5 takeaways from Bank of Maharashtra INR6.4 crs UPI fraud
As reported in the newspapers, Bank of Maharashtra has filed an FIR against 50 people for illegally pulling money using the Unified Payments Interface (UPI) and causing a loss of Rs 6.14 crore to the financial institution.

Bank of Maharashtra filed the FIR on March 8th.

The accused (in many cases using their own accounts held with Bank of Maharashtra) used the UPI app to "collect" money from the accounts of the bank's customers, which did not even have the requisite balance. They exploited a bug or loophole in the bank's UPI app, developed by a Mumbai-based IT solution provider.

A few of the accused immediately transferred the money they received into other bank accounts through the Real Time Gross Settlement (RTGS) channel.

This seems to have been a well-thought-out strategy: a few of the accused appear to have procured mobile SIM cards specifically for these transactions, as most of the numbers are now switched off.

The 50 accused persons (possibly unrelated to each other) started sending "receive (transfer) money" requests in batches of up to Rs 1 lakh each over a period of 48 days, beginning December 1, 2016, to accounts held with BoM through UPI.

When the UPI app received the request and the customers accepted it, the app checked with the backend to see whether there were funds in the accounts linked to UPI. When the bank's software found insufficient funds, as it did in most cases, it sent out a message saying so.

The app then sent two messages to the National Payments Corporation of India (NPCI): one read "success" and the second read "error: insufficient funds".

NPCI, the clearing agency for online transactions in the case of UPI, automatically read only the first message and gave the green signal. As a result, BoM's pool account with the RBI was debited about 672 times over the period of 48 days.

The gap was flagged to the IT solution provider by Bank of Maharashtra on January 18, 2017, and the provider immediately plugged it.

However, by then damage of INR 6.4 crores had already been done.

Investigation into the root cause by the Bank of Maharashtra IT team and the IT solution provider is still on.

This post is only to highlight the vulnerabilities of digital banking and to encourage stakeholders to have strong audit mechanisms.

Any laxity in controls will have disastrous results.
Takeaway 01) --- Test cases for all possible scenarios to be published and tested for the particular product.

Takeaway 02) --- Multiple rounds of testing to be done by different teams to ensure nothing is missed.

Takeaway 03) --- Product rollout to be done to internal teams first, and teams to be encouraged to put in a good number of transactions. This minimises surprises after the actual rollout.

Takeaway 04) --- Manual monitoring of the transactions associated with the product for at least a couple of weeks after the launch to avoid any surprises.

Takeaway 05) --- The most important: tallying of all the associated accounts should be done on a daily basis.
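As an added illustration (not code from the bank, its vendor, NPCI or this post), the two controls the incident points at: a collect-request authorisation that emits exactly one authoritative status instead of the "success" plus "error" pair described above, and the daily tally of Takeaway 05, which compares what was cleared against the pool account with what the core ledger actually debited. All references and amounts are constructed, hypothetical values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """One UPI collect request as recorded on one side of the system."""
    ref: str     # transaction reference shared by bank and clearing house
    amount: int  # rupees


def authorise_collect(balance: int, amount: int) -> dict:
    """Return exactly one authoritative outcome for a collect request.

    The post describes an app that emitted both "success" and
    "error: insufficient funds" for the same request, with the clearing
    side acting on whichever it read first. A single status object leaves
    nothing for a downstream reader to choose between.
    """
    if amount <= 0:
        return {"status": "error", "reason": "invalid amount"}
    if balance < amount:
        return {"status": "error", "reason": "insufficient funds"}
    return {"status": "success", "debited": amount}


def reconcile(ledger_debits, settled_debits):
    """Daily tally of the associated accounts (Takeaway 05).

    Anything cleared against the pool account that has no core-ledger debit
    of the same amount and reference is money that left the bank without
    leaving a customer account. Returns (unmatched_settlements, total_gap).
    """
    ledger = {t.ref: t.amount for t in ledger_debits}
    unmatched = [t for t in settled_debits if ledger.get(t.ref) != t.amount]
    return unmatched, sum(t.amount for t in unmatched)


# Constructed sample day (hypothetical references and amounts, not incident data).
# The core ledger only debited the two requests that had funds behind them ...
LEDGER = [Txn("REF-001", 50_000), Txn("REF-002", 20_000)]
# ... but the pool account was also hit for two "collects" the ledger refused.
SETTLED = LEDGER + [Txn("REF-003", 100_000), Txn("REF-004", 100_000)]

if __name__ == "__main__":
    unmatched, gap = reconcile(LEDGER, SETTLED)
    for t in unmatched:
        print(f"unmatched settlement {t.ref}: Rs {t.amount}")
    print(f"pool account gap for the day: Rs {gap}")
```

Run daily, a non-zero gap is the signal that would have surfaced the 672 debits long before day 48.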
Will this incident be covered under an insurance policy?
Bank of Maharashtra celebrated its 82nd Business Commencement Day on February 8. As part of the festivities, the bank launched a prepaid card for its customers. The card, launched in partnership with RuPay, will offer an alternative to cash transactions, promoting the adoption of the digital economy.