Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Bank Information Security. Show all posts

RBI Announces Draft Norms to Ensure Security of Payment System Operators


Reserved Bank of India (RBI), India’s central bank and regulatory body is all set to enhance the safety and security of digital payments amidst the raising cyber risks, the draft regulations for payment system operators (PSOs) announced on Friday.

The draft, Master Directions on Cyber Resilience and Digital Payment Security Controls for PSO, proposes a governance mechanism for the identification, analysis, monitoring, and management of cybersecurity risks.

RBI confirms that these norms will be implemented from April 1, 2024, for large non-bank-PSOs. For medium-sized non-bank PSOs, the norms will be implemented by April 1, 2026, as for the smaller ones, the deadline is April 1, 2028.

The key responsibility of the draft circular will be designated to a sub-committee of the board that must meet at least once every quarter.

"The PSO shall formulate a board-approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised," the draft note said.

“The directions will also cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions[…]However, they shall endeavour to migrate to the latest security standards. The existing instructions on security and risk mitigation measures for payments done using cards, Prepaid Payment Instruments (PPIs) and mobile banking continue to be applicable as hitherto,” the RBI noted.

What are the Draft Norms? 

As per the proposed norms, the PSO will define relevant key risk indicators (KRIs) to identify possible risk events and key performance indicators (KPIs) to evaluate the efficacy of security controls.

According to the RBI, the PSO must conduct cyber-risk assessment exercises pertaining to the launch of new products, services, and technologies along with initiating innovative changes in infrastructure or processes of existing products and services. The central bank is seeking feedback on the draft norms by June 30.

In order to manage potential information security risks involving all applications and products related to payment systems, the PSO has been asked to develop an Information Security (IS) policy that has been authorized by the board.

According to the proposed norms, the PSO was required to create a business continuity plan (BCP) based on several cyber threat scenarios, including the most unlikely but conceivable occurrences to which it might be subjected. To manage cyber security events or incidents, the BCP should be evaluated at least once a year and include a thorough response, resume, and recovery plan.

Moreover, a senior-level executive like the chief information security officer (CISO) will be in charge of implementing the information security policy and the cyber resilience framework as well as continuously reviewing the overall IS posture of PSO. According to the draft norms, the PSO must implement safeguards to keep its network and systems safe from external assaults.

The PSO must also implement a thorough data leak prevention policy to ensure the confidentiality, integrity, availability, and protection of business and customer information (both in transit and at rest), in accordance with the importance and sensitivity of the information held or transmitted.  

Hackers switched to combined cyber attacks on the Russian financial sector

Experts began to note the particular interest of cybercriminals in the Russian banking sector as early as mid-summer 2021. In July, the Bank of Russia reported about the risks of "infecting" financial institutions through members of their ecosystems.

In August, FinCERT noted a series of large-scale DDoS attacks on at least 12 major Russian banks, processing companies and Internet service providers. The requests came from the USA, Latin America and Asia.

In early September, the Russian financial sector was attacked again. So, large banks and telecom operators that provide them with communication services were attacked.

Since August 9, the Russian Cyber Threat Monitoring Center (SOC) of the international service provider Orange Business Services has recorded a big increase in the number of requests. Attackers combine not only well-known attacks such as TCP SYN, DNS Amplification, UDP Flood and HTTPS Flood, but also only recently discovered ones, for example, DTLS Amplification.

In total, more than 150 attacks were recorded during the month, from August 9 to September 9, 2021. At the same time, their intensity is constantly increasing. Criminals are constantly trying to increase the power of attacks in the hope that telecom providers will not be able to clean up traffic in such large volumes.

In addition, the attackers used large international botnets. So, SOC Orange Business Services identified one of the networks based in Vietnam and South America, with more than 60 thousand unique IP addresses, and which was used to organize attacks like HTTPS Flood on the 3D Secure payment verification service.

The attackers also used the HTTPS Flood attack to make it impossible to use the banks' application, in this case, the attack was carried out from the IP addresses of Russia, Ukraine and France.

“Based on how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market,” said Olga Baranova, COO of Orange Business Services in Russia and the CIS.


Money stolen from bank accounts of Russians twice as much as last year

In Russia, for the period from January to August 2020, more than 100 thousand thefts of funds from a Bank account were recorded, twice as much as last year. The number of cases of fraud using electronic means of payment has also doubled.

