Bank of Maharashtra (BoM) has reported a loss of INR 25Cr (roughly $4 million) due to what is being called one of the biggest financial frauds in India. This is another big blow to a financial body after almost five months. Earlier, a data breach compromised the details of around 3.2 million debit cards.
According to the reports, the fraud happened due to a bug present in the bank’s payments app based on the Unified Payments Interface (UPI). The payments app was developed by a Mumbai-based company Infrasoft Tech.
The financial fraud was first reported on February 22. It is reported that the bug was discovered through trial and error by around 50 people, with no known connection to one another, in the city of Aurangabad. They were able to pull funds from their bank accounts with insufficient balance and transfer them to accounts belonging to other banks.
A government body known as NPCI (National Payments Corporation of India) validates all transactions made using UPI on the basis of a confirmation sent by the payments app. According to BoM, the transactions were declined by the bank in the first place due to insufficient balance. However, because of the bug, the app sent two consecutive messages to NPCI: the first reading “success” and the second reading “error: insufficient funds”.
NPCI’s systems are configured to validate transactions on the basis of the first message. This cleared the way for the uninterrupted transfer of funds. The exploit was used to transfer funds 672 times in a period of 48 days starting on December 1, 2016.
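The message-ordering flaw described above, as an added example (not code from the bank, Infrasoft or NPCI): it contrasts a first-reply-wins decision with a fail-closed one over a batch of replies, and flags transactions that received conflicting replies. The message shape, transaction ids and function names are constructed assumptions; the article does not give the real UPI message format.

```python
from collections import defaultdict

# Constructed sample: (transaction id, status) in arrival order. The ids and
# tuple layout are assumptions, not the real UPI message format.
MESSAGES = [
    ("TXN-1001", "success"),
    ("TXN-1002", "success"),
    ("TXN-1002", "error: insufficient funds"),  # conflicting second reply
    ("TXN-1003", "error: insufficient funds"),
    ("TXN-1004", "success"),
    ("TXN-1004", "success"),                    # harmless duplicate
]

def first_message_wins(messages):
    """Behaviour the article describes: only the first reply per transaction counts."""
    decision = {}
    for txn_id, status in messages:
        decision.setdefault(txn_id, "approve" if status == "success" else "decline")
    return decision

def fail_closed(messages):
    """Hardened variant: approve only when every reply for the transaction is 'success'."""
    replies = defaultdict(list)
    for txn_id, status in messages:
        replies[txn_id].append(status)
    decision = {}
    for txn_id, statuses in replies.items():
        if all(s == "success" for s in statuses):
            decision[txn_id] = "approve"
        elif len(set(statuses)) > 1:
            decision[txn_id] = "hold: conflicting replies"
        else:
            decision[txn_id] = "decline"
    return decision

def conflicting_transactions(messages):
    """Detection: transaction ids that received more than one distinct status."""
    seen = defaultdict(set)
    for txn_id, status in messages:
        seen[txn_id].add(status)
    return sorted(t for t, statuses in seen.items() if len(statuses) > 1)

if __name__ == "__main__":
    print("first reply wins:", first_message_wins(MESSAGES))
    print("fail closed:     ", fail_closed(MESSAGES))
    print("conflicts:       ", conflicting_transactions(MESSAGES))
```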
With regard to such reports of technical malfunction, NPCI issued a statement on March 20. The corporation stated that there exists “no vulnerability or loophole reported in Bharat Interface for Money (BHIM) application or UPI system.”
“NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure. The environment in which BHIM or UPI is run by NPCI is highly secure and certified with best global practices like PCI DSS ISO 27001.”
Infrasoft first reported the bug on January 18, 2017. The company also provides UPI-based payments solutions to two other Indian banks, which haven’t reported any incident of financial fraud. Infrasoft is working with BoM to find the cause of the bug. The company also ruled out the possibility of any internal person being involved in the financial fraud.
The bank has lodged an FIR against 50 people. It has had little success in recovering the funds that were illegally transferred to 19 other banks.