Aadhaaritis' effects on PayTM usability & security
So Paytm Payments Bank recently introduced entry of Aadhaar for password resets. Like many, I had been a PayTM user for years, and I was so convinced of its utility that I chose to upgrade myself to full KYC status by providing my PAN card, back when eKYC didn't exist. In this post, I go through the problems PayTM shot itself with, as part of what Anand Venkatanarayanan describes as
Problem 1: Usability post Wallet — Payments Bank convergence & KYC status
PayTM has always been a single app for non-KYC and KYC users. KYC users had a higher monthly wallet limit, up to 1 Lakh. It's simple. When Payments Bank was launched, it would have been a strategic decision to retain the same app and offer customers the option to access both a wallet and a bank through the same app. Very few apps do this (e.g. Pockets from ICICI). This is because, while anyone with a mobile number can be a non-KYC wallet user, bank users must be KYC users. But regulatory arbitrage has caused confusion: a wallet user can be KYC'd using *any acceptable banking PoI and any PoA*, whereas a payments bank user can be KYC'd only using Aadhaar e-KYC. The option to open a payments bank account doesn't work unless one provides Aadhaar. Fair enough, regulations are beyond the company's control.
As part of their migration, PayTM probably made Aadhaar the sole ID used for KYC, forgetting there was a small set of users who had KYC'd their wallet without Aadhaar. This led to removal of the blue tick for non-Aadhaar KYC'd customers. As small as that sounds, for a bank / trust store this is a breach of trust, with no intimation.
In conversations with customer care, we were assured that our KYC status is complete** and that the wallet is still a premium wallet. But the problem of aadhaaritis messing up KYC user data management gets more complex when that data is plugged into the authentication system and becomes a requirement for resetting passwords.
** Update: After this post went up, PayTM called me up and said that, due to a "technical fault", I have to redo KYC and my wallet account has been downgraded to a normal account. I suspect this technical fault will be the case for everyone who performed paper-KYC with PayTM.
Problem 2: Password Resets
As part of a "security feature", while resetting a password PayTM wants one to enter the Aadhaar number that was used while creating the account, so as to verify that it is indeed the genuine user requesting the password reset.
The core problem is that an Aadhaar number is not confidential information, so any thief who knows it can successfully reset the password.
There are further problems with PayTM's security model.
- Unlike a traditional bank app, PayTM (wallet and PB share the same app) persists sessions, so a thief with a logged-in device would never even have to reset the password.
- A secret question (even if it is mother's maiden name) is more secure than a fixed, queryable, decipherable Aadhaar number: the answer to "mother's maiden name" could actually be an aunt's name that only the user who set it would know, while the Aadhaar number is known to at least a dozen people and a thousand databases.
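To make the difference concrete, here is an added example (not PayTM's code, and not a description of how their backend works) that puts the two reset designs side by side: one that accepts knowledge of a public identifier as proof, and one that issues a random, single-use, expiring token over a verified out-of-band channel and revokes persisted sessions once the password changes. The account data, the `national_id` field standing in for an Aadhaar-like public identifier, and the `send_message` delivery hook are all constructed for the demo.

```python
"""Two password-reset designs: proof of a public identifier vs. a single-use,
expiring, out-of-band token.  Added example; accounts and the delivery hook
are constructed, not taken from any real service."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stored as salt || digest.
    (A production deployment would prefer argon2id or bcrypt.)"""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


@dataclass
class Account:
    username: str
    password_hash: bytes
    national_id: str          # public identifier (constructed; Aadhaar-like role)
    contact: str              # verified out-of-band channel (email / phone)
    active_sessions: set = field(default_factory=set)


# ---- Weak design: anyone who knows the non-secret identifier can reset ----
def weak_reset(accounts: dict, username: str, claimed_id: str, new_pw: str) -> bool:
    acct = accounts.get(username)
    if acct is None or not hmac.compare_digest(acct.national_id, claimed_id):
        return False
    acct.password_hash = hash_password(new_pw)
    return True               # note: existing sessions remain valid


# ---- Hardened design: random token, out of band, single use, expiring ----
@dataclass
class PendingReset:
    token_hash: bytes         # only the hash is stored server-side
    expires_at: float
    attempts_left: int = 5    # bound guesses without letting a guess cancel the real token


class ResetService:
    TOKEN_TTL = 15 * 60       # seconds

    def __init__(self, accounts: dict, send_message, now=time.time):
        self.accounts = accounts
        self.send_message = send_message   # delivers to the verified channel
        self.now = now                     # injectable clock for testing expiry
        self._pending = {}                 # username -> PendingReset

    def request_reset(self, username: str) -> str:
        acct = self.accounts.get(username)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            self._pending[username] = PendingReset(
                token_hash=hashlib.sha256(token.encode()).digest(),
                expires_at=self.now() + self.TOKEN_TTL)
            self.send_message(acct.contact, token)
        # Identical response whether or not the account exists (no enumeration).
        return "If an account exists, reset instructions have been sent."

    def complete_reset(self, username: str, token: str, new_pw: str) -> bool:
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self.now() > rec.expires_at:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(rec.token_hash, presented):
            rec.attempts_left -= 1
            if rec.attempts_left <= 0:
                del self._pending[username]
            return False
        del self._pending[username]        # single use
        acct = self.accounts[username]
        acct.password_hash = hash_password(new_pw)
        acct.active_sessions.clear()       # revoke persisted sessions on reset
        return True


if __name__ == "__main__":
    outbox = []
    accounts = {"alice": Account("alice", hash_password("old-pw"),
                                 "1234 5678 9012", "alice@example.com", {"sess-1"})}
    print("weak reset with public id:", weak_reset(accounts, "alice", "1234 5678 9012", "x"))
    svc = ResetService(accounts, lambda to, tok: outbox.append((to, tok)))
    print(svc.request_reset("alice"))
    print("token reset:", svc.complete_reset("alice", outbox[-1][1], "new-pw"),
          "sessions left:", accounts["alice"].active_sessions)
```

The weak path succeeds for anyone holding the identifier and leaves old sessions alive, which is exactly the pair of problems described above; the hardened path ties the reset to possession of the verified channel, bounds guessing, and kills persisted sessions when the credential changes.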
Problem 3: Same auth service for bank + wallet
I tried to reset my own paytm account to verify the above claim, and got myself locked out. I understand there is a paytm password and then there is a paytm passcode, both of which I had forgotten. A link was sent to my email after a phone call to the IVRS number mentioned. Upon opening it, it says "no documents submitted" and I can't reset my password. While I had submitted my PoI and PoA during KYC, when aadhaaritis attacked PayTM they reset that data, so in PayTM's user database I have no documents submitted. When this requirement was plugged into the auth system for password resets, I got locked out.
The problems highlighted in this post are not with Aadhaar itself; rather, the change management that goes into plugging in Aadhaar can be complex, and if it is not well thought out, one loses business.