According to the Prosecutor General's Office, now every fifth fact of theft is associated with the theft of funds from accounts.

The Central Bank said that hacker attacks are more frequent in 2020, but the effectiveness of attacks on banks has not increased. Fraudsters are now increasingly trying to deceive citizens using social engineering, so the number of calls has increased four times. At the same time, new criminal schemes have not appeared, but now criminals have begun to actively use the topic of COVID-19.

Vitaly Trifonov, Deputy head of the Group-IB Computer Forensics Laboratory, explained the reasons for the increase in attacks: "On the one hand, this is facilitated by the gradual digitalization of life, when more and more people make purchases online, pay with a card and use an ATM less. On the other hand, there are simple and working fraud schemes that do not require special skills or investment”.

Moreover, in the past year and a half, cases of theft of money from citizens using social engineering methods have become more frequent in Russia. According to a study by Digital Security, when files are transferred via email and cloud services, metadata about them is saved and used by fraudsters.

Experts identified flaw that allows criminals to steal money using Faster Payments System (FPS)


Experts have identified a flaw that allows criminals to steal money from accounts of clients of banks through the Faster Payments System (FPS),  which is often opposed to the idea of a crypto-ruble.

The experts found out that when the function of transfers via the FPS in the mobile bank was activated, one of the credit institutions was left vulnerable. Fraudsters were able to take advantage of this error and get customer account data.

Then the attackers launched the mobile bank in debug mode,  logged in as real clients, and sent a request to transfer funds to another bank, only instead of their account they indicated the account number of another client for debiting. Since the system does not verify the ownership of the account, it debited the money and transferred it to the fraudsters.

According to market participants, this is the first case of theft of funds using the FPS. The vulnerability could only be known by someone familiar with the application: an employee or developer.

The Central Bank noted that the problem was found in the mobile app of only one credit institution and promptly eliminated. 

Yaroslav Babin, head of web application security analysis at Positive Technologies, said that using the FPS is safe, but there may be problems in the applications of individual banks.

According to him, if hackers found a vulnerability in the application of a credit institution, the client will not be able to influence the safety of their funds in any way. All responsibility lies with the Bank that developed and released the app.

Babin recommends that banks pay more attention to system security analysis, implement secure development methods, and analyze the source code of all public applications or their updates before publishing them.

It is worth noting that the Faster Payments System is a service that allows individuals to instantly transfer money by mobile phone number to themselves or others. At the moment, all the largest credit organizations in Russia and more than 70 banks are connected to the FPS.

The Central Bank will strengthen control over IT-security of credit institutions


In Russia, hackers may be involved in measures to strengthen control over the stability of credit institutions to cyber attacks. IT-auditors may be obliged in a test mode to crack the security systems of Russian banks with the involvement of white hackers.

Artem Sychev, Deputy head of the information security department of the Central Bank, said that the regulator, together with the FSB and the Federal Service for Technical and Export Control, is currently developing standards to assess the quality of work of independent companies that verify the reliability of bank infrastructure.

The representative of the Central Bank refused to clarify any details, however, sources say that one of the main standards for IT auditors will be a "full simulation of cyber attacks" with the participation of specialists with the same skills as potential hackers.

It is assumed that during such tests, specialists will reproduce the actions of real attackers, from penetration into the company's network to gain full control over its infrastructure or individual applications.

The head of the information security department of the Moscow Credit Bank Vyacheslav Kasimov agreed that the only way to qualitatively assess the security of the Bank's IT system can only be a complete simulation of a hacker attack.

Banks often make checks of their stability not for themselves, but for the regulator, so it has the right to set its own rules for conducting IT-audit, said Viktor Dostov, head of the Electronic Money Association.

According to Dostov, additional control will strengthen the protection of Russian money in the conditions of regular leakage of information from credit organizations.

Earlier E Hacking News reported that the Central Bank has a new punishment for banks for poor cyber defense. It will launch a new feature for credit institutions, it will be the risk profile on the level of information security. Depending on the risk profile on the level of cyber security, the Central Bank will give recommendations to banks. A financial institution that receives a low-risk profile will have consequences ranging from enhanced supervision to penalties.

