A bug in its unified payment interface (UPI) cost state-run Bank of Maharashtra (BoM) about Rs25 crore, say media reports. This is exactly the kind of 'rush' to join the digital platform bandwagon about which the Reserve Bank of India (RBI) had warned. But more about that later.
Quoting AP Hota, Managing Director and Chief Executive of National Payment Corp of India (NPCI), the company behind UPI, a report from the Economic Times says, "Total amount of loss, as reported by BoM, is about Rs25 crore. They've recovered some amount and some amount is still pending. They've filed a police complaint also and the investigation is on."
Explaining the fraud, Mr Hota told the newspaper that the Pune-based bank had procured a UPI solution from a vendor (reported to be city-based InfrasoftTech) which had a bug that allowed funds to move out of accounts even when the sender's account did not have the necessary balance.
Bank of Maharashtra had also accused 22 residents of Bhayander of hacking its central server in Mumbai and exploiting a flaw in the UPI mobile app to siphon off Rs1.42 crore from the bank. As per a report from the Indian Express, investigations into the siphoning off of Rs1.42 crore from the bank revealed that two of the accused allegedly committed a similar crime in Pune earlier this month.
"The bank lost Rs6 crore between December 2016 and January 2017. In the latest case involving the Bhayander residents, exploiting a bug in the UPI app launched last year, the accused, having hacked the bank’s central server in Mumbai, made 142 'request money' transactions between 26 December 2016 and 18 January 2017," the report says.
Explaining the 'bug', a report from the Times of India (ToI) says the 50 accused sent 'receive (transfer) money' requests in batches of up to Rs1 lakh each over 48 days.
As per the procedure, when the UPI app receives such a request it sends a query to the other party (the paying customer) and, after obtaining acceptance, checks fund availability in the UPI-linked bank account. However, the UPI app used by Bank of Maharashtra sent two messages to NPCI for the same transaction, one reading 'success' and the other 'error: insufficient funds'. In these fraudulent transactions, NPCI read only the first message and cleared the payment, so the settlement was made from the bank's pool account even though the paying account had no funds.
"As a result, BoM's pool account with the RBI was deducted about 672 times over a period of 48 days," the report from ToI says.
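The failure described above, reduced to a small simulation. This is an added example written for this article; it is not the vendor's, the bank's or NPCI's code, and the message format, the `Bank` structure, the function names and the starting balances are all constructed for illustration. The 142 'request money' transactions of Rs1 lakh each are taken from the reports quoted above. It pairs a payer-bank adapter that acknowledges 'success' before its balance check with a switch that settles on the first status it reads, then shows the hardened version of each side: the adapter decides only after the balance check and emits exactly one terminal status, and the switch refuses to settle any transaction that carries conflicting or duplicate statuses. A reconciliation step compares pool debits against customer debits, which is the control that would have surfaced the gap long before 48 days.

```python
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed message shape: (transaction id, amount in rupees, status).
Message = Tuple[str, int, str]


@dataclass
class Bank:
    pool: int                 # bank's settlement pool held at the central bank
    accounts: Dict[str, int]  # customer account balances, in rupees


def vulnerable_adapter(bank: Bank, txn_id: str, payer: str, amount: int) -> List[Message]:
    """Payer-bank side as reported: 'success' goes out before the balance check,
    and a shortfall only appends a second, contradictory message."""
    out: List[Message] = [(txn_id, amount, "success")]
    if bank.accounts[payer] >= amount:
        bank.accounts[payer] -= amount
    else:
        out.append((txn_id, amount, "error: insufficient funds"))
    return out


def hardened_adapter(bank: Bank, txn_id: str, payer: str, amount: int) -> List[Message]:
    """Balance check first; exactly one terminal status per transaction."""
    if bank.accounts[payer] < amount:
        return [(txn_id, amount, "error: insufficient funds")]
    bank.accounts[payer] -= amount
    return [(txn_id, amount, "success")]


def vulnerable_switch(bank: Bank, messages: List[Message]) -> Tuple[List[str], List[str]]:
    """Switch side as reported: the first status seen for a txn id is final."""
    decided: Set[str] = set()
    settled: List[str] = []
    for txn_id, amount, status in messages:
        if txn_id in decided:
            continue                       # second message is silently ignored
        decided.add(txn_id)
        if status == "success":
            bank.pool -= amount            # pool debited with no customer debit
            settled.append(txn_id)
    return settled, []


def hardened_switch(bank: Bank, messages: List[Message]) -> Tuple[List[str], List[str]]:
    """Group all messages per txn id; settle only a single unambiguous 'success'.
    Anything duplicated or contradictory is held for manual reconciliation."""
    by_txn: Dict[str, List[Message]] = {}
    for msg in messages:
        by_txn.setdefault(msg[0], []).append(msg)
    settled: List[str] = []
    held: List[str] = []
    for txn_id, msgs in by_txn.items():
        if len(msgs) == 1 and msgs[0][2] == "success":
            bank.pool -= msgs[0][1]
            settled.append(txn_id)
        elif len(msgs) > 1:
            held.append(txn_id)            # conflicting statuses: do not settle
    return settled, held


def reconcile(before: Bank, after: Bank) -> int:
    """Every rupee leaving the pool must match a rupee debited from a customer.
    Returns the unexplained gap (0 when the books balance)."""
    pool_debit = before.pool - after.pool
    customer_debit = sum(before.accounts.values()) - sum(after.accounts.values())
    return pool_debit - customer_debit


def simulate(adapter: Callable, switch: Callable, requests: int = 142,
             amount: int = 100_000, payer_balance: int = 0) -> Tuple[int, int]:
    """Replay `requests` collect requests against a payer with `payer_balance`.
    Returns (pool balance after settlement, reconciliation gap)."""
    bank = Bank(pool=50_000_000, accounts={"mule": payer_balance})  # constructed
    before = copy.deepcopy(bank)
    messages: List[Message] = []
    for i in range(requests):
        messages.extend(adapter(bank, f"T{i:04d}", "mule", amount))
    switch(bank, messages)
    return bank.pool, reconcile(before, bank)


if __name__ == "__main__":
    print("reported flaw:", simulate(vulnerable_adapter, vulnerable_switch))
    print("hardened both:", simulate(hardened_adapter, hardened_switch))
    print("hardened switch only:", simulate(vulnerable_adapter, hardened_switch))
```

With the reported behaviour on both sides, 142 requests from an empty account drain Rs1.42 crore from the pool and the reconciliation gap equals that amount. Fixing either side stops the drain, but only the hardened switch turns the vendor's double message into a held transaction rather than trusting whichever status arrives first, which is the check a settlement system should apply regardless of how well a member bank's adapter is written.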
Earlier in January 2017, SS Mundra, Deputy Governor of RBI had warned that banks need to have a robust defence mechanism against cyber incidents at all times. He had said, "...our observation, however, is that many a times, certain finer details such as configuration of devices, patch management, OEM supported software, password management or port management, are ignored or entirely left to the vendors resulting in an undesirable impact. Statistics suggest that it takes on an average about six months to detect cyber-attacks by outsiders and longer in cases where attacks are by insiders. Thus, early detection and response assumes significant importance. Banks need to build capabilities to detect cyber-attacks early and respond to them quickly. Recovery from the incident is another aspect that needs to be well thought out."
One hopes other banks are listening to the advice given by the apex bank and are doing the needful to safeguard their customers.