9th January 2020, 15:05   #61
BHPian
 
 
Join Date: May 2010
Location: Bangalore
Posts: 744
Thanked: 336 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by jayguar View Post
No, it was a new bank account and had just installed Google pay and never have used UPI before. All I was asked for was Bank name and my phone number. Entered OTP received as sms and that is it. It actually sounded scary to me how my bank account was linked with just my phone number.
Exactly. It seems to me that UPI can be easily exploited with just a little social engineering. Besides, the message that we get from UPI is from some random mobile number and it is just a bunch of random characters. There is no way to identify the purpose of the message. Usually, when I receive an OTP from my bank, I get a message telling me a little about the purpose for which the OTP was triggered. With UPI, it says nothing and we cannot even identify if the message is from the sender. This was the message that I got when the scamster triggered the UPI message this week (I have deleted some of the characters from the screenshot).

Fake / Fraud / Scam Calls-20200109145634.jpg
Newpunter is offline  
9th January 2020, 15:48   #62
BHPian
 
Join Date: Sep 2010
Location: Bangalore
Posts: 183
Thanked: 2,709 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by jayguar View Post
No, it was a new bank account and had just installed Google pay and never have used UPI before. All I was asked for was Bank name and my phone number. Entered OTP received as sms and that is it.
You won't be able to do any transactions unless verified by your linked debit card number.

Quote:
Originally Posted by Newpunter View Post
Exactly. It seems to me that UPI can be easily exploited with just a little social engineering.
I have been using UPI even before BHIM app was introduced.

I have used UPI with ICICI Bank and HDFC Bank accounts. Have used the BHIM app; now using Google Pay and the ICICI iMobile app.

And switched 2 phones in this period, which means re-installed the apps.

Every time I registered with a new app, or reinstalled apps on a new phone, it asked for my debit card digits. I frankly have not seen a flaw in the UPI design as such.

Of course a social engineering scam, which unfortunately many of our senior citizens or ill-informed people fall for and reveal the UPI PIN to scamsters, does happen very frequently.
DigitalOne is offline  
9th January 2020, 16:14   #63
Senior - BHPian
 
Join Date: Dec 2008
Location: Bangalore
Posts: 3,548
Thanked: 5,511 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by Newpunter View Post
It seems to me that UPI can be easily exploited with just a little social engineering.
Quote:
Originally Posted by jayguar View Post
It actually sounded scary to me how my bank account was linked with just my phone number.
My understanding is that it is not as easy as you folks make it out to be. UPI is linked not just to the mobile number; it is linked to the physical SIM sitting inside your phone. Anyone attempting to take over your UPI access needs both your SIM card and your PIN (true 2-factor authentication).

UPI attempts to solve one of the problems that OTP-based 2FA hasn't been able to, yet. Which is probably the reason companies like Google are pushing for its adoption elsewhere too.
binand is online now  
9th January 2020, 16:28   #64
BHPian
 
 
Join Date: May 2010
Location: Bangalore
Posts: 744
Thanked: 336 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by binand View Post
My understanding is that it is not as easy as you folks make it out to be. UPI is linked not just to the mobile number; it is linked to the physical SIM sitting inside your phone. Anyone attempting to take over your UPI access needs both your SIM card and your PIN (true 2-factor authentication).
I understand your point, but I got the SMS for resetting the PIN without me requesting it. So I'm assuming the scamsters might have access to some specialized equipment that lets them trigger the password reset option for different phone numbers?
Newpunter is offline  
9th January 2020, 17:52   #65
BHPian
 
Join Date: Jun 2019
Location: Pune
Posts: 269
Thanked: 977 Times
Re: Fake / Fraud / Scam Calls

I am not sure about UPI, but I am sure Paytm does not require anything to reset the password. This happened to my sister a couple of months ago. She posted something to sell on OLX, and got a call back from a fraudster posing as a buyer. He asked her for her Paytm number, which she shared, and tricked her into forwarding the OTP message (which was actually the password reset message). She lost Rs 800 from her Paytm account and the entire family learned a valuable lesson.
ishan12 is offline  
9th January 2020, 18:13   #66
BHPian
 
Join Date: Sep 2010
Location: Bangalore
Posts: 183
Thanked: 2,709 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by Newpunter View Post
I understand your point, but I got the SMS for resetting the PIN without me requesting it. So I'm assuming the scamsters might have access to some specialized equipment that lets them trigger the password reset option for different phone numbers?
SMS is one of the initial steps to reset the password. It can't be done without the debit card. Even if you had forwarded the SMS to the scamster, he would have made a call next pretending to be the bank employee and asked for your debit card number.