RBI AnyDesk Warning; here's how Scammers Use it to Steal Money



In February, Reserve Bank of India (RBI) issued warning regarding a remote desktop app known as 'AnyDesk', which was employed by scammers to carry out unauthorized transactions from bank accounts of the customers via mobile or laptop.

In the wake of RBI's warning, various other banks such as HDFC Bank, ICICI Bank and Axis Bank along with a few others, also issued an advisory to make their customers aware about AnyDesk's fraudulent potential and how it can be used by the hackers to steal money via Unified Payments Interface (UPI).

However, it is important to notice that Anydesk app is not infectious, in fact, on the contrary, it is a screen-sharing platform of extreme value to the IT professionals which allows users to connect to various systems and mobiles remotely over the internet.

How the Scam Takes Places? 

When a customer needs some help from the customer care, he gets in touch via a call and if he gets on line with a scammer, he would ask him to download AnyDesk app or a similar app known as TeamViewer QuickSupport on his smartphone.

Then, he would ask for a remote desk code of 9-digit which he requires to view the customer's screen live on his computer. He can also record everything that is been shown on the screen. Subsequently, whenever the victim enters the ID and password of his UPI app, the scammer records it.

Users are advised not to download AnyDesk or any other remote desktop applications without fully understanding their functioning.

You should also be highly skeptical of the additional apps that customer support executives may ask you to download as besides fraudsters, no one asks for codes, passwords or any other sensitive information.

Fraudsters claiming to be from Bank and offers to assist you via TeamViewer


In Russia, a new way of telephone fraud is gaining momentum. Attackers disguised as a bank employee calls to Bank’s client to suspend a financial transaction but do not require to tell confidential data of Bank cards. They claim that the credit institution identified an attempt to the unauthorized withdrawal of funds from an account in another region.

As a result, the scammers report that they blocked the attempt to withdraw money, and offer to verify the devices that have access to the personal account of the client. Then attackers will find out if the client uses the Android or IOS operating system. Subsequently, the attackers offer to help disable the system, which is not used by the client, using the TeamViewer access delegation program.

The TeamViewer access delegation program allows an outsider to connect and perform any operation on your behalf. Fraudsters need to find out from the Bank's client their user id so that attackers can easily connect and take possession of confidential smartphone information. In this case, it will be extremely difficult, if not impossible to prove an attempt at unauthorized hacking. After all, the Bank's client voluntarily provided access.

It is worth noting that previously a number of large credit organizations recorded a sharp increase in fraudulent calls to customers from banks using the technology of number substitution. In some banks, the activity of fraudsters has increased tenfold.

The banks indicate that telecom operators are not effectively detecting and blocking such schemes. The solution to the problem came to the level of the Central Bank.

It is interesting to note that on August 10, the Central Bank of Russia recommended banks to inform payment systems of the number of the Bank card, account or mobile phone of the recipient. This should help identify fraudsters and block transactions. The requirements relate to P2P transfers and transfers, where a third Bank is involved, as well as payment systems.

If banks and payment systems follow the Central Bank's recommendations, data on the recipient of funds will be sent to the FinCERT (center for monitoring and responding to computer attacks in the financial sphere of the General Directorate of protection and information security at the Bank of Russia).

According to the leading anti-virus expert of Kaspersky Lab Sergey Golovanov, indicating the phone number will track cases when one person has issued many accounts for his number and uses them to transfer funds using social engineering.

Your home wi-fi isn't safe: Hackers know router trick to access bank accounts, card details

Next time when you connect smartphone or a laptop to relatively secure home Wi-Fi, you might actually be surprised how easy it is to hack into your home Wi-Fi network, courtesy that router installed by your Internet Service Provider (ISP). A small vulnerability in the home Wi-Fi network can give a criminal access to almost all the devices that access that Wi-Fi. This could spell trouble for bank accounts, credit card details, child safety and a whole lot of other concerns.

Trouble could come in the form of a neighbourhood kid who piggybacks on your Internet service. While he plays video games online and talks to his friends over VOIP (Internet-based) telephone service, your Internet service may become sluggish.

But an unsecured home wireless system can also be used to commit crime.

According to the US Department of Justice, law enforcement officers will come knocking on your door if someone uses your Internet connection to upload or download child pornography.

And the bad guys don't have to live next door. Powerful Wi-Fi antennas can pull in a home network's signal from as far away as over 4 kms.

