By Shivansh Viswakarma, third year student (5 year B.A.LL.B.), National Law Institute University, Bhopal

Covid-19 or Kung Flu, as Trump calls it,[1] has surely affected our lives in one way or the other. It indeed is a menace troubling people globally. However, this pandemic has not been completely nasty. The environment has started healing itself and suddenly, people have time for people. Additionally, people have turned digital and virtual in whatever possible way they can. One instance proving this point would be an increase in digital transactions. It could be said that what demonetization failed to achieve has been quite easily achieved by Covid-19.

Digital transactions were touted as the best means of payment after demonetization happened in India, but they were not well received then. This scenario took a complete turn as digital transactions skyrocketed from April 2020 onwards. One plausible explanation could be the presence of Coronavirus. Coronavirus has instilled in people a fear of touching others and this fear has led to the increase in digital transactions.

Digital transactions can be done through a variety of means. Credit cards, debit cards, net banking, mobile banking, e-wallets, RTGS (Real-Time Gross Settlement), NEFT (National Electronic Funds Transfer), etc., are some of the means by which transactions can be made digitally. Among all these lies the Unified Payments Interface (UPI), which is considered to be a flagship scheme for digital transactions.

The increase in digital payments closely tracks the increase in the usage of UPI as a means of payment. The relation is so intimate that in the last financial year, i.e., 2019-2020, almost 27.4% of the total digital transactions were made through UPI. The latest stats show that in May 2020, transactions of about Rs. 2.2 lakh crores were made through UPI and in June 2020, the figure rose to Rs. 2.6 lakh crores.[2]

The standard of UPI has been used by various digital payment apps including Google Pay, PhonePe, Amazon, and Paytm. UPI has indeed been one of the most popular ways of making transactions. But is it safe and secure? This is one of the questions looming around UPI for quite some time now.

The safety and security of UPI face their real challenge when it meets with online shopping, for it is on this platform that frauds and scams usually happen. Platforms for online shopping are a paradise for both buyers and sellers as they allow a wide variety of choices for the former and a wide consumer base for the latter. Amidst them are found fraudsters who are in search of an opportunity to make quick money by defrauding others. Such fraudsters target users who frequently conduct digital transactions. However, the most worrying thing is that people are consenting to get duped.

People may not consent voluntarily to these frauds, but sometimes, because of the technicalities involved in sending money digitally, people may fall into the trap. To further the point, instances of cyber fraud are cited. One woman wanted to sell her bed for Rs. 28,000 on OLX. The buyer contacted her and agreed to pay her half the amount in cash and the other half through PhonePe (UPI). The buyer kept her engaged on the call while he very smartly pushed the send option instead of the receive option. This may have resulted in a fraud being committed but she was aware enough to notice the difference and stopped herself at the right time. When she asked the buyer about all this, the buyer quickly disconnected the call.[3] In a more recent incident, one man lost over Rs. 1 lakh in one of the UPI frauds. The man sent the amount to the fraudster instead of receiving it.[4]

No matter how these frauds were committed or prevented, these instances show the omnipresence of fraudsters and scammers. The question that arises then is whether the UPI platform is prepared to meet challenges like these or not. To answer this, let’s have a look at the UPI model. The UPI model is a four-party model. These parties are enumerated as follows:

a. Consumer; using the UPI app,

b. Tech company; providing consumers with the platform to make payments,

c. Banks; having a contract with the tech company to ease transactions, and

d. NPCI; having a contract with banks.[5]

Tech companies have built upon this basic model to facilitate transactions from their respective apps, enabling them to survive the competition. They compete with their peculiarities in a bid to appear more comprehensive than others. Several specialized features like audio QR, talk-back feature, multilingual interfaces, voice-driven payments, etc. try to make the user experience better day by day. Despite all the improvements and advances made, cybercriminals find a way to get away with it. They tend to get around this system and exploit it for their own use. For instance, a cybercriminal can easily send payment requests from a legit website if the cybercriminal has the user’s virtual payment address (VPA).

Believe it or not, the UPI system is prepared to meet such challenges. It ensures end-to-end encryption despite the payload being decrypted at each stage (that is, from the user of the UPI app to the tech company to banks to NPCI). It is the NPCI that operates the UPI switch. As a result, it has knowledge of all the details of the transaction including the following:

a. Aadhaar number, since it is associated with the bank account;

b. Device details, from which the payment is made;

c. IP address, which helps in detecting where the payment is received;

d. Operating system, which helps in knowing the OS platform in use;

e. Bank account numbers; and

f. GPS location of the user while making a transaction.[6]

The spectrum of data collected while making a single transaction is quite wide and helps in the identification and even prevention of scams or frauds. However, with the amount of data collected, one can easily assume the consequences of the breach of such voluminous data.[7]

To counter this problem of security and privacy simultaneously, a possible solution should be brought up soon by the lawmakers of the country. With India still in the process of making a sound data protection law, it is very difficult to assume that the problem related to privacy and security of transactions could be addressed any time soon. One possible suggestion to protect the privacy and enhance the security of the transaction could be coming up with a system that allows decryption only at the user’s stage and at NPCI’s stage. In this way, the data and privacy of the user will be maintained and NPCI will be able to identify frauds. In the meantime, advisories from the banks must be followed to avoid any mishap happening from the user’s end. Users must remain vigilant and aware while making transactions.
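
The suggestion above, decryption only at the user's stage and at NPCI's stage, can be sketched as follows. This is an added example, not part of the original article and not UPI's actual message format: the sensitive fields are sealed on the user's device to a key only NPCI holds, while the tech company and the bank route on the cleartext fields. The key pair, field names and VPAs are constructed for illustration.

```javascript
// Added sketch: sensitive fields are sealed to NPCI's key on the user's device,
// so the tech company and bank forward ciphertext they cannot open.
const crypto = require('crypto');

// Constructed key pair standing in for NPCI's (assumption, not a real key).
const npci = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// User's device: encrypt with a fresh AES-256-GCM key, then wrap that key for NPCI (RSA-OAEP).
function sealForNpci(routing, sensitive, npciPublicKey) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  // Bind the cleartext routing fields to the ciphertext so a hop cannot alter them unnoticed.
  cipher.setAAD(Buffer.from(JSON.stringify(routing)));
  const body = Buffer.concat([cipher.update(JSON.stringify(sensitive), 'utf8'), cipher.final()]);
  return {
    routing,
    sealed: {
      wrappedKey: crypto.publicEncrypt(npciPublicKey, key).toString('base64'),
      iv: iv.toString('base64'),
      tag: cipher.getAuthTag().toString('base64'),
      body: body.toString('base64'),
    },
  };
}

// Intermediate hop (tech company or bank): reads only routing, forwards the sealed part unchanged.
function forward(envelope, hopName) {
  return { ...envelope, path: [...(envelope.path || []), hopName] };
}

// NPCI: unwrap the AES key with the private key, then authenticate and decrypt.
function openAtNpci(envelope, npciPrivateKey) {
  const s = envelope.sealed;
  const key = crypto.privateDecrypt(npciPrivateKey, Buffer.from(s.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(s.iv, 'base64'));
  decipher.setAAD(Buffer.from(JSON.stringify(envelope.routing)));
  decipher.setAuthTag(Buffer.from(s.tag, 'base64'));
  const plain = Buffer.concat([decipher.update(Buffer.from(s.body, 'base64')), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample transaction; every value here is illustrative.
const routing = { payerVpa: 'alice@examplebank', payeeVpa: 'shop@examplebank', amountInr: 14000 };
const sensitive = { device: 'constructed-device-id', ip: '192.0.2.10', gps: '23.25,77.41' };
let env = sealForNpci(routing, sensitive, npci.publicKey);
env = forward(forward(env, 'tech-company'), 'bank');
console.log(openAtNpci(env, npci.privateKey));
```

If an intermediary alters the routing fields, the GCM tag check in `openAtNpci` fails and the call throws, so NPCI's fraud checks run on the same data the user's device sealed.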