If you lose your phone and debit card together, and don't block both in time, then you are in big trouble, but otherwise I have not seen a major design flaw in the UPI system.
DigitalOne is offline  
9th January 2020, 18:14   #67
Senior - BHPian
 
Join Date: Dec 2008
Location: Bangalore
Posts: 3,548
Thanked: 5,511 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by Newpunter View Post
So I'm assuming the scamsters might have access to some specialized equipment that lets them trigger the password reset option for different phone numbers?
Don't know; tough to say without seeing the SMS or the sender. What I know is that the UPI specification requires apps to ensure that (a) the SIM on the phone matches the number being used, (b) all communications have a public-private keypair based encryption (in addition to HTTPS throughout) and (c) requires validation of 6 digits of the debit card and its expiry date for PIN reset.

In addition some banks (Citibank is the one that I know of) require one to change the UPI PIN at ATMs only; they reject all requests for PIN change that are initiated from the apps.

Quote:
Originally Posted by ishan12 View Post
I am not sure about UPI, but I am sure Paytm does not require anything to reset the password.
Yep, Paytm's wallet side has sacrificed security in favour of convenience. Once you authenticate yourself on a given mobile they don't do any further per-transaction authentication either.
binand is online now  
9th January 2020, 19:35   #68
BHPian
 
Join Date: Nov 2007
Location: Pune
Posts: 997
Thanked: 664 Times
Re: Fake / Fraud / Scam Calls

On the discussion of UPI, I'll share my 2 cents. I was always worried about apps fetching my bank account details just based on my mobile number. So I tried to dig deeper.

I have 2 SBI accounts. One is a Maxgain home loan account, which for transactional purposes is treated as a current account, and the other one is a savings account. The savings account is linked to a debit card but the current account isn't. As I had used the SBI account for UPI earlier, any UPI app just asks me for the PIN once I enroll with them. The same app also pulls in details of the current account as well, but it asks me to set up a PIN and for that it asks for a debit card, which is not there. So neither I nor anyone else can set it up for UPI.

Also, SBI offers a nice feature. You can disable an account for linking to UPI through their online banking. This is only if it has been enrolled for UPI earlier and also has a debit card linked.

As regards UPI re-authentication, I have changed my SIM cards multiple times, due to porting of number. The good apps like Google Pay, Amazon asked me to re-authorize but Paytm UPI did not.
shipnil is offline  
10th January 2020, 13:50   #69
BHPian
 
Join Date: Jan 2013
Location: Jaipur
Posts: 688
Thanked: 1,812 Times
Re: Fake / Fraud / Scam Calls

Received one fraudulent message a while ago:

Fake / Fraud / Scam Calls-screenshot_20200110134721687_com.microsoft.android.smsorganizer.jpg

Didn't call the number and no idea about their modus operandi.
Sherlocked is offline  
10th January 2020, 14:03   #70
Senior - BHPian
 
 
Join Date: Apr 2015
Location: Navi Mumbai
Posts: 2,974
Thanked: 26,323 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by shipnil View Post
I was always worried about apps fetching my bank account details just based on my mobile number.
I was one of the early adopters of UPI thanks to the BHIM app. The moment I got my account made, I got a custom UPI ID made (xyz@upi) and disabled the default ID (number@upi / number@bank). This way, even if I change the linked bank accounts, my UPI ID is both bank and phone number agnostic.

Not sure if you can do it these days thanks to the larger number of users on the platform, but I'm sure you can get an ID that's independent of your phone number.

I have also stopped giving out copies of my Aadhaar card for anything. I instead give PAN, Passport or something else. Only case I'm ok with Aadhaar is when there is a fingerprint scanner to authenticate on the spot and I don't have to give out any copies.
blackwasp is offline  
10th January 2020, 14:39   #71
BHPian
 
Join Date: Sep 2010
Location: Bangalore
Posts: 183
Thanked: 2,709 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by blackwasp View Post
I was one of the early adopters of UPI thanks to the BHIM app. The moment I got my account made, I got a custom UPI ID made (xyz@upi) and disabled the default ID (number@upi / number@bank). This way, even if I change the linked bank accounts, my UPI ID is both bank and phone number agnostic.