According to Finnish cyber security firm F-Secure, for very little money, a hacker can rent a Cloud-enabled computer and guess your network's password in minutes by brute force or using the powerful computer to try many combinations of your password.

The US Computer Emergency Readiness Team (US-CERT) recently issued an alert about Russia-sponsored hackers carrying out attacks against a large number of home routers in the U.S.

According to Sanjay Katkar, Joint Managing Director and CTO, Quick Heal Technologies, cyber criminals are known to exploit vulnerabilities in home Wi-Fi routers by delivering a payload.

"Once infected with the malware, the router can perform various malicious activities like redirecting the user to fake websites when visiting banking or other e-commerce sites," Katkar told IANS recently.

Fraudsters started selling customer data of the Russian Bank that fell under the reorganization of the Central Bank


A database of 70,000 Binbank customers leaked to the Internet, which was merged with Open Bank in early 2019. According to experts, this is the fault of the Bank of Russia, which at the stage of the introduction of the interim administration did not bother to check the information security of the credit institution. According to lawyers, clients who suffered as a result of a data leak have a chance to return funds in court.

It is known that for 5 thousand rubles ($77) dealers can get access to the name and surname of the client, find out passport details and place of residence.

Ashot Hovhannisyan, the founder of DeviceLock, said that the sold base consists of clients who at one time applied for an Elixir credit card. According to him, the database was sold to one wholesale buyer, and now several small underground dealers are engaged in trade in personal data.

In addition, according to law enforcement agencies, since the beginning of 2019, about a hundred former clients of Binbank lost their funds and filed a report. The amount of theft from the accounts is from three to one hundred thousand rubles ($ 46 – $1535). It is possible that the data leak affected the actions of Bank fraudsters.

The Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) sent a written request to Open Bank to clarify the situation. The letter contains a requirement to provide information on the reasons that led to the leak of personal data of bank customers (name, passport details, telephone number and address of clients), about the persons who committed the leak, as well as on the measures taken to eliminate the consequences of the incident.

According to Roskomnadzor, an untimely warning about leaks of personal data threatens the security of personal data of citizens.

Open Bank has denied information about the leak of personal information about Binbank depositors. The Open Bank Press Service stressed that there is no evidence that the leaked database has any relation to the clients of Binbank.

Sure staff’s bank details stolen

Hundreds of staff at mobile phone company Sure have had their bank details and other personal data stolen in a "targeted" phishing attack.

Current and former employees working for the telecoms firm on the Isle of Man, Guernsey and Jersey have been affected.

The data includes names, addresses, account numbers and sort codes.

A spokesman said "fewer than 400" people were affected but no existing customers' data had been accessed.

The company is one of the main mobile and broadband providers on the islands.

The firm said it was contacting those affected, which includes "suppliers", urging them to be "extra vigilant" and working with the islands' authorities.

The attack is thought to have come in via a staff email account, which has since been shut down."Human error" was partly to blame, the company said.

A spokesman said Sure could not confirm any information about "the location or individual" whose account was targeted, for "confidentiality and security purposes".

Sure has apologised and said it was "constantly reviewing" its training programmes.

The Isle of Man Information Commissioner's office said it had been informed of the attack and an investigation had been launched.

The Central Bank of Russia detected a new type of fraud during the transfer of funds through an ATM




According to the publication of the Center for monitoring and responding to computer attacks in the financial sphere of the General Directorate of protection and information security at Bank of Russia (FinCERT), the Central Bank reported a new type of fraud during the transfer of funds between cards through ATMs.
The document says, "previously expected  TRF-attacks (transaction reversal fraud) did not occur, but a new method of such an attack was recorded based on the imperfection of the scenarios for processing transfers from card to card using ATMs."
The fraud method is connected with the imperfection of the p2p-transfer scenario (transfer between individuals). In particular, when the transaction is cancelled, the fraudster has the opportunity to withdraw the transferred amount from another card and at the same time keep the money in his account.
The algorithm is quite simple. First, a transfer operation between individuals is selected and the card number of the beneficiary is indicated. The terminal sends two authorization messages to the beneficiary's Bank and to the sending Bank. After two approvals have arrived, the actual translation is performed.
However, the ATM then asks the sender for confirmation of the debit fee, but he does not agree, and a message about the return is sent to both Banks. As a result, the temporary holding of funds is removed from the sender's account, he saves all the money, but the beneficiary during this time withdraws the transfer from his card.
The Central Bank advises Banks to check the correctness of ATM scenarios. So, the approval for the cancellation of the operation to the sender should come only after the message about the successful return of the transferred funds from the beneficiary's Bank.
Another measure to combat this type of fraud is to obtain consent to charge a transfer fee before sending authorization messages for the operation.
The sender bank is responsible for the success of such attacks, said Alexei Golenishchev, the Director of e-business monitoring at Alfa-Bank.
In May, Ehackingnews described another type of fraud with Sberbank ATMs. The attacker did not insert a Bankcard into the machine, chose any operation and did not complete it. When the next customer came to the machine, he saw on the screen of ATM a proposal to insert the card and enter the pin code. When he did all, the operation of the attacker was automatically completed, after which the money was debited from the cardholder's account. Later, Sberbank said that Bank solved this problem and the attackers could not withdraw money anymore.

