Filename | Are enough safeguards built within BHIM? |
Author | Asylum |
Date and Time | 10:13 AM |
About BHIM:
BHIM (Bharat Interface for Money - Bhim App) is a mobile app developed by National Payments Corporation of India (NPCI), based on the Unified Payment Interface (UPI). It was launched by Narendra Modi, the Prime Minister of India, at a Digi Dhan programme at Talkatora Stadium in New Delhi on 30 December 2016. (Source: Wikipedia)
Issues:
The BHIM application has an option to create a payment address (Virtual ID). It auto-suggests a person's name+(value), as many of the typical Indian names are already taken.
For example, if a person called Vijay Kumar R is trying to create a personal payment address, he will be suggested "vijaykumarr". This is the primary identifier, and during a transfer the application does not do any further checking. A simple mistake in the name might cause a catastrophe for the sender.
If a person by mistake types in "vijaykumart" (instead of "vijaykumarr"), the application will show the proper full name as "Vijay Kumar", and it is highly probable that the person would send the money to the wrong recipient because the name matches. Since the BHIM application is mostly targeted towards "New Adopters", mostly from rural locations, they might not be able to find the difference or spot a mistake in what they are typing.
The application should ask for a secondary detail (e.g. mobile number, bank name) about the recipient, cross-check it with the database, and only process the transfer if the details match.
NEFT and IMPS have multilayer verification: even if the user gives a wrong input, the amount will not be sent if any of the details are incorrect.
Check | BHIM | NEFT/IMPS |
---|---|---|
Checks Full Name | No | Yes |
Checks Bank Address | No | Yes |
Checks Account Number | No | Yes |
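The difference between a name-only confirmation and the secondary-detail cross-check recommended above can be shown in a few lines. This is an added example, not code from BHIM or NPCI; the directory contents, phone numbers, bank names and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payee:
    display_name: str
    mobile: str
    bank: str

# Constructed sample directory: two different people whose payment addresses
# differ by one character and whose displayed names are identical.
DIRECTORY = {
    "vijaykumarr": Payee("Vijay Kumar", "9000000001", "Example Bank A"),
    "vijaykumart": Payee("Vijay Kumar", "9000000002", "Example Bank B"),
}

def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so cosmetic differences do not matter."""
    return " ".join(text.lower().split())

def name_only_check(address: str, expected_name: str) -> bool:
    """Behaviour described in the post: only the displayed name is compared."""
    payee = DIRECTORY.get(_norm(address))
    return payee is not None and _norm(payee.display_name) == _norm(expected_name)

def verified_check(address: str, expected_name: str,
                   mobile_last4: str, bank: str) -> bool:
    """Recommended behaviour: refuse unless every secondary detail matches."""
    payee = DIRECTORY.get(_norm(address))
    if payee is None:
        return False  # unknown address: fail closed
    return (
        _norm(payee.display_name) == _norm(expected_name)
        and len(mobile_last4) == 4            # reject empty or partial input
        and payee.mobile.endswith(mobile_last4)
        and _norm(payee.bank) == _norm(bank)
    )

if __name__ == "__main__":
    # The sender means "vijaykumarr" but types "vijaykumart".
    typo = "vijaykumart"
    print("name only :", name_only_check(typo, "Vijay Kumar"))
    print("verified  :", verified_check(typo, "Vijay Kumar", "0001", "Example Bank A"))
```

With the mistyped address, the name-only check passes because both entries display "Vijay Kumar", while the cross-check refuses the transfer because the mobile number and bank belong to a different person.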
There is an option to refund the money to the sender, but only on the receiver's end. There is no option to raise a complaint on the sender's side. Many of the banks are unable to get the money back if it is wrongly sent to another person. There is no option in the UPI ecosystem for such cases. How can this be? Why did they not think about this?
The same issue was faced by us when we sent about 9200 to the wrong ID. The bank (Axis) that we used could not get our money back, even though we made a complaint within a few minutes. It was also not possible for us to track who it was sent to and request them to send it back.
We recommend that people stick to the traditional NEFT and IMPS for any high-value transactions, as there is no support in the UPI system for raising issues during transactions.
via E Hacking News - Latest Hacker News and IT Security News Are enough safeguards built within BHIM? http://ift.tt/2lOFsJy