5 takeaways from Bank of Maharashtra INR6.4 crs UPI fraud

-

              As reported in newspapers Bank of Maharashtra has filed an FIR against 50 people for illegally pulling money using the Unified Payments Interface (UPI) and causing a loss of Rs 6.14 crore to the financial institution.

              Bank of Maharashtra filed the FIR on March 8th.


The accused (in many cases their own accounts held with Bank of Maharashtra) used the UPI app to "collect" money from the accounts of the bank's customers, which did not even have requisite balance. They exploited a bug or a loophole in the bank's UPI app developed by Mumbai-based IT Solution Provider.

Few of the accused immediately transferred money received into another bank accounts through Real Time Gross Settlement (RTGS) channel.

It seems this was a well thought strategy, as few accused seemed to have procured mobile SIM cards for these transactions as most of the numbers are now switched off.

The 50 accused persons (possibly un-related to each other) started sending "receive (transfer) money" requests in batches of up to Rs 1 lakh each over a period of 48 days, beginning December 1, 2016, to accounts held with BoM through UPI.

When the UPI app received the query and customers accepted the request, the app checked with the backend to see if there were funds in the accounts linked to UPI. When the bank's software noticed insufficient funds in most cases, it sent out a message citing so.

The app sent forth two messages to the National Payments Corporation of India (NPCI). One message read "success" and the second message read "error: insufficient funds".

NPCI — the clearing agency for online transactions in case of UPI — read only the first message automatically and gave a green signal. As a result, BoM's pool account with the RBI was deducted about 672 times over a period of 48 days.

The gap was flagged to the IT Solution Provider by Bank of Maharashtra on January 18, 2017 and the IT Solution Provider immediately plugged the gap.

However by than a damage of INR6.4 crores was already done.

Investigation by Bank of Maharashtra IT Team and the IT Solution Provider is still on for the root cause.

This Post is only to highlight the vulnerabilities of Digital Banking and to encourage stakeholders to have strong audit mechanisms.

Any laxity in controls will have disastrous results. 

Takeaway 01) --- Test cases for all possible scenarios to be published and tested for the particular product

Takeaway 02) --- Multiple rounds of testing to be done by different teams to ensure no miss-outs

Takeaway 03) --- Product Rollout to be done to internal teams and teams to be encouraged to put in a good number of transactions. This minimises surprises after the actual roll-out.

Takeaway 04) --- Manual monitoring of the transactions associated with the Product at least for a couple of weeks after the launch to avoid any surprises.

Takeaway 05) --- The most important, tallying of all the associated Accounts should be done on a daily basis.  

Will this incident be covered under Insurance Policy??

Bank of Maharashtra celebrated its 82nd Business Commencement Day on February 8. As part of the festivities, the bank launched a prepaid card for its customers. The card, launched in partnership with RuPay, will offer an alternative to cash transactions, promoting the adoption of digital economy.



Comments

Post a Comment

Popular posts from this blog

CERTIFICATE EXAMINATION IN INTERNATIONAL TRADE FINANCE

-
Image
          This certification is essential for all members of a Bank Trade Finance Department.   The syllabus covers key aspects required by team members to effectively discharge their duties. Trade Finance is one of the traditional forms of bank finance in India. In view of reforms and liberalisation, this has gained a new significance.   Many of the practices in trade finance have evolved over a period of time and some are guided by Ministry of Commerce and Reserve Bank of India, besides WTO and International Chamber of Commerce through UCPDC 600. With the increase in the volume of trade both domestically and internationally, there is a need for trade finance professionals from banks as well as corporates. The Objectives of this IIBF Examination is as under:   (i) To provide candidates with competencies required to function as trade finance practitioners. (ii) To enable candidates to possess the needed skill and knowledge to understand clients' needs
Read more

IIBF-Certificate Examination in Foreign Exchange Facilities for Individuals

-
          The primary objective this IIBF course is to make the branch officials familiar with the FEMA provisions that impact their day to day functioning at the branch level.     This exam is being introduced pursuant to the recommendation of a committee of RBI.           Normally foreign exchange transactions pertaining to individuals are handled at branches only and are not referred to specialised forex cells.           The course covers ‘Foreign Exchange Facilities for individuals under FEMA1999’ RBIs FAQs’ on Forex Facilities for Residents (Individuals) (updated up to November 21, 2014) For full details refer to Reserve Bank of India website: Introduction : The legal framework for administration of foreign exchange transactions in India is provided by the Foreign Exchange Management Act, 1999. Under the Foreign Exchange Management Act, 1999 (FEMA), which came into force with effect from June 1, 2000, all transactions involving forei
Read more

IIBF introduces Self-Paced E-learning courses (SPeL) for its two certificates

-
Image
          Indian Institute of Banking Finance (IIBF) has taken a quantum leap in disseminating knowledge to its members and non-members.           IIBF in April 2019, introduced the Self-Paced E-learning courses (SPeL) concept for banking enthusiasts to be familiar with banking concepts.           In the first stage, IIBF has launched   two certificate courses i.e 1. Digital Banking and 2. Ethics in Banking.           The objective of this self-paced e-learning mode are as follows: • Participants can make the best use of his or her time, in order to meet his or her learning objectives. • Participants can access the course   anywhere/anytime with an internet connection. • Participants need not travel to give their examinations. It saves time and money of the participants. • Opportunity to individuals to obtain new certifications; improve their knowledge in the subject. • With self-paced learning, subjects can be thought in different learning styles. Part
Read more