Not sure if you can do it these days thanks to the larger number of users on the platform, but I'm sure you can get an ID that's independent of your phone number.
I don't think it is possible with any of the apps now, like G Pay or PhonePe. It was possible to create an @upi ID with BHIM. It is not even possible to link an existing UPI ID when you are using a new app. For example, I had created a UPI ID with ICICI on their website, which is myname@icici. This was even before the BHIM app popularized UPI. Google Pay did not allow me to use the same UPI ID. It has created a new UPI ID, myname@okicici.
DigitalOne is offline  
10th January 2020, 15:58   #72
Senior - BHPian
 
 
Join Date: Jul 2005
Location: Dehradun
Posts: 2,264
Thanked: 2,983 Times
Re: Fake / Fraud / Scam Calls

I'd like to pitch in my own experience.

So I run a two-wheeler dealership. We are quite literally the softest targets anyone can see around. It is a public place. Anyone can walk in. And since we deal in customers calling in, we have our bank account details out there in the public domain. Mostly printed on the quotation sheets.

So a guy calls in saying he wants to buy 5 motorcycles.
Our sales executive explains the features, colours available etc.
The phone caller says I'll RTGS you the amount, give me the account details.
The sales executive gives the details.
After half an hour the executive gets another call saying that there is something wrong in the account transaction, and he requested another account number.
The executive gave him another number of another bank.

Mind you both the banks are government run national banks. The first one is the largest and the second one is one of the small players right next door to us.

Next in 15 minutes my father gets a message that a NEFT of Rs.3.8L has been done from our account. He calls me and my accountant runs off to the bank next door.
On asking details, the bank manager says that they got a call from an unknown number saying that it is me and I need some money to do some registry.

Now we have never done any transaction on the phone ever. Always the instrument like cheque is presented for any transaction. Moreover this account is operated by my father alone and not me!

And the bank manager and/or executive gave all the details as to available balance as well as running cheque number to the caller and sent him the NEFT of Rs.3.8L.

We had the cheque corresponding to the cheque number mentioned in the NEFT details with us and this was a clear fraud by even the bank to do the transaction without the instrument.
And BAM! We are poorer by a full 3.8L which was in the bank to be accumulated running up to the salary day for my dealership for all my employees.
In these bad times this was a bad hit!

Off we went to the police station! The application was taken but they were reluctant to file an FIR.
Off went complaints and written acceptance of the bank manager via email and registered posts to the Head Honchos of the bank. The CEO, Directors, Complaint HO, Vigilance HO, Banking Ombudsman, Bank ZO. Don't even remember how many people were brought into the loop.
The police cyber crime said we can help you trace the details but cannot accept the complaint as this isn't a cyber crime!

Again and again the complaints went and we got no reply from anyone whom we had mailed. We got it printed in the newspaper as well.

Then we got to know that vigilance has an enquiry started on the bank branch and its staff. The money was transferred into a Kolkata branch of ICICI bank which has been frozen on the same day as the transaction. So things were happening.
In the meanwhile we put tremendous pressure on the police to act and they also started hounding the bank.

15 days of the ordeal had passed and I posted a truly hard written mail to the Bank's Director and held him guilty for this transaction. Same day we got the money back! From the bank's contingency funds, I suppose.
But the ordeal ended finally!

The current condition is that almost daily some kind of fraudster is calling one or another dealership in our city. We're discussing this daily amongst ourselves how we're such soft targets and there is frankly nothing being done about it either!

Last edited by navpreet318 : 10th January 2020 at 16:01.
navpreet318 is offline   (1) Thanks
10th January 2020, 16:15   #73
BHPian
 
Join Date: Jan 2013
Location: Jaipur
Posts: 688
Thanked: 1,812 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by navpreet318 View Post
Same day we got the money back! From the bank's contingency funds, I suppose.
But the ordeal ended finally!
Glad to know it ended up in your favour and you got your money back. So did the manager get transferred or suspended yet?

It's disheartening to know of honest people getting scammed by these fraudsters, but what's even more demoralizing is the fact of how many strings one needs to pull to get justice in this country. Without influence and proper contacts it's just suffering and running from pillar to post!


