BHIM UPI Cybersecurity Hackathon that never happened — submissions

In Oct 2017, NPCI along with hackerearth, announced a BHIM / UPI cybersecurity hackathon and invited submissions for ideas / solutions to make BHIM / UPI secure.

Over 1750 teams had registered and several hundred submissions were made, but there was no follow up from NPCI and no one knows if the offline hackathon for selected teams ever happened and prizes distributed. The hackathon also had a very restrictive terms of service with phrases such as

intellectual property rights concerning the idea submissions shall remain with NPCI. Additionally, by submitting your idea, you are granting NPCI an irrevocable, royalty-free, worldwide right and license to use, sub-license, and exploit your idea in any desired way.

Despite this, we at CashlessConsumer submitted our ideas, to make the technology better, so consumers are prevented from fraud. We list our submission in public and urge other participants too to share their (non critical) submissions publicly, given the fact that NPCI has not bothered to follow up. We hope at least in future, NPCI will improve its engagement positively and professionally with developer / security community to make the ecosystem secure through innovation.

1. Avoid phishing in collect request with hashemoji

Problem Statement

Users currently don’t have easy way to distinguish collect requests from visually deceiving ones from similar looking VPAs / identify right collect request to respond to, in case of web-initiated multiple collect requests which come together, but browser is listening to only one collect request.

Suggested Solution

A visual hash-emoji might help differentiate correct collect requests. Each collect request, must be shown with set of emoji’s computed from hash of collect request. In an P2P collect request, person initiating the collect request can share the emoji to user and in case of web initiated collect requests, the collect SDK consuming web frontend must also show the hash-emoji on the page, which helps user select the correct collect request to respond to, in case of multiple requests queued. (Imagine booking IRCTC tatkal ticket on multiple tabs, using UPI, looking up timestamps, transaction IDs are impossible to distinguish).

Detailed Solution

• In case of app initiated collect request, user additionally gets an option to share the hash emoji to the person whom request was sent over whatsapp / other apps, so approving user is sure of which collect request to approve.
• In case of web initiated UPI collect request transactions, the page must display the hash emoji of the current transaction on the screen to which its currently listening to and would process payment. This would help users not paying to collect requests which dont have merchant pages hooked into.
• Since the hash-emoji will change even for small text change in content, phishing VPAs problem will be avoided and users wont be approving collect requests to similar looking VPAs.

Reference

• https://github.com/earobinson/hash-emoji
• https://telegram.org/blog/calls#secure

2. UPI — PIN Reset by Walk2ATM

Problem Statement

UPI PIN can be reset if someone has access to phone and debit card. This is an attack vector which has already been exposed in UP hack case, where criminals, with cooperation of bank staff though) have successfully transacted after getting a duplicate SIM card and knowledge of 16 digits of debit card number.

Suggested Solution with Additional Layer Security

In order to add an extra layer of security, user must be provided an option of locking reset UPI-PIN feature and unlock happens only after a physical ATM transaction on issuer bank ATM. This way, even though someone has got a duplicate SIM, knows full 16 digits of debit card, one cant reset the UPI PIN unless a real ATM request balance transaction is performed using the debit card.

Solution Detail

* Opting In for extra security UPI-PIN reset — ( Walk2ATM reset): In any UPI app, user can opt-in to the “Walk2ATM UPI-PIN reset” feature, which adds an extra lock which needs to be open before reset UPI-PIN screen is available to user. Upon successful UPI-PIN entry, this lock will get enabled and any future reset of UPI-PIN from any UPI app needs this lock to be unlocked before reset UPI-PIN can be performed.

* Resetting UPI-PIN in Walk2ATM reset — : In order to unlock the reset UPI-PIN lock, user needs to visit nearest ATM (For keeping commercial considerations neutral, it can be issuer bank ATM only) and perform a request balance ATM transaction and press unlock reset UPI-PIN button. This new call is routed to issuer bank, which needs to perform a check if the users debit card performed a request balance ATM transaction in previous 30 minutes. If yes, the successful response must allow the user to reset UPI-PIN. Otherwise UPI-PIN cannot be reset.

* Nearest ATM feature — : Using the NPCI’s ATM locator API, nearest issuer bank ATM can be shown to user, upon entry of pincode / city / district and landmark.

Unconsidered Cases

1. This solution is applicable only for banks which have issued physical debit card. So Payments bank / virtual card issued accounts / PPI(In future), would be outside the scope of this additional feature. They can come with their own way to authenticate the user for unlock reset UPI-PIN.