A fortnight ago, in an email advisory, the National Payments Corporation of India (NPCI) - the central switch and umbrella organisation for retail payments - reiterated a simple message to all large banks.
It said that everyday a bank must match transactions on its UPI apps with data it receives from NPCI. Reconciling outflow of money with inflow is a practice that every banker learns during the first week in the job.
The communiqué, however, was a grim reminder of the price a bank may have to pay if it ignores this ancient tradition of the trade; and, it follows the bitter experience of a government-owned bank in Maharashtra which recently discovered that Rs 25 crore was quietly pilfered from multiple accounts over a few months by a gang of 50.
Just armed with smartphones and a few GBs of data, the members of this syndicate were spread over smaller towns like Aurangabad, Latur, and Nashik to execute their plan.
Fraudsters don't have to necessarily hack into a bank's system and IT network to rob it; they can still manage a neat job to pull out money with the age-old technique of spotting a chink.
Contrary to popular belief and some media reports, the fraud in the Maharashtra bank wasn't a cyber crime: the bank's system was not hacked and no virus found its way to divert funds from one account to another or make its ATMs spew out cash. What took place was amazingly simple.
Think how the bank's app works. It's based on United Payment Interface (UPI), a technology that helps to move money from one bank account to another with a few clicks on a mobile phone. When money is transferred from one account to another - say when a shopper keys in the 4-digit PIN to 'push' money from her account to a grocer's account - certain IT systems 'talk' with each other to complete the transaction.
First, the mobile app system of the shopper's bank communicates with the bank's core banking system to make sure a few basic things are in place - such as, the shopper's account is active and there's enough balance.
Once this is done, the bank's UPI system sends a message to the NPCI system (that acts as a hub-n-spoke body through which communication from one bank to another pass); the NPCI system then reaches out to the shopkeeper's UPI app which in turn signals the core banking network of the shopkeeper's bank to finally credit the money and close the transaction.
UPI also offers a 'pull' transaction that's unique to the technology. This is used when the grocer 'pulls' money from the shopper's account. Here too, banks' IT systems talk to each other in exactly the same way; the money transfer is complete only after the latter shopper approves the 'pull' request with a simple PIN.
No bank talks to the other directly, but communicate through NPCI; secondly, a transaction goes through (rather supposed to) only after a bank's core banking system okays the fund transfer initiated by the same bank's UPI app.
Virtual Money
The loophole in the Maharashtra bank was the gap between its core banking system and the UPI app system; the UPI system could not accurately interpret the message from the core banking system.
What does it mean? If someone tries to pull money out of an account that has little or no balance, the core system of the bank should normally sent out a 'decline' signal and reject the transaction.
In this case too it sent out a signal. But the bank's UPI system read the 'decline' message as 'accept'. Thus, money moved from UPI accounts of the Maharashtra bank to accounts in other banks even though there was no money in the Maharashtra bank's accounts.
The absence of adequate fund could not stop the fraudster from pulling virtual money out from multiple accounts to other banks' accounts and spend. It's like a bank clearing a string of cheques on accounts with no fund, instead of letting the instruments bounce.
How did the fraudsters go about?
The one solid information they had was the gap - or the security mismatch - between the core and UPI systems of the bank; armed with this information they opened hundreds of accounts with very little balance, and 'pulled' funds -- far more than what was there in the accounts - using the UPI handle of these accounts.
The accounts from which funds were pulled out as well as the accounts into which the money flowed into belonged to the group of swindlers. It was a fraud where money moved despite the fact that there was no money .
Perhaps, one in the gang stumbled upon the information by sheer luck. May be, he tried to pull out Rs 1,000 when only was Rs 50 lying in an account. It worked.
The rest was a bit of planning and luring others looking for easy money. Perhaps, bankers of 'Digital India' may note that fraudsters can beat new age toys with old world tools.
0 comments:
Post a Comment