The National Payment Card System (NPCS) of Russia says the Fast Payment System is secure


According to Dmitry Kolesnikov, Director of the FPS project in the NPCS, the Fast Payments System is completely safe.

Earlier, the Head of Sberbank German Gref said that one of the reasons why Sberbank does not join the Fast Payment System is cybersecurity. So, according to Gref, the system is still unsafe.

"The system is safe, secure, fully complies with all standards. There were no incidents during the operation," said Kolesnikov at the International Forum "Remote Services, Mobile Solutions, Cards and Payments - 2019".

The Bank of Russia summed up the results of the first four months of the FPS. According to Maria Krasenkova, the Head of the Development and Regulation of the National Payment System of the Central Bank, from January 28 to May 28, 500 thousand transfers were made through the FPS for a total of 4.2 billion rubles ($ 64 million). Dmitry Kolesnikov noted that during the operation of the system, about 200 thousand people took advantage of it. According to NPCS, 40% of transfers are made between own accounts, 60% between accounts of different clients.

It is worth recalling that the Central Bank launched a competitor to the Sberbank transfer system, it's a money transfer system (FPS) by telephone number between accounts of different banks. First, only 11 financial institutions joined the FPS, including Alfa-Bank, Tinkoff Bank, Gazprombank, VTB and others. Another 100 banks expressed their desire to join the system. However, Sberbank has not yet expressed its desire to join the FPS. The largest Russian Bank was a monopolist in the market of money transfers between individuals. In 2018, Sberbank earned 47.2 billion rubles ($ 722 million) on transfers, and the launch of the Central Bank system has already hit its revenues. In the future, participation in the FPS is planned to be mandatory for all banks.

The Bank of Russia expects to connect important Banks to the FPS before September 1. However, according to Gref, the agreement with the Bank of Russia on the connection of Sberbank to the FPS has not yet been achieved.

Sberbank lists the major trends in cybercrime

Stanislav Kuznetsov, the Deputy Chairman of Sberbank, said that now there are three main trends in the field of cybercrime. The first trend is DDoS attacks, the number of which continues to increase. The second trend is data leakage. "The whole market is developing in this direction," Kuznetsov added.

According to the representative of Sberbank, the third trend called fraud associated with the methods of social engineering. Kuznetsov explained that criminals often play on the trust of citizens.

"Russia is a unique country, the level of public confidence is very high in everything that is done by state institutions, corporations. This is good, but the scammers use this uniqueness of the Russian population, especially the elderly," says Kuznetsov.

For example, a serious threat is phishing (theft of confidential data through e-mail on behalf of financial and government agencies). According to the Deputy Chairman, about 27-30% of office workers in Russia in different corporations can now safely open such phishing emails. And this is a great indicator.

The representative of Sberbank admitted that he does not see the factors that would help to stop the growth of crimes using the methods of social engineering. According to him, the situation can be changed only with the help of educational activities.

Kuznetsov said that the economic damage caused to the country by hackers in 2018 could reach 1.3 trillion rubles (20 million $). Since the beginning of 2019, Sberbank stopped more than 40 intense DDoS attacks, but the financial structure did not finish its activities for a second.

Thus, cybercriminals often use DDoS attacks, social engineering fraud and data leaks. According to Kuznetsov, information security specialists will try to prevent such violations.

