UPI bug costs Bank of Maharashtra about Rs25 crore
Moneylife Digital Team 31 March 2017
A bug in its unified payment interface (UPI) implementation cost state-run Bank of Maharashtra (BoM) about Rs25 crore, media reports say. This is exactly the kind of 'rush' to join the digital platform bandwagon about which the Reserve Bank of India (RBI) had warned; more on that later.
Quoting AP Hota, Managing Director and Chief Executive of National Payment Corp of India (NPCI), the company behind UPI, a report from Economic Times says, "Total amount of loss, as reported by BoM, is about Rs25 crore. They've recovered some amount and some amount is still pending. They've filed a police complaint also and the investigation is on."
Explaining the fraud, Mr Hota told the newspaper that the Pune-based bank had procured a UPI solution from a vendor (reported to be city-based InfrasoftTech) that had a bug which allowed funds to move out of an account even when the sender's account did not hold the necessary balance.
Bank of Maharashtra had also accused 22 residents of Bhayander of hacking its central server in Mumbai and exploiting a flaw in the UPI mobile app to siphon off Rs1.42 crore from the bank. As per a report from the Indian Express, investigations into the siphoning off of Rs1.42 crore from the bank revealed that two of the accused allegedly committed a similar crime in Pune earlier this month.
"The bank lost Rs6 crore between December 2016 and January 2017. In the latest case involving the Bhayander residents, exploiting a bug in the UPI app launched last year, the accused, having hacked the bank’s central server in Mumbai, made 142 'request money' transactions between 26 December 2016 and 18 January 2017," the report says.
Explaining the 'bug', a report from the Times of India (ToI) says the 50 accused sent 'receive (transfer) money' requests in batches of up to Rs1 lakh each over 48 days.
As per the procedure, when the UPI app receives such a request, it sends a query to the other party (the customer) and, after obtaining acceptance, checks fund availability in the UPI-linked bank account. However, the UPI app used by Bank of Maharashtra sent two messages to NPCI for the same transaction: one reading 'success' and the other 'error: insufficient funds'. In these fraudulent transactions, NPCI read only the first message and cleared the payment, even though the payer's account could not cover it.
"As a result, BoM's pool account with the RBI was deducted about 672 times over a period of 48 days," the report from ToI says.  
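The settlement flow the two reports describe, reduced to a runnable simulation. This is an added example and not code from NPCI, the bank or its vendor: the message names, the in-memory ledger, the two switch policies and the sample balances and requests are all assumptions. The vulnerable handler acknowledges 'success' before it checks funds and emits a second 'error' message when the check fails; the first-message switch settles on that first message alone, so the bank's pool account is debited while the payer's account is not. The hardened handler checks and debits before answering and sends exactly one response, and the strict switch refuses any transaction that carries more than one response.

```python
"""Simulated UPI collect ('request money') settlement, modelled on the article's
description of the Bank of Maharashtra bug. Constructed example: message names,
ledger, switch policies and sample data are assumptions, not NPCI's or the
bank's real protocol or code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    txn_id: str
    status: str        # "SUCCESS" or "ERROR"
    reason: str = ""


@dataclass
class Outcome:
    settled: int        # collect requests the switch treated as paid
    pool_debits: int    # number of times the payer bank's pool account was hit
    pool_amount: int    # total taken from the pool account
    payer_debited: int  # total actually taken from the payer's account
    balances: dict

    @property
    def bank_loss(self) -> int:
        # Paid out of the pool but never recovered from the payer
        return self.pool_amount - self.payer_debited


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)   # copy so runs do not share state
        self.pool_debits = 0
        self.pool_amount = 0


def vulnerable_payer_bank(ledger, txn_id, payer, amount):
    """Order the article attributes to the vendor app: 'success' goes out first,
    the funds check runs afterwards, and a failed check adds a *second* message
    instead of replacing the first."""
    messages = [Response(txn_id, "SUCCESS")]
    if ledger.balances.get(payer, 0) >= amount:
        ledger.balances[payer] -= amount
    else:
        messages.append(Response(txn_id, "ERROR", "insufficient funds"))
    return messages


def fixed_payer_bank(ledger, txn_id, payer, amount):
    """Hardened form: validate, check and debit before answering; one response."""
    if amount <= 0:
        return [Response(txn_id, "ERROR", "invalid amount")]
    if ledger.balances.get(payer, 0) < amount:
        return [Response(txn_id, "ERROR", "insufficient funds")]
    ledger.balances[payer] -= amount
    return [Response(txn_id, "SUCCESS")]


def naive_switch(ledger, amount, messages):
    """Settles on the first message alone, as the report says NPCI's side did."""
    if messages[0].status == "SUCCESS":
        ledger.pool_debits += 1
        ledger.pool_amount += amount
        return True
    return False


def strict_switch(ledger, amount, messages):
    """Settles only on a single unambiguous SUCCESS; duplicate or conflicting
    responses for one txn_id are rejected (and would be queued for review)."""
    if len(messages) != 1 or messages[0].status != "SUCCESS":
        return False
    ledger.pool_debits += 1
    ledger.pool_amount += amount
    return True


def run_collect_requests(bank_handler, switch, balances, requests) -> Outcome:
    """Replay (txn_id, payer, amount) collect requests through a bank handler
    and a switch policy and report what the bank ended up paying."""
    ledger = Ledger(balances)
    settled = 0
    for txn_id, payer, amount in requests:
        if switch(ledger, amount, bank_handler(ledger, txn_id, payer, amount)):
            settled += 1
    payer_debited = sum(balances.values()) - sum(ledger.balances.values())
    return Outcome(settled, ledger.pool_debits, ledger.pool_amount,
                   payer_debited, ledger.balances)


# Constructed sample data: one payer holding Rs50,000, three Rs1 lakh collect
# requests it cannot cover and one Rs20,000 request it can.
SAMPLE_BALANCES = {"payer-1": 50_000}
SAMPLE_REQUESTS = [
    ("T1", "payer-1", 100_000),
    ("T2", "payer-1", 100_000),
    ("T3", "payer-1", 100_000),
    ("T4", "payer-1", 20_000),
]

if __name__ == "__main__":
    for label, bank, switch in [
        ("vulnerable app + first-message switch", vulnerable_payer_bank, naive_switch),
        ("fixed app + strict switch", fixed_payer_bank, strict_switch),
    ]:
        o = run_collect_requests(bank, switch, SAMPLE_BALANCES, SAMPLE_REQUESTS)
        print(f"{label}: settled={o.settled} pool_debits={o.pool_debits} "
              f"bank_loss={o.bank_loss}")
```

Running the vulnerable handler against the first-message switch settles all four requests and debits the pool four times while the payer is debited once, which is the pattern of loss the ToI report describes. Either fix on its own closes the hole in this model: the hardened handler never sends a 'success' it has not earned, and the strict switch refuses to settle a transaction that answered twice.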
Earlier in January 2017, SS Mundra, Deputy Governor of RBI had warned that banks need to have a robust defence mechanism against cyber incidents at all times. He had said, "...our observation, however, is that many a times, certain finer details such as configuration of devices, patch management, OEM supported software, password management or port management, are ignored or entirely left to the vendors resulting in an undesirable impact. Statistics suggest that it takes on an average about six months to detect cyber-attacks by outsiders and longer in cases where attacks are by insiders. Thus, early detection and response assumes significant importance. Banks need to build capabilities to detect cyber-attacks early and respond to them quickly. Recovery from the incident is another aspect that needs to be well thought out."
Hope other banks are listening to the advice given by the apex bank and are doing the needful to safeguard customers.
Sunil Ghotge
7 years ago
Anyway, THE WORST BANK when it comes to service, in branch or otherwise. Net banking is full of hassles, what with the "additional layer" of "MahaSecure"! Customers are left to fend for themselves, with even the "support teams" either clueless or just acting as postmen to the branch, directing customers to branches which are ill-staffed with callous, indifferent and disgruntled employees, with branch managers conspicuous by their absence. Old Stone Age banks, with ample scope for fraudsters while customers are made to suffer.
Simple Indian
7 years ago
This is what happens when banks jump onto new tech platforms without sufficient IS audit of their systems. There are plenty of third-party vendors developing UPI apps for various banks. But the onus of testing these thoroughly ought to be on the banks before they choose to implement them for their customers. This is the flip side of the Govt's Digital India push, as most PSU banks are attuned to stone-age banking practices and adopt new IT solutions reluctantly, if not grudgingly (often thanks to their status-quoist employee unions, who want banks to remain in the stone age to protect the jobs of their staff, rather than move on to new-age cutting-edge tech solutions to make banking more efficient). RBI should have stringent guidelines for banks on UPI and other such technological platforms, as unpleasant experiences will only make banking customers switch back to cash transactions.
7 years ago
When detection of cyber-attacks by outsiders and insiders takes such a long time, it would be prudent to allow the system to stabilise, as banks are already reeling under huge mounting NPA losses, with recovery moving at a snail's pace.
Ramesh Poapt
7 years ago
Many a time, a blessing becomes a curse, and vice versa!