Quote:
Originally Posted by Sherlocked View Post
Received one fraudulent message a while ago:

Didn't call the number and no idea about their Modus Operandi.
Update: He called and wanted to scam me via TeamViewer. I told him repeatedly I only use Team-BHP. So he got fed up and hung up.

Quote:
Originally Posted by navpreet318 View Post
.
Presence of mind makes one send complaints to the right people. These addresses, email IDs and phone numbers are easily available on the websites of banks under RTI.
So one needs to keep his cool and get as many people into the loop.
Well said! I totally agree.

Last edited by Sherlocked : 10th January 2020 at 16:34.
Sherlocked is offline  
10th January 2020, 16:28   #74
Senior - BHPian
 
 
Join Date: Jul 2005
Location: Dehradun
Posts: 2,264
Thanked: 2,983 Times
Re: Fake / Fraud / Scam Calls

Quote:
Originally Posted by Sherlocked View Post
................ what's even more demoralizing is the fact that how many strings one needs to pull to get justice in this country. Without influence and proper contacts it's just suffering and running from pillar to post!
...................
I wouldn't say that. It needs presence of mind. We didn't use any contacts. Frankly contacts are useless lately which I have experienced lately.

Presence of mind makes one send complaints to the right people. These addresses, email IDs and phone numbers are easily available on the websites of banks under RTI.
So one needs to keep his cool and get as many people into the loop. I was ready to even rope in the RBI, PM, FM on Twitter had this continued for a couple of more days.

If one is correct and one has all the evidences then one just needs to know who all to tap and how.
navpreet318 is offline  
10th January 2020, 17:21   #75
Distinguished - BHPian
 
 
Join Date: May 2011
Location: Bangalore
Posts: 2,345
Thanked: 6,850 Times
Re: Fake / Fraud / Scam Calls

My mobile number is registered with a lot of service providers like insurance, credit cards, banks, AMCs, govt agencies like EPFO (as an employer) etc...

I've received multiple calls from so-called
1) Insurance companies - They tell you that you had taken a policy long back and paid a couple of installments and stopped and now the policy has xxx corpus and has matured. I know what policies I've taken and never fall for such tricks.

2) Credit card companies / credit card verification dept. - They tell you your CC is blocked and ask for personal details in order to help you.

3) PF verification department: This was the only time I got a call from the "PF verification department". They had my address etc. They asked whether I have retired from xxx firm a few years back. The name of the firm is my own firm where I am the employer and which is registered with EPFO. I wanted to know what they're up to so I played along, sounding as innocent as possible. She said your xxxx amount is due to be paid to you and your employer hasn't confirmed payment to you so we're calling you directly. I acted innocent and cursed the employer. She said she could help me get the amount and gave me a case no. and asked me to note it down and tell the same to the verification department to whom she was going to transfer the line. She went quiet for a few seconds and came back and spoke to me as 'the verifier' and asked me to confirm my name and case number. I faked both with similar sounding words and yet she confirmed that it was a match and quoted the same xxxx amount as sitting in EPFO account in my name and whether I wanted to get it transferred.

Me : Yes, of course.
Her : You want online or offline? Online is immediate. Offline could take months.
Me : Online
Her : You have internet banking facility from which bank?
Me : SBI
Her : OK. I will guide you through the process.
* Somewhere in the beginning she did ask me whether I have internet banking facility and internet access at the time. Only when I said yes, did she continue.
Me : OK please
Her : Please login sir
Me : OK, done
Her : What do you see on your screen?
Me : This....this .... this... (I used common sense and guessed what kind of screens come up on login since I use SBI internet banking for my corporate account)
Her : Sir please add this account as a beneficiary.
Me : Ok. Done
Her : We will need to verify your account. So I will ask you to transfer some amount from your account to EPFO account. This amount is refundable
Me : Ok. How much?
Her : 5,000?
Me : Ok.
She began doubting me by now.
Her : Sir what is on your screen.
Me : Beneficiary added
By now she was on to me.
Her : Mujhe bevakoof samjhte ho? (You think I am a fool?)
Me : No. You are so intelligent that you make a living out of fooling people. How can I doubt your intelligence?
Her : Keep the phone down. Mera time waste kar diya! (You wasted my time!)
Me :

Last edited by Santoshbhat : 10th January 2020 at 17:23.
Santoshbhat is offline  
Copyright ©2000 - 2024, Team-BHP.com