How secure is India’s Unified Payment Interface?

Santhosh Gandhe
4 min read · May 22, 2021


Cashless payments and digital transactions have existed in India for a long time in the form of NEFT (National Electronic Fund Transfer) and similar systems, but they never reached small businesses and the mass market. The main reasons were limited internet access and the hassle of supplying so many details, such as the account number and IFSC code. Since NPCI (National Payments Corporation of India) introduced UPI (Unified Payment Interface) in 2016, cashless transactions have grown at an astonishing rate.

[Chart] The value of transactions taking place on the UPI service. Courtesy: https://www.npci.org.in/

Several factors contributed to this growth.

  • Ease of use. It is extremely simple: all you need is the UPI handle of the person you want to send money to. This extreme simplicity is exactly what raises the question “How secure is this?”
  • Growth in mobile internet, with Jio leading the way in making mobile data cheaper while smartphones became affordable, added fuel to this growth.
  • UPI payment apps such as Google Pay and PhonePe helped adoption by building easy-to-use apps and adding integrations with consumer bill payment services such as utility payments and mobile recharges.

It is also very easy to set up and start using this payment service. All you need is a smartphone with the mobile number linked to your bank account. Every validation works over OTP, including identifying the bank account connected to your mobile number. This raises the obvious question: how secure is this?

Security is provided at multiple levels. The first level is your regular phone lock. You need to unlock your phone to get to any UPI payment app. Second, apps like Google Pay require you to pass the phone unlock step once more to get into the app, so even if you hand your unlocked phone to a friend to watch a video or play a game, they cannot open these UPI payment apps unless they know how to unlock your phone. The third level is the UPI-PIN. Only when you are about to tap the send money button does the app ask you to enter your UPI-PIN. This is the one secret you must keep safe and never share with anyone. Note also that the UPI-PIN belongs to your bank account, not to the app: if you switch UPI payment apps, you carry the same UPI-PIN with you.

What if I lose the SIM card that is linked to my bank account?

Suppose I lose my mobile phone and someone gets hold of the SIM card with the mobile number attached to my bank account. Will they be able to set up UPI payments using that mobile number and drain my entire bank account? Sounds scary, right?

There are two possibilities here.

  1. If you had already set up UPI payments before you lost your SIM card, then you had already set a UPI-PIN, a 4- or 6-digit (depending on your bank) personal identification number much like your ATM PIN. Someone getting your SIM card is like someone finding your debit card: they cannot do anything without the PIN. Your UPI-PIN is the saviour here. With a 6-digit PIN there are a million possibilities, and the account is locked after no more than 3 failed attempts, which is what protects your account against guessing.
  2. If you had not yet set up UPI but had already linked your bank account to your mobile number, then the person holding your SIM card can set up UPI on your account. However, the initial setup requires details of the debit card linked to that account, such as the last six digits of the card number and its expiry date. If you lose your SIM card together with the debit card linked to the same bank account, you are in trouble: someone can completely take over your account. Call your bank immediately and have the account blocked.
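The first case above rests on two properties: the PIN is only checked by the bank, and guessing is cut off after a handful of failures. The following is an added example, not NPCI's or any bank's code, of a minimal bank-side PIN check that models that policy: the PIN is stored as a salted PBKDF2 hash, compared in constant time, and the account locks after MAX_FAILED_ATTEMPTS wrong entries. The brute_force helper plays the attacker who holds the phone and SIM but not the PIN, and guess_probability gives the attacker's odds under that lockout. All names and the attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Illustrative model of a bank-side UPI-PIN check with attempt lockout.
# Not NPCI's or any bank's implementation; names and limits are assumptions.
MAX_FAILED_ATTEMPTS = 3     # the "not more than 3 failure attempts" in the text
PBKDF2_ITERATIONS = 100_000


class PinStore:
    """Holds one account's PIN verifier plus its lockout state."""

    def __init__(self, pin: str):
        # UPI-PINs are 4 or 6 digits depending on the bank.
        if not (pin.isdigit() and len(pin) in (4, 6)):
            raise ValueError("UPI-PIN must be 4 or 6 digits")
        self.salt = os.urandom(16)
        self.digest = self._derive(pin, self.salt)   # never store the PIN itself
        self.failed_attempts = 0
        self.locked = False

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def verify(self, candidate: str) -> bool:
        """Return True only for the correct PIN on an unlocked account."""
        if self.locked:
            return False                    # locked: even the right PIN is refused
        ok = hmac.compare_digest(self._derive(candidate, self.salt), self.digest)
        if ok:
            self.failed_attempts = 0        # a success resets the counter
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True              # lock out further guessing
        return False


def guess_probability(pin_length: int, attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Chance that an attacker with `attempts` tries hits a uniformly random PIN."""
    return attempts / 10 ** pin_length


def brute_force(store: PinStore, pin_length: int):
    """Attacker with the phone/SIM but no PIN: try PINs in order until success or lockout.

    Returns (number_of_tries, found).
    """
    tried = 0
    for n in range(10 ** pin_length):
        candidate = str(n).zfill(pin_length)
        tried += 1
        if store.verify(candidate):
            return tried, True
        if store.locked:
            return tried, False
    return tried, False


if __name__ == "__main__":
    # Constructed sample: a 6-digit PIN an attacker would not guess in 3 tries.
    tries, found = brute_force(PinStore("482913"), 6)
    print(f"attacker locked out after {tries} tries, found={found}")
    print(f"odds of guessing a 6-digit PIN in 3 tries: {guess_probability(6):.1e}")
```

The lockout is what makes a short numeric PIN acceptable: without it, 10^6 candidates is a few minutes of work for an automated client. This is also why the PIN must be checked by the bank and not by the app on the phone, since an attacker who holds the phone could otherwise bypass or patch the check.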

What if your mobile network provider reassigns your mobile number to someone else because of inactivity, or because you failed to keep the number active?

This case is the same as the second scenario above, except that someone else now officially holds a SIM with your number. If you link your bank account to a mobile number, it is your responsibility to keep that number active, or to detach it from your bank account if you no longer wish to use it.

Think of it this way: your mobile phone with its SIM card is like your debit card, and your UPI-PIN is like your debit card PIN. Losing your phone or SIM card is the same as losing your debit card.

It is always a challenge to strike the right balance between convenience and security; they rarely play well together, and one usually has to give way to the other. In the case of UPI, NPCI has done a good job of balancing the two, but in the end it is YOUR responsibility to take the right actions to protect your hard-earned money. Be responsible, and enjoy the convenience of these life-changing online services.

Santhosh Gandhe

Software Engineer, Engineering Manager and a Dad. Love to talk about serverless technologies.