We need more than constant updates on UPI apps, to address security issues

Nimish Sawant January 30, 2017, 15:23:01 IST

Now, how frequently an app is updated should not ideally be an indicator of how safe or unsafe it is. We all know that not every app update deals with security issues. So calling out UPI apps as unsafe, just because they have not been updated in 50 days, is not really fair. Specially, when they are being used extensively.


Unified Payments Interface or UPI has become a sort of buzzword since the prime minister’s demonetisation announcement on 8 November last year. We have seen an increase in the number of UPI-focussed apps released by banks. But according to a recent report in The Economic Times, around half of the total UPI apps on Android have not been updated in the last 45-55 days.

The report goes on to state that around six out of the 38 apps tested were not updated in 150 days, according to data from Cashless Consumer. This data was collated as of 25 January.

Now, how frequently an app is updated should not ideally be an indicator of how safe or unsafe it is. We all know that not every app update deals with security issues. According to app developers we have spoken to in the past, most software goes through iterative development cycles. So it’s fine if it goes to market in less than perfect form. But there needs to be enough effort to address issues after it goes to market.

“Mandating an updating cycle is overkill. As long as known security risks are patched on priority and newer security features are integrated on a timely basis, the app developer can provide for adequate security coverage,” says Naresh Bharadwaj, app developer and COO of Racoon Digital.


So calling out UPI apps as unsafe, just because they have not been updated in 50 days, is not really fair. Especially when they are being used extensively.

There has certainly been an uptick in the amount of digital financial transactions that have taken place since the demonetisation announcement. According to this PTI report, digital transactions have increased by close to 1000 percent since demonetisation. According to IT Minister Ravi Shankar Prasad, this number excludes transactions done via Master and Visa cards, which are seen on our debit and credit cards. E-wallets have seen transactions increase from 17 lakh per day to 63 lakh per day. The number of transactions made through UPI and USSD have grown by 3574 percent and 1060 percent respectively, till 18 January. The government-backed Bhim UPI app has seen over 10mn downloads in under a fortnight.

These are unprecedented numbers.

But this does not mean that every issue has been addressed. For instance, digital transactions have yet to become mainstream in the rural areas, where connectivity is an issue. Madhavan Narayanan has addressed some of the key questions pertaining to security, regulations, intermediaries and other aspects wonderfully in this story. Security is a major issue in this regard, as getting a whole population to do digital transactions without the necessary technical knowledge could prove to be a thriving ground for perpetrators of digital fraud. Even the Bhim app, for instance, has some scope for improvement.

So how do the digital payments features stack up against the global best practices?

Global best practices

McKinsey’s ‘Trailblazing trends in global payments’ report from 2015 (available as PDF) does shed some light on the security aspects of moving on to the digital payments route. It talks about how peer-to-peer payments will be a big focus going forward, where entities such as AliPay, PayPal and others will tend to threaten traditional banks. We are already seeing that happen in India with digital wallets now becoming banking entities - Paytm Bank and Airtel Payments Bank, for instance.

“In Europe, real-time direct-to-account payments solutions are becoming the norm, with Denmark, Sweden and the UK in the lead. Current discussions among regulatory bodies aim for a pan-European real-time payments infrastructure,” says the report. It states that letting non-banking technology companies enter the fray will bring quicker innovation and set new benchmarks in this sphere.

The report also warns of cyberattacks and says that payments companies will need to invest heavily in their cybersecurity departments.


Where do our UPI apps stack up?

UPI apps as well as digital wallet apps have to follow the same kind of norms that are followed by banking institutions or debit/credit card companies when you do online transactions with them. A lot of the digital wallet and UPI apps use two-factor authentication methods to protect user data. In fact, the Bhim app, which has seen quite a number of downloads and transactions, will also bring in fingerprint verification soon.

NPCI stresses the need to download these UPI apps only through legitimate app stores. It would really be inviting trouble if you side-load any apps pertaining to digital transactions, or apps which are capable of holding your banking information.

Nandan Nilekani, the former chairman of the Unique Identification Authority of India (UIDAI) and an honorary advisor to the NPCI, said that unlike with physical cards, in UPI transactions the payment is based on tokens, without the merchant receiving credentials such as the account number. Also, UPI, being an open source platform on which other banks and payment service providers can build and which allows inter-operability, is very different from wallets, which do not allow inter-operability.

According to Bharadwaj, there are no additional security standards that need to be met by wallet and UPI app developers to feature higher on app stores. It is treated at par with other apps on the app store. “Google Play Store is an open platform where apps can be published with minimum restrictions. However, Google reserves the rights to remove an app from the store if it’s found violating terms through intrusive behaviour – phishing and fraud. Apple has more stringent policies for app publishing,” said Bharadwaj.

Bharadwaj says that app updates may not necessarily reflect on the user’s phone - he or she may take up to three months on many occasions. This can be attributed to the fact that a lot of users prefer to manually update apps when they have a Wi-Fi connection, rather than over a data connection.

Issue-redressal mechanism

Considering we are in the nascent stage of getting on to the digital payments highway, there are bound to be some roadblocks along the way. Since the UPI framework has been developed by the NPCI, its procedural guidelines also include a clause regarding non-refund for failed transactions and/or non-credit for successful transactions: the entity responsible will be the bank or the payment service provider (PSP).

“Any complaint about credit not being given to a beneficiary should be dealt with conclusively and bilaterally by the remitting and beneficiary banks as per the guidelines circulated by NPCI from time to time,” says the UPI procedural guidelines document.

Specifically for UPI transactions, the first point of contact should be the customer’s PSP. It is mandatory for the PSP to provide an option in its app for customers to raise disputes or complaints by providing the transaction reference or ID number.

“However, if customer decides to approach his/her remitter/beneficiary bank instead, the respective banks shall entertain all such requests and help to resolve the complaint to the customer’s satisfaction. The PSP must provide to customers, the option of checking the current status of a transaction in the PSP App,” say the guidelines.

But according to Nandini Chami, senior research associate at IT for Change, payment service providers have told the media in the past that the system of co-ordination with banks to batch-process refund requests for failed transactions is still a challenge.

“There’s a lack of clarity about the status of such requests. Also, since there are no arbitration guidelines in place for receiving banks, there seems to be much confusion in working out responsibilities for failed transactions. This is a gap that the NPCI must address,” said Chami.

As the apps mature with time and more people get on the UPI bandwagon, one should realise that the frequency of app updates isn’t everything. What matters is how pro-active the app’s developers are in recognising the flaws and bugs inherent in it and taking corrective measures.
