UPI bugs again: Bank of Maharashtra hacked, Rs1.42 cr stolen

27 Mar 2017

Twenty-two residents of Bhayandar allegedly took advantage of a bug in a bank's Unified Payment Interface (UPI) mobile application to transfer Rs1.42 crore from the Bank of Maharashtra into several bank accounts belonging to the accused, a report in The Indian Express said.

The UPI has been developed and launched by the National Payments Corporation of India (NPCI) after the government decided to give digital payments a push in the aftermath of demonetization. UPI lets you send and receive money through your mobile phone by only using the corresponding party's cell phone number.

The report said that the Bank of Maharashtra has filed a complaint against 22 individuals for allegedly hacking the central server of the bank in South Mumbai and exploiting a bug in the UPI app to make 142 transfers of Rs1 lakh each between 26 December 2016 and 18 January 2017. The bank realised it had lost over Rs1 crore in January, after which it froze the accounts of the accused and sent them notices to appear at the bank. After they failed to turn up, the bank filed the police complaint.

The report said, Navghar police station booked Bhayander residents Jaswant Damania, his sons Raj Damania and Pritesh Damania, Prateek Poojary, and Bharat Gawale, and an Aurangabad resident identified only as Deepak, as well as  16 others. They have been charged with cheating, forgery, and criminal conspiracy under the Indian Penal Code and for identity theft under the Informational Technology Act.

The police said that Gawale and Deepak managed to hack in to the Bank of Maharashtra's servers last year and gathered the account details of account holders of the Bhayander East branch and added them as beneficiaries. Once they had the account numbers, all they had to do was download the UPI app on their mobile phones and link the bank details. They also got several sim cards and linked the "hacked" account numbers to those sim cards.

"The accused would instantly approve the transfers once OTPs were sent to those sim cards," the police said.

While the police have not made any arrests yet, the bank said all the money was transferred to the Damania family accounts. In fact, Jaswant Damania also allegedly transferred Rs2 lakh back to the bank feigning ignorance about the source of the money in his bank account.

According to a report in MoneyControl.com, earlier in the month, the Bank had filed a First Information Report in Pune against 50 people for exploiting a bug in its app, causing a loss of Rs6.14 crore. In this case, the fraudsters allegedly sent Rs1 lakh to themselves regularly over a period of 48 days.

On 22 March, NPCI and iSpirit put out a joint statement about the breaches, saying that the reason was certain bugs in the specific Bank of Maharashtra UPI app. After the news of the two cases came out, there were questions raised about the security of UPI and the other government developed app - BHIM.

NPCI said there was no vulnerability in the UPI framework as it had carried out intensive testing and continuous monitoring of the UPI infrastructure. (See: BHIM is hack-proof, all loopholes plugged: NPCI).