Tool uses three-factor authentication, making it easier to trace fraud

Allaying security concerns over the Centre’s flagship digital payment application BHIM, the CEO of cybersecurity solutions firm Lucideus said it was currently among the most secure ways to make digital payments.

Saket Modi, CEO of Lucideus, one of the many firms involved in testing the UPI-based application’s safety, said that increasing adoption of the Unified Payments Interface (UPI) payment mechanism would spell doom for mobile wallets, which saw a surge in usage in the past two months owing to the cash crisis that followed the demonetisation of high-value currency on November 8.

‘Not in haste’

Comparing the BHIM App with larger apps like Facebook, Mr. Modi said that testing an app such as the latter, with 200-odd features, may take a year, but the BHIM App has only two features, so the argument that it was released hastily without appropriate testing doesn’t hold water.

“The security of an application definitely requires a particular time frame, but that isn’t a valid argument. BHIM has only two main features — send or ask for money and see your account balance or previous UPI transactions. Somebody who says this needs to find a flaw and report it,” he told The Hindu.

“We have been working on UPI for many months. BHIM is only an abstraction layer on top of UPI. The UPI common library, a piece of code that NPCI made and gave to every bank to be embedded into their net banking application, was already there,” he said, stressing that this should quell concerns about the application’s security based on its creation in a short span of time.

The encryption used for the application to communicate with the payments server is the same as that used in Google Wallet or Apple Pay.

While e-wallets use a one-factor authentication mode by default, both net banking and credit or debit cards use two-factor authentication.

“BHIM uses three-factor authentication and hence, is relatively more secure from a consumer point of view. It also combines the convenience of a mobile wallet with the security of net banking,” he said.

When a user opens the BHIM application for the first time, the application automatically binds itself to their device ID and phone number, both of which are unique. This means that the same UPI account cannot be used from two phones. The BHIM application will also not work on a phone which doesn’t have a SIM card.

“This uniquely identifies not just the device but the active number. If there is some fraud…you have an operational number plus the device ID, which in some cases can be masked, but a combination of both makes it easy to track the cell phone and law enforcement agencies can physically trace the person, if needed,” Mr. Modi said.

“The third factor is the UPI PIN, set by the user, which will be required for every transaction through the application.” No user would be able to do transactions without the UPI PIN, he said.

M-wallets doomed?

“You can send and receive money in real time very conveniently and securely. So you don’t require m-wallets now as UPI and BHIM are there. Once everybody gets a Virtual Payment Address, why would you ever want to upload money into a wallet from your bank when you can pay directly?” he said, pointing out that UPI eliminates the need for a third party wallet.

Once the BHIM App is installed, the user can select her bank out of the 35 listed banks.

The application, which already knows the phone number, runs a check to match the mobile number against the selected bank’s database to automatically detect the account whose KYC details the user has already filled in while opening the bank account.
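A toy model of the first-launch binding and the per-transaction checks the article attributes to BHIM (device ID plus active phone number bound to one UPI address, account discovery by mobile number against the bank’s records, and the UPI PIN demanded on every transaction), added here as an illustration; it is not NPCI, BHIM or Lucideus code. The class and function names, the in-memory bank records, the salted PBKDF2 PIN storage and the lock-out after three wrong PINs are assumptions of the example, not features the article describes. In threat-model terms the device ID and the SIM number are both possession signals tied to the same handset, so the model checks them together and keeps the PIN, the only knowledge factor, mandatory on every transaction.

```python
"""Toy model of BHIM-style enrolment and transaction checks.

Added illustration for this page, not NPCI/BHIM/Lucideus code. Names,
the PBKDF2 PIN storage, the lock-out rule and the bank records below
are all assumptions made for the example.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: any slow, salted hash would do

# Constructed sample data: each bank's KYC records keyed by registered mobile number.
BANK_DB = {
    "StateBank": {"+919999000001": "SB-ACC-0001"},
    "UnionBank": {"+919999000002": "UB-ACC-0777"},
}


class BindingError(Exception):
    """First-launch binding or account discovery failed."""


class AuthError(Exception):
    """A transaction failed one of the three checks."""


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted slow hash of the PIN, never the PIN itself (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class UpiBackend:
    """Server-side view: one binding record per Virtual Payment Address (VPA)."""

    def __init__(self):
        self.bindings = {}  # vpa -> binding record

    def enroll(self, vpa, device_id, sim_number, bank, pin):
        """First launch: bind the VPA to this handset and find the KYC'd account."""
        if not sim_number:
            raise BindingError("no active SIM: app cannot bind to a phone number")
        if vpa in self.bindings:
            raise BindingError("VPA already bound to another device")
        account = BANK_DB.get(bank, {}).get(sim_number)  # lookup by registered mobile number
        if account is None:
            raise BindingError("no account at %s registered to %s" % (bank, sim_number))
        if not (pin.isdigit() and 4 <= len(pin) <= 6):
            raise BindingError("UPI PIN must be 4-6 digits")
        salt = os.urandom(16)
        self.bindings[vpa] = {
            "device_id": device_id,
            "sim_number": sim_number,
            "account": account,
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "failures": 0,
        }
        return account

    def _authorise(self, vpa, device_id, sim_number, pin):
        rec = self.bindings.get(vpa)
        if rec is None:
            raise AuthError("unknown VPA")
        if not sim_number:
            raise AuthError("no active SIM")
        # Possession checks: the bound handset and the bound number, verified together.
        if rec["device_id"] != device_id or rec["sim_number"] != sim_number:
            raise AuthError("device/SIM mismatch: not the phone this VPA was bound on")
        if rec["failures"] >= 3:
            raise AuthError("PIN locked after repeated failures")
        # Knowledge check: the UPI PIN, required for every transaction.
        if not hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] += 1
            raise AuthError("wrong UPI PIN")
        rec["failures"] = 0
        return rec

    def send_money(self, vpa, device_id, sim_number, pin, to_vpa, amount):
        rec = self._authorise(vpa, device_id, sim_number, pin)
        return {"from": rec["account"], "to": to_vpa, "amount": amount, "status": "OK"}


def run_demo():
    """Happy path plus each failure mode; returns the outcome of every step by name."""
    backend = UpiBackend()
    out = {}
    out["enroll"] = backend.enroll("alice@upi", "dev-A", "+919999000001", "StateBank", "4321")
    out["pay"] = backend.send_money("alice@upi", "dev-A", "+919999000001", "4321", "shop@upi", 250)["status"]
    attempts = {
        "wrong_pin": ("alice@upi", "dev-A", "+919999000001", "0000"),
        "other_phone": ("alice@upi", "dev-B", "+919999000001", "4321"),
        "sim_removed": ("alice@upi", "dev-A", "", "4321"),
    }
    for name, args in attempts.items():
        try:
            backend.send_money(*args, "shop@upi", 250)
            out[name] = "OK"
        except AuthError as e:
            out[name] = str(e)
    try:  # a second handset trying to claim the same VPA
        backend.enroll("alice@upi", "dev-B", "+919999000001", "StateBank", "4321")
        out["rebind"] = "OK"
    except BindingError as e:
        out["rebind"] = str(e)
    return out


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:12s} {result}")
```

Running the module walks through the happy path and the three rejections (wrong PIN, a second handset presenting the same VPA and number, SIM removed), then an attempt to re-enrol the same VPA from another phone, which the one-VPA-one-device rule refuses.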

For consumers, before UPI, there were three popular options for digital payment: net banking, mobile wallets and plastic cards.

Net banking allows a user to access the bank account without going to the bank, but a third-party transfer, even within the same bank, takes a minimum of 30 minutes.

“The entire net banking process is lengthy and complex… That is where e-wallets came in. They are far more convenient (don’t even ask for a KYC). But convenience always comes at a cost,” Mr. Modi said. “With cards, there is an issue of limited PoS terminals along with the physical logistics of manufacturing and delivering a card,” he explained.

Mr. Modi’s firm Lucideus has also been involved in the security of the UPI common library. “We have done the security for the code… which is the heart of UPI.”