UPI bug costs Bank of Maharashtra about Rs25 crore
A bug in its unified payment interface (UPI) cost state-run Bank of Maharashtra (BoM) about Rs25 crore, say media reports. This is exactly the kind of 'rush' to join the digital platform bandwagon that the Reserve Bank of India (RBI) had warned about. But more about it later.
 
Quoting AP Hota, Managing Director and Chief Executive of National Payment Corp of India (NPCI), the company behind UPI, a report from Economic Times says, "Total amount of loss, as reported by BoM, is about Rs25 crore. They've recovered some amount and some amount is still pending. They've filed a police complaint also and the investigation is on."
 
Explaining the fraud, Mr Hota told the newspaper that the Pune-based bank had procured a UPI solution from a vendor (reported to be city-based InfrasoftTech), which had a bug that resulted in funds moving out of accounts without the sender's account having the necessary funds.
 
Bank of Maharashtra had also accused 22 residents of Bhayander of hacking its central server in Mumbai and exploiting a flaw in the UPI mobile app to siphon off Rs1.42 crore from the bank. As per a report from Indian Express, investigations into the siphoning off of Rs1.42 crore from the bank revealed that two of the accused allegedly committed a similar crime in Pune earlier this month.
 
"The bank lost Rs6 crore between December 2016 and January 2017. In the latest case involving the Bhayander residents, exploiting a bug in the UPI app launched last year, the accused, having hacked the bank’s central server in Mumbai, made 142 'request money' transactions between 26 December 2016 and 18 January 2017," the report says.
 
Explaining the 'bug', a report from the Times of India (ToI) says the 50 accused sent 'receive (transfer) money' requests in batches of up to Rs1 lakh each over 48 days.
 
As per the procedure, when the UPI app receives such a request, it sends a query to the other party (customer) and, after obtaining acceptance, checks fund availability in the UPI-linked bank account. However, the UPI app used by Bank of Maharashtra sent two messages to NPCI, one as 'success' and the other as 'error:insufficient funds'. In these fraudulent transactions, NPCI read only the first message and cleared the payment.
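
An added illustration of the failure described above (not code from the bank, its vendor or NPCI): it contrasts a handler that trusts the first status per transaction with one that clears only when every status agrees on success. The message layout, field names and function names are hypothetical, the sample responses are constructed, and it assumes all responses for a transaction are collected before a decision is made.

```python
# Added illustration: message layout and names are hypothetical,
# not the UPI/NPCI wire format.
from collections import defaultdict

SUCCESS = "success"

# Constructed sample responses from a bank app to the payment switch.
# T1 is a clean success, T2 carries the conflicting pair the article
# describes, T3 is a clean decline.
SAMPLE = [
    {"txn_id": "T1", "status": "success"},
    {"txn_id": "T2", "status": "success"},
    {"txn_id": "T2", "status": "error:insufficient funds"},
    {"txn_id": "T3", "status": "error:insufficient funds"},
]


def clear_first_message(responses):
    """Flawed behaviour as reported: only the first status per transaction counts."""
    first = {}
    for msg in responses:
        first.setdefault(msg["txn_id"], msg["status"])
    return {txn: status == SUCCESS for txn, status in first.items()}


def clear_fail_closed(responses):
    """Clear only when every status received for a transaction is 'success'.

    Returns (decisions, conflicts). Conflicts are transactions that carried
    both a success and some other status; they are declined and should be
    held for reconciliation and alerting.
    """
    seen = defaultdict(set)
    for msg in responses:
        seen[msg["txn_id"]].add(msg["status"])
    decisions, conflicts = {}, []
    for txn, statuses in seen.items():
        decisions[txn] = statuses == {SUCCESS}
        if SUCCESS in statuses and len(statuses) > 1:
            conflicts.append(txn)
    return decisions, sorted(conflicts)


if __name__ == "__main__":
    print("first-message:", clear_first_message(SAMPLE))
    print("fail-closed:  ", clear_fail_closed(SAMPLE))
```

A conflict list that is non-empty is itself a detection signal: a single alert on the first contradictory pair would surface the problem long before hundreds of settlements accumulate.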
 
"As a result, BoM's pool account with the RBI was deducted about 672 times over a period of 48 days," the report from ToI says.  
 
Earlier in January 2017, SS Mundra, Deputy Governor of RBI, had warned that banks need to have a robust defence mechanism against cyber incidents at all times. He had said, "...our observation, however, is that many a times, certain finer details such as configuration of devices, patch management, OEM supported software, password management or port management, are ignored or entirely left to the vendors resulting in an undesirable impact. Statistics suggest that it takes on an average about six months to detect cyber-attacks by outsiders and longer in cases where attacks are by insiders. Thus, early detection and response assumes significant importance. Banks need to build capabilities to detect cyber-attacks early and respond to them quickly. Recovery from the incident is another aspect that needs to be well thought out."
 
Hope other banks are listening to the advice given by the apex bank and are doing the needful to safeguard customers.
 
    COMMENTS

    Sunil Ghotge

    3 years ago

    Anyways THE WORST BANK when it comes to service, in Branch or otherwise. Net Banking is full of hassles, what with the "additional layer" of "MahaSecure" ! Customers are left to fend for themselves with even the "support teams" either clueless or just acting as postmen to Branch, directing Customers to Branches which are ill-staffed with callous indifferent and disgruntled employees, with Branch Managers conspicuous by absence. Old Stone Age Banks, with ample scope for fraudsters while Customers are made to suffer.

    Simple Indian

    3 years ago

    This is what happens when Banks jump on to the new tech platforms without sufficient IS audit of their systems. There are plenty of 3rd party vendors developing UPI Apps for various Banks. But, the onus of testing these thoroughly ought to be on the Banks before they choose to implement them for their customers. This is the flip-side of the Govt's Digital India push, as most PSU Banks are attuned to stone-age Banking practices and adopt new IT solutions reluctantly, if not grudgingly (often thanks to their status quoistic Employee Unions, who want Banks to remain in the stone-age to protect jobs of its staff, rather than move on to new-age cutting edge tech solutions to make Banking more efficient). RBI should have stringent guidelines for Banks on UPI and other such technological platforms, as unpleasant experiences will only make Banking customers switch back to cash-transactions.

    SRINIVAS SHENOY

    3 years ago

    When detection of cyber-attacks by outsiders and insiders takes such a long time, it would be prudent to allow the system to stabilise, as banks are already reeling under huge mounting NPA losses, with recovery moving at a snail's pace.

    Ramesh Poapt

    3 years ago

    Many a time, a blessing becomes a curse, and vice versa!

    Khan Academy: Learn Anything, for Free
    Whatever your age, learning never stops. New thoughts, ideas and aspirations keep us on our toes and on the threshold of new vistas. In fact, our learning is limited only by our imagination. This is where KhanAcademy.org steps in.
     
    Khan Academy believes you can learn anything. Our brain is like a muscle—the more you use it and struggle, the more it grows. Starting from basic learning skills as a three-year-old, to the most complex of learning, Khan Academy guides you all the way. Maths, science, economics, arts, humanities, computing—choose, and Khan Academy will help you learn. The learning is audio-visual, in many cases, which helps absorption and retention over a period. Test preparations for competitive exams like IIT-JEE and training in music and the arts are also available. There is an ocean of learning out there and you will need lots of time and patience to explore.
     
    Khan Academy empowers coaches to better understand what their children or students are up to and how best to help them. See at a glance whether a child or student is struggling, or if she has hit a winning streak and is now far ahead of the class.
     
    The coach dashboard provides a summary of class performance as a whole, as well as detailed student profiles. Recently, they have come up with an Android app which replicates much of the original website, used by over 30 million students—young and old—worldwide. www.khanacademy.org
     
     
    COMMENTS

    SRINIVAS SHENOY

    3 years ago

    It is a good article and useful to those who are interested in gaining knowledge and improving their prospects.

    Hackers threaten to wipe iPhones data, Apple says no breach
    After a hacker or group of hackers threatened to remotely wipe data from millions of iPhones including photos, videos and messages, Apple has denied any such breach into iPhones.
     
    The hackers, who call themselves 'Turkish Crime Family', asked for $75,000 in Bitcoin or Ethereum (a form of crypto-currency) or $100,000 worth of iTunes gift cards in exchange for deleting a large cache of iCloud and other Apple email accounts, Vice blog Motherboard reported.
     
    Reacting to the threat, Apple told Fortune on Wednesday: "There have not been any breaches in any of Apple's systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."
     
    The hackers claim to have access to nearly 559 million Apple email and iCloud accounts.
     
    The hackers provided screenshots of alleged emails between the group and members of Apple's security team and threatened to reset iCloud accounts and remotely wipe victims' Apple devices on April 7 unless Apple pays them.
     
    The Apple spokesperson, however, said that Apple is "actively monitoring to prevent unauthorised access to user accounts and are working with law enforcement to identify the criminals involved."
     
    According to reports, several email accounts and passwords may belong to an earlier breach at the professional networking site LinkedIn in 2012.
     
    However, Apple customers who secure their iCloud accounts with the same passwords they use with other online accounts must go for new, strong passwords, the report added.
     
    Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.