A man speaks on a mobile phone as signage for digital payment services Paytm, operated by One97 Communications Ltd., top left, JD Pay, operated by Just Dial Ltd., top right, and Airtel Payments Bank Ltd., operated by Bharti Airtel Ltd., are displayed at a store selling electronics in Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)

RBI Cautions Against Fraudulent Transactions On UPI Platform 

The Reserve Bank of India has issued an alert to all banks and payment system operators about potential fraudulent transactions on the unified payments interface platform. The cautionary notice, the RBI said, was being issued against a backdrop of rising instances of fraud using the UPI platform.

In an alert dated Feb. 14, the banking regulator said that a mobile application called 'AnyDesk' is being allegedly used to target customer phones.

In a comment on Feb. 19, AnyDesk acknowledged that its product had been used for fraud, but denied that its application steals money from user accounts.

“We object to advice saying not to download our software. This accusation is completely false and harms our company’s great reputation,” said the company.

According to the alert issued by the cyber security and IT examination cell of the RBI, once the application is installed on customer phones, it seeks permission to access controls of the phone, like all other applications. However, the application then allegedly proceeds to steal confidential data on the phone to carry out fraudulent transactions through other payments applications installed.

BloombergQuint has reviewed a copy of the alert issued by RBI.

According to a senior official of the National Payments Corporation of India, the alert is not just limited to the UPI platform but also covers other forms of mobile payments. The official spoke on conditions of anonymity as the matter is still confidential. While the NPCI cannot issue notices to mobile app stores to remove the application, it is planning to issue cautionary notices to the public at large, to avoid any such transactions, the official said.

“It appears that either the app is compromised or fake apps were created which capture passwords and gives a third person control of your mobile phone,” said Prashant Mali, high court lawyer and cyber expert. Mali, however, added that he has not heard of any consumer falling prey yet.

The issue is that even if there are victims they don’t reveal how their money was stolen. Because if they reveal that they downloaded the app or clicked on a hyperlink then it becomes gross negligence on their part and the banks/finance companies don’t need to pay.
Prashant Mali, Cyber Expert

In its alert the RBI mentioned that it had sent out a similar advisory in January 2019. That circular was originally issued by NPCI to ensure that genuine payments applications makers put some controls on the kind of data they access on customer phones, the official quoted above said.

Since its launch in April 2016, UPI has become a preferred platform for digital payments. A number of payment apps, including the government promoted BHIM app, is built atop the UPI platform. According to data available on the NPCI website, the UPI platform saw 388 crore transactions worth over Rs 6.4 lakh crore between April 2018 to January 2019.