lucknow

Updated: Jul 01, 2017 15:57 IST

Aadhaar-based mobile payment application - BHIM (Bharat Interface for Money) - and other similar unified payment interfaces (UPI), all of which were launched to make digital transactions easier for people, are not as safe as most people think them to be.

The UP Special Task Force (STF) on Friday busted a gang of online fraudsters who have been cheating people through gaps in the UPI and banking systems.

The two arrested on Friday include a former employee of Axis Bank in Lucknow.

“Multiple people are involved in this racket, but the key operatives are operating from Mumbai, Delhi and the National Capital Region,” said an STF official.

How the scam worked Customer information like account number, registered mobile number, debit card number and its expiry date were passed on by the bank employee to his contact.

A duplicate SIM of the customer’s phone number was applied for, citing cell phone upgrade or other reasons.

On receiving the new SIM, a fake unified payment interface app (like BHIM) was downloaded and an account created using stolen customer details.

Money was transferred to these fake UPI accounts.

The scam worked as bank accounts are linked to mobile numbers.

Additional superintendent of police (ASP) - STF, Triveni Singh told HT that 13 cases have been detected in UP.

“These are from Kanpur, Gorakhpur, Siddarthnagar, Mahoba and Behraich. At least ₹ 45 lakh was withdrawn fraudulently, using BHIM and other UPIs between November 5, 2016 and March 6, 2017, in over 240 online transactions. The modus operandi has exposed banks’ vulnerability to frauds. There’s a possibility of more cases surfacing.”

He said only four people lodged FIRs. “The local police filed the final report in all cases after the banks concerned refunded their clients. But the fraudsters were untraceable.”

However, the STF cyber cell working on these cases discovered a common link in all 13 cases -- the involvement of Vijay Pandey, a customer support officer of Axis Bank branch.

When quizzed, Pandey said that one Dharmendra Pathak of Ghazipur used to pay him for leaking customer information.

“Pathak, in turn, was associated to another person, who was linked to key operatives in Mumbai, Delhi, Noida and Gurgaon. The key operatives were using the leaked information to download BHIM and other UPIs in the clueless customers’ names, and transferring money to different fake banks accounts,” explained Singh.

MODUS OPERANDI

For this sort of a fraud, four key pieces of customer information are needed — account number, registered mobile number, debit card number and its expiry date. The fraudsters got this through a bank employee, who took screenshots of customer details and passed it on to his contact through whatsapp.

Then, duplicate SIMs were applied for by blocking the customers’ phone numbers, and applying for new connections on the pretext of cell phone upgrades to 4G connection and other such reasons.

As soon as the new SIMs were procured, money was transferred to fake UPI accounts. The scam worked as bank accounts are linked to mobile numbers. All notifications are received on one’s registered phone number.

LOOPHOLES

Some key loopholes that have emerged from these cases is that sensitive information of customers was made available to a third party banking partner. The third party banking employees has access to details like customer name, address, account number, card number and expiry, PAN and mobile phone details.

The second big gap is the ease with which duplicate SIMs were arranged - without a thorough document verification. A re-verification of customer documents before issuing of a duplicate SIM should be made mandatory.

STF SECURITY SUGGESTIONS

ASP Triveni Singh said a letter will be sent to the authorities of the National Payment Corporation of India, the Reserve Bank of India, and other banking agencies, recommending additional security measures to safeguard customer details. “We will recommended that all customer details should not be available on a common platform. Also that only responsible people should be allowed access to such information.”