Sunday, March 12, 2017

5 takeaways from Bank of Maharashtra INR6.4 crs UPI fraud


              As reported in newspapers Bank of Maharashtra has filed an FIR against 50 people for illegally pulling money using the Unified Payments Interface (UPI) and causing a loss of Rs 6.14 crore to the financial institution.

              Bank of Maharashtra filed the FIR on March 8th.


The accused (in many cases their own accounts held with Bank of Maharashtra) used the UPI app to "collect" money from the accounts of the bank's customers, which did not even have requisite balance. They exploited a bug or a loophole in the bank's UPI app developed by Mumbai-based IT Solution Provider.

Few of the accused immediately transferred money received into another bank accounts through Real Time Gross Settlement (RTGS) channel.

It seems this was a well thought strategy, as few accused seemed to have procured mobile SIM cards for these transactions as most of the numbers are now switched off.

The 50 accused persons (possibly un-related to each other) started sending "receive (transfer) money" requests in batches of up to Rs 1 lakh each over a period of 48 days, beginning December 1, 2016, to accounts held with BoM through UPI.

When the UPI app received the query and customers accepted the request, the app checked with the backend to see if there were funds in the accounts linked to UPI. When the bank's software noticed insufficient funds in most cases, it sent out a message citing so.

The app sent forth two messages to the National Payments Corporation of India (NPCI). One message read "success" and the second message read "error: insufficient funds".

NPCI — the clearing agency for online transactions in case of UPI — read only the first message automatically and gave a green signal. As a result, BoM's pool account with the RBI was deducted about 672 times over a period of 48 days.

The gap was flagged to the IT Solution Provider by Bank of Maharashtra on January 18, 2017 and the IT Solution Provider immediately plugged the gap.

However by than a damage of INR6.4 crores was already done.

Investigation by Bank of Maharashtra IT Team and the IT Solution Provider is still on for the root cause.

This Post is only to highlight the vulnerabilities of Digital Banking and to encourage stakeholders to have strong audit mechanisms.

Any laxity in controls will have disastrous results. 

Takeaway 01) --- Test cases for all possible scenarios to be published and tested for the particular product

Takeaway 02) --- Multiple rounds of testing to be done by different teams to ensure no miss-outs

Takeaway 03) --- Product Rollout to be done to internal teams and teams to be encouraged to put in a good number of transactions. This minimises surprises after the actual roll-out.

Takeaway 04) --- Manual monitoring of the transactions associated with the Product at least for a couple of weeks after the launch to avoid any surprises.

Takeaway 05) --- The most important, tallying of all the associated Accounts should be done on a daily basis.  

Will this incident be covered under Insurance Policy??

Bank of Maharashtra celebrated its 82nd Business Commencement Day on February 8. As part of the festivities, the bank launched a prepaid card for its customers. The card, launched in partnership with RuPay, will offer an alternative to cash transactions, promoting the adoption of digital economy.