Tackling UPI Frauds: Security by Design Is the Answer
Nandkumar Saravade 03 February 2022
The Ken, an online publication, recently did a story about unified payment interface (UPI) frauds. Quoting an anonymous senior government official, it claimed that not only were reported monthly frauds about 80,000 but that the actual number is five times that figure. The losses to victims, it said, would run up to Rs200 crore per month.
To put this in context, the latest edition (2020) of the annual report Crime in India, published by the National Crime Records Bureau (NCRB), puts the annual number of cyber frauds at a mere 30,142. The ministry of finance, in response to unstarred question no. 1188, answered in the Lok Sabha on 6 December 2021, put the year-on-year (y-o-y) numbers, as received from the Reserve Bank of India (RBI), as follows.
It would appear from the above table that the fraud data reported by the banks to RBI has been rising steadily. Crime recorded by the state police authorities is about one-third of what banks report to the RBI.
However, the anecdotal number quoted by The Ken article seems far ahead of official data. From what I have heard, this anecdotal number is closer to the real number. In any case, we seem to have a measuring problem.
I am reminded of the exhortation of Lord Kelvin: “When you can measure what you are speaking about and express it in numbers, you know something about it. When you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind...”
It is thus important to capture the incidence of cyber fraud in general (know thy enemy) and UPI fraud in particular, if we are to get a handle on curbing it.
There is no doubt that UPI has become the main engine for the payment industry and is the prime mover for realising the government’s vision of digital India and achieving financial inclusion objectives. As such, fraud afflicting UPI directly results in a loss of trust and a reduction in business expansion. So, what can be done about it?
To my mind, the payment industry must ensure that the reporting of UPI fraud should become a frictionless activity. This can be easily done by introducing a ‘report a fraud’ button, prominently placed in each payment app, backed by a core application programming interface (API), mandated by the National Payments Corporation of India (NPCI).
Currently, such a feature to dispute a fraudulent transaction is either not provided by payment apps at all, or buried under difficult-to-find and vague menu options (‘Raise Complaint’), possibly generating offline workflows that are handled with a lag.
Failing to put such an interface artefact in place when the UPI platform was architected is like forgetting to put up a police station in a new township.
Once such a fraud-reporting feature is introduced, the payment apps themselves need to run creative awareness campaigns on how to detect and notify frauds quickly. This should be accompanied by a general information campaign by NPCI at the national level.
A victim should be able to report the fraud to the UPI platform itself (rather than going through her bank) as soon as she becomes aware of it. If required, RBI should suitably amend its fraud reporting circulars.
The use of well-designed forms, supported by chatbots, can ensure that the victim provides essential information without going through time-consuming documentation in stressful circumstances.
By enabling easy fraud reporting, data relating to fraud can be captured close to the incident. Depending on how quickly the fraud is reported, it can be used to block funds in real-time. This is best done by NPCI itself, rather than leaving it to banks.
NPCI, as the platform owner, is in the best position to have visibility to aggregate the data and intervene effectively. Banks’ reporting to RBI can also tap into the NPCI repository, save on effort and improve accuracy.
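The two preceding paragraphs describe what a platform-level fraud repository would have to do: accept a report close to the incident, decide whether it arrived early enough to attempt a hold on the funds, and aggregate reports so that the platform owner can see patterns that no single bank would. The following is an added illustration of that flow and is not code from the article, NPCI or any payment app; the transaction and report records, the payer-only reporting rule, the 24-hour hold window and the "hot payee" threshold are all assumptions chosen for the example, not documented NPCI rules, and the transactions and reports are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy knob for this example (not an NPCI rule): a report that
# arrives within this window of the transaction is escalated for a real-time
# hold attempt; later reports are recorded for investigation only.
HOLD_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Transaction:
    ref: str              # transaction reference as shown to the payer
    payer_vpa: str        # virtual payment address of the payer
    payee_vpa: str        # virtual payment address of the payee
    amount: float
    timestamp: datetime   # UTC


@dataclass
class FraudReport:
    transaction_ref: str
    reporter_vpa: str
    reported_at: datetime
    narrative: str = ""   # free text captured by the form or chatbot


@dataclass
class FraudRepository:
    """Platform-level store: one report per transaction, with per-payee counts."""
    transactions: dict[str, Transaction]
    reports: dict[str, FraudReport] = field(default_factory=dict)
    payee_hits: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def submit(self, report: FraudReport) -> str:
        """Validate, deduplicate and route a report. Returns the action taken."""
        txn = self.transactions.get(report.transaction_ref)
        if txn is None:
            return "rejected: unknown transaction"
        # Only the payer may dispute a transaction (assumed rule for the example).
        if txn.payer_vpa != report.reporter_vpa:
            return "rejected: reporter is not the payer"
        if report.reported_at < txn.timestamp:
            return "rejected: reported before transaction time"
        # Idempotent: a second report of the same transaction must not
        # trigger a second hold request or inflate the payee's count.
        if report.transaction_ref in self.reports:
            return "duplicate"
        self.reports[report.transaction_ref] = report
        self.payee_hits[txn.payee_vpa] += 1
        if report.reported_at - txn.timestamp <= HOLD_WINDOW:
            return "hold_requested"
        return "recorded"

    def hot_payees(self, min_reports: int = 2) -> list[str]:
        """Payees named in at least min_reports distinct reports."""
        return sorted(v for v, n in self.payee_hits.items() if n >= min_reports)


def build_sample_repository() -> FraudRepository:
    # Constructed sample transactions; three of them pay the same payee.
    t0 = datetime(2022, 1, 15, 10, 0, tzinfo=timezone.utc)
    txns = [
        Transaction("TXN0001", "alice@bank", "shop@bank", 500.0, t0),
        Transaction("TXN0002", "bob@bank", "mule@bank", 2500.0, t0 + timedelta(minutes=5)),
        Transaction("TXN0003", "carol@bank", "mule@bank", 4999.0, t0 + timedelta(minutes=9)),
        Transaction("TXN0004", "dave@bank", "mule@bank", 1000.0, t0 - timedelta(days=3)),
    ]
    return FraudRepository(transactions={t.ref: t for t in txns})


def run_demo() -> tuple[dict[str, str], list[str]]:
    """Submit constructed reports and return (outcome per report, hot payees)."""
    repo = build_sample_repository()
    t0 = datetime(2022, 1, 15, 10, 0, tzinfo=timezone.utc)
    reports = {
        "bob_fast": FraudReport("TXN0002", "bob@bank", t0 + timedelta(minutes=15)),
        "bob_again": FraudReport("TXN0002", "bob@bank", t0 + timedelta(minutes=20)),
        "carol_late": FraudReport("TXN0003", "carol@bank", t0 + timedelta(days=2)),
        "dave_late": FraudReport("TXN0004", "dave@bank", t0),
        "eve_not_payer": FraudReport("TXN0001", "eve@bank", t0 + timedelta(minutes=1)),
        "alice_unknown": FraudReport("TXN9999", "alice@bank", t0 + timedelta(minutes=1)),
    }
    outcomes = {name: repo.submit(r) for name, r in reports.items()}
    return outcomes, repo.hot_payees()


if __name__ == "__main__":
    for name, outcome in run_demo()[0].items():
        print(f"{name}: {outcome}")
    print("hot payees:", run_demo()[1])
```

The point of the routing is the one the article makes about timing: only the report filed minutes after the transaction is worth a hold attempt, while the late ones still feed the repository. The per-payee count is what the platform owner gets that individual banks do not: three victims from three different banks reporting the same payee is visible only when the data is aggregated in one place.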
At a suitable stage, access to the fraud repository can be given to law enforcement and telecom companies to initiate action at their end. Once the deterrence is set, the incidence of fraud would decline over some time.
Historically, chargebacks and complaint redressal in credit card payments were an important feature behind their becoming widely accepted. Given that most card spending in the past was on point of sale (PoS) terminals, the time frame allowed for the acquiring bank's teams to investigate disputes and respond to chargeback requests was rather long.
Since UPI has brought in instantaneous and remote payments, the old and obsolete ways of reporting fraud have to be done away with and replaced by a faster mechanism.
Of course, improving fraud reporting and deterrence is a significant but small part of the fraud management framework, which sits on the three pillars of Prevent-Detect-Respond. Fraud, like other security categories, is an adversarial risk problem, where the attackers continuously change their tactics, techniques and procedures (TTPs) to exploit the environment better.
Much of the preventive work and attendant investments have to go into customer awareness, better app design and secure coding, using hardened IT infrastructure, setting up an industry consortium for information sharing, and so on.
India has set a great example in designing a state-of-the-art payment system like UPI. It is time to incorporate fraud management into it and build further trust to serve the end-customer. We have already missed the bus on creating the financial sector Computer Emergency Response Team (CERT-Fin), announced five years ago by the then finance minister in the Union budget. There is no further time to lose on this front.
(Nandkumar Saravade advises on security, technology, entrepreneurship and governance. Before joining the private sector, he spent two decades in the Indian Police Service (IPS). He has deep experience in fraud management from multiple perspectives. He was the founding CEO of Reserve Bank Information Technology Pvt Ltd (ReBIT) during 2016-2021.)
5 months ago
Excellent suggestions for an existential threat! Hope these are acted upon
5 months ago
Wish to have lived a life of bullock cart times in the 1930s and 1940s, when men were free of such technological tensions of today.
5 months ago
In our country, we, somehow, have the culture of "rushing" into new digital platforms, without adequate thought of their misuse. Hence interface artefacts are not designed and put in place. We wake up only when we encounter frauds - but by that time the horse has bolted out of the stable!
5 months ago
Well, with this also add the link where the fraud reported also goes straight to the cybercrime police. They will also build the data and should start taking action.