It is important to note that from 2020 the Central Bank may begin to conduct stress tests of credit institutions for resistance to cyber threats.

Emotet trojan one of the biggest malware

Emotet is a banking Trojan that started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here's a look at what you can do to safeguard your business against this pernicious Trojan malware.

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices. Eradicate potential blind spots like internet of things devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

Hackers stole 150 thousand rubles from the accounts of Belarusian enterprises through the Client Bank

At the beginning of April 2019, the police received a statement from an employee of one of a metropolitan organization, who reported that an unknown person had made unauthorized access to the computer of the organization, which uses the Client Bank software.

As it became known, the hacker not only made unauthorized access to the organization's computer, but also infected it with malware, which allowed him to make illegal payments to a certain account.

It turned out that the scammer had used RTM malware (Redaman) and sent it by e-mail.

During the investigation, it was found that the attacker made three money transfers to the account of another Bank. The amount of damage was about 30 thousand rubles (470 $). The account to which the amounts were transferred was opened in the name of the foreigner.

The investigators found out that the hacker gained access to the Bank account via a USB key, which the chief accountant had left inside the computer after the end of the working day. This allowed remote access to the system and illegally transfer money.

It was established that such a malicious program was sent by e-mail to more than 90 business entities, the total damage amounted to more than 150 thousand rubles (2 350 $).



Half of the online Banks in Russia does not have enough security

More than half of the Internet applications of Russian Banks were not sufficiently protected. According to the research of Positive Technologies, attackers can view some programs and also edit the information in them.

Cybersecurity Experts analyzed dozens of applications. In their opinion, 61 percent of programs have extremely low or low levels of protection.

It turned out that every second online Bank (54 percent) allows attackers to make fraudulent transactions and theft of money. For example, scammers can spoil the number to which the auto payment is set up or steal the victim's card number.

In addition, according to researchers, almost 80 percent of Banks carry out many operations without additional protection. You can transfer funds or disable the sending of one-time passwords without confirmation by SMS.

Earlier it became known that 85 percent of all ATMs are vulnerable to attacks aimed at stealing money. It turned out that Banks prefer not to update the ATM software, as it requires additional costs.

Information security Experts note that radical measures are needed to correct the situation.

Are enough safeguards built within BHIM?

About BHIM:
BHIM (Bharat Interface for Money - Bhim App) is a Mobile App developed by National Payments Corporation of India (NPCI), based on the Unified Payment Interface (UPI). It was launched by Narendra Modi, the Prime Minister of India, at a Digi Dhan programme at Talkatora Stadium in New Delhi on 30 December 2016. (source:Wikipedia)

Issues:

The BHIM application has an option to create a payment address(Virtual ID). It auto suggests a persons name+(value) as a many of the typical Indian Names are already taken.


Example if a person called Vijay Kumar R is trying to create a personal payment address he will be suggested "vijaykumarr" . This is the primary identifier and during transfer it does not do any further checking. A simple mistake in the name might cause a catastrophe for the sender.

If a person by mistake types in "vijaykumart" (instead of "vijaykumarr") the application will show the proper full name as "Vijay Kumar" and it is highly probable that a person would send the money to the wrong person as the name is matching. Since the BHIM application is mostly targeted towards "New Adopters" mostly from rural locations they might not be able to find the difference or spot a mistake on what they are typing.

The application should ask for a secondary detail (Eg:Mobile Number,Bank Name etc) about a person and cross check it with the database and only process it if the details are matching.

When it comes to NEFT and IMPS it has multilayer verification , even if the user gives a wrong inputs it will not send the amount if any of the details are incorrect.


BHIMNEFT/IMPS
Checks Full NameNoYes
Checks Bank AddressNoYes
Checks Account NumberNoYes

There is an option to refund the money back to the senders only on the receivers end. It does not have any option to raise a complaint on the senders side. Many of the banks are unable to get the money back if it is wrongly sent to another person. There is no option in the UPI ecosystem for such cases. How can this be ? Why did they not think about this?

The same issue was faced by us when we sent about 9200 to the wrong ID.  The bank (Axis) that we used could not get our money back, even though we made a compliant within few minutes.  It was also not possible for us to track who it was sent to and request them to send it back.

We recommend that people stick to the traditional NEFT and IMPS for any high value transactions as there is no support in the UPI system for raising issues during transactions.