How reliable is UPI?
India’s biggest answer to the payments puzzle.
A few banks in India have released Unified Payment Interface (UPI) apps.
I tried using some of them, and even wrote about my experience with the app. While most people are as enthusiastic as I am about the future of digital payments as a result of UPI, there are also a few concerns about its security.
Multiple aspects of reliability.
When we say an application is reliable and secure, it could mean any of the following:
- App works like it should: transferring amounts properly and swiftly from one account to another.
- Clarity on the outcome: what will happen at the end of any transaction, especially in complex cases like group payments.
- Safety: nobody other than the authenticated user should be able to access secure information or money.
Most of the conversation is about the third point. I have had people ask me literally: can UPI be hacked? Will our accounts be secure on our mobile phones? The straightforward answer is that we do not know, at least not yet.
But there are some aspects of phone banking that are different from ATM transactions and even net banking.
When your phone becomes an ATM card.
What UPI essentially does is make your phone as important as your ATM card. YOUR PHONE IS YOUR ATM CARD. And the MPIN you set in the app is your actual PIN.
As any technology security analyst would tell you, there are two parts to security:
a. Security of the technology
b. Understanding of security by the users.
Security and reliability are not only about the technology. They are also about user behaviour and how the technology is used in a cultural context.
The user cultural problem.
Will you leave your ATM card alone on a table anywhere? Will you show your ATM card to your friends? Will you carry all your ATM cards with you all the time?
But you will do all of that with your phone. Many of us do not lock our phones with a passcode. Many of us leave our phones on the table while eating in a restaurant, and sometimes leave them unattended on charge at home or in the office.
But there is the MPIN to authenticate, right? Yes, but how many of us reuse the same PIN across many of our accounts for the sake of remembering it? Or write it down on a piece of paper?
We all know of people who lost money by revealing their OTPs to an unknown caller posing as a bank employee, and we have heard of cases of scammers tracking our information online.
There is talk about how even ATMs can be hacked these days.
Coming to the major part: how many of us look at the permissions an app requests before installing it? How many of us make sure that the apps we use are trustworthy?
If an app has access to your SMS inbox, it can read any SMS, including your OTPs.
It is not difficult to imagine a scammer getting a snooping app onto your phone and collecting enough information to break into your accounts (not as easy as it sounds, but we have seen phishing sites online that were able to capture passwords).
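As an added example (not code from the original post), here is a small audit script a reader could run over `adb shell dumpsys package` output to see which installed apps actually hold SMS-reading permissions. The sample output embedded below is constructed, and the layout of the `runtime permissions:` section it parses is an assumption about what current Android prints.

```python
# Added example, not code from the original post: flag installed Android apps
# that hold permissions letting them read incoming SMS, and therefore OTPs.
# Input is the text of `adb shell dumpsys package <pkg>`; the layout assumed
# here ("runtime permissions:" then "<perm>: granted=true|false") is an
# assumption about current Android, and the sample below is constructed.
import re

SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample: a bank app, a flashlight app, and a notes app whose
# request for READ_SMS was denied by the user.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.upi.bank] (1a2b3c):
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
    runtime permissions:
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def sms_capable_apps(dumpsys_text):
    """Return {package: [granted SMS permissions]} for every package that
    currently holds at least one SMS permission; denied grants are ignored."""
    result = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)  # grants that follow belong to this package
            continue
        grant = GRANT_RE.match(line)
        if (grant and current and grant.group(1) in SMS_PERMISSIONS
                and grant.group(2) == "true"):
            result.setdefault(current, []).append(grant.group(1))
    return {name: sorted(perms) for name, perms in result.items()}


if __name__ == "__main__":
    # A flashlight app reading SMS is exactly the entry that deserves a second look.
    for name, perms in sorted(sms_capable_apps(SAMPLE_DUMPSYS).items()):
        print(f"{name}: {', '.join(perms)}")
```

On a real device, feed it the output of `adb shell dumpsys package` for the packages you care about instead of the constructed sample.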
The first important thing is to make users realise that their phones have just evolved from a device into something with the importance of an ATM card. But this could also have an unintended consequence: it is not clear how many people will install the apps if we raise this “alarm”.
Another is to educate users to regularly check the hygiene of their phones: the apps they use, securing the phone with a passcode, keeping PIN information secure, and so on. Communicating this to a population where many have had no formal education, or very little, is a humongous task.
What’s the way forward?
So any scams, when they happen (not if they happen), will make many people shy away from trying anything that changes their behaviour, mobile payment transactions for example.
So it is important to bring in better “authentication” systems in addition to what we have today.
Why? Because today’s authentication systems are similar to those for computer-based online transactions, but they do not take into account the role phones play in our lives culturally, especially when millions in the country will go mobile first and reach the internet first on mobile.
Secondly, banks should make raising and resolving disputes simple and quick. This would give users the confidence to start using mobile apps for transactions.
If we are to succeed in our aim of Digital India and financial inclusion, we need bigger discussions on the human aspects that affect the use and implementation of any technology trying to accomplish these goals.