To Trust or Not to Trust?
Fintech has been among the greatest innovations in the financial world in the last decade. It has undoubtedly simplified our daily lives through countless applications. One such application is UPI, which greatly streamlines the payment process for many online and offline transactions. However, as with any new technology and innovation, there exist many concerns over the security of the application and the safety of the consumer. This article aims to address some of these concerns brought about by the advent of fintech and more specifically UPI in our daily lives, and to provide some safety precautions that we should take in order to ensure the privacy and security of our data and finances.
So, what exactly is UPI again?
Unified Payments Interface or UPI is simply a mobile-enabled real-time money transfer mechanism. It makes digital transactions seamless, instantaneous and cost-conscious. Post demonetization in India, there was an increasing demand for an easy and online mode of money transfer with minimum transactional costs. And NPCI (National Payments Corporation of India) said, "Let there be UPI!" The facet of UPI that separates it from other modes of monetary transactions is that within a few seconds, the entire transaction process can be completed anytime and anywhere, given that you have a smartphone, internet connectivity and a bank account. Gone are the days when we needed to carry cash, had to stand in long lines at banks, struggled to understand the differences between IMPS, NEFT and RTGS, or had to endure bad user interfaces of bank websites. Sounds great, right? So everyone, or at least the ones who own smartphones and have a bank account, must have already resorted to this magic bullet, right? Well, not quite.
Since 2016, UPI has managed to change the digital payment ecosystem in India and ever since, UPI transactions have increased exponentially every year. Evidently, UPI is increasingly being accepted owing to its simplicity, usability, ubiquity, convenience and real-time processing. And yet, there appears to be more apprehension than trust in the Aadhaar-backed UPI application. Given their dexterity with technology, the tech-savvy users have largely shifted to UPI and have adopted the click, swipe and pay-as-you-go methodology agreeably. However, there still exists a large number of people who refrain from using, let alone embracing, UPI. In most cases, they are either not very comfortable with technology or they are normally comfortable with technology but are skeptical with regard to the financial transactions that seem to magically happen in thin air through a smartphone.
I belong to the tech-savvy category, do I need to read further?
We request you do. One of the major reasons why UPI is popular and widely used is its robust security features. Attributes like mobile number verification, two-factor authentication and UPI verification should take away most of the apprehensions. However, these means of added security are only as good as the user's understanding of these risks. What if your login credentials are at risk? What if someone gains access to your physical device? What if your internet connection isn’t as secure as you hoped it would be? Would UPI’s robust design and secure architecture still be able to protect you?
Tech-savvy people, too, occasionally fall prey to some of the risks associated with technology. The following are some of the generally prevalent tech/fintech safeguards, along with some concerns and measures pertaining to UPI that we think everyone should keep in mind.
Login Information
The security risks that exist in the fintech landscape include many different elements. The first is the standard risk of login details, as in any other online account. If your password or PIN is compromised, then your account is at risk. This could be on an individual level or a failure of the company to keep its database secure, causing widespread theft of login details. To avoid any breaches from affecting every account you possess, make sure that your passwords are different for all the different services you use. This ensures that if one of the accounts is compromised, other accounts of yours are not at risk. Also, although it is a very banal principle, having passwords that are hard to guess but easy to remember still makes life much easier.
Two-Factor Authentication
Generally, one step of security that stays constant through most use cases is the application of Two-Factor Authentication (also known as 2FA). This involves the use of a secondary source or device for authorising login details. In practice, this is seen when applications send an OTP (one-time password) to your email or phone number in order to log into your account. Enabling this in any application that allows it is one of the most important steps for increasing the security level of your accounts. This step also helps in alerting you when someone unauthorised is trying to access your account, since you may receive an SMS code or email that lets you know someone attempted to log in. Some apps and services support third-party 2FA software such as Google Authenticator. It generates a time-based secret key that the user needs to enter into the app/service in addition to their username and password. With such authentication in place, the attacker cannot break into a user’s account with a mere username and password. They would also need to either know the secret key, which keeps getting updated periodically, or gain physical access to the device running the third-party Authenticator app.
Open Source Software and Expert Reviews
One helpful factor in understanding the security level of a wallet or UPI app is whether the program is open source. This means that the source code that the program is created with is made publicly available. When a developer releases the code, it becomes possible to analyse it and understand just how secure it really is. Further, the fact that code is made available shows a degree of transparency, which in itself is more trustworthy than no such transparency. If you are a consumer who does not possess knowledge of programming, you should look out for reviews of the security level of an app from those who specialise in this field. It is through this method that we can most reliably compare the security levels of various UPI applications or crypto wallets in order to understand which one to opt for when you want maximum safety of your finances.
UPI Safety
The money transfer on UPI takes place solely with the help of a virtual payment address or a VPA, which is basically a personal identifier that is mapped to the user’s account. For instance, BHIM, Paytm, Google Pay, or any other UPI app will provide you with unique VPAs. Multiple VPAs can link to a single bank account, and a single VPA can link to multiple bank accounts. Some VPAs may be available only for one-time usage or for a limited time, whereas some providers may give you an option to limit VPAs to certain payees only. These techniques surely help in increasing the overall security of the platform. Another thing to take care of is to verify the beneficiary details, such as the VPA or the phone number you are transferring money to, multiple times. UPI is only a processing interface and unlike banks, it has no provision to reverse a transaction. Because the money transfer happens almost instantaneously, the only resort would be requesting the wrong beneficiary to return the money, without a guarantee. Oftentimes, having a limit on your transaction may alleviate some of the risk associated with this issue.
General UPI Safeguards
Here are some general measures to keep in mind while using UPI:
a. You need to enter your PIN only to send money using UPI, never to receive money.
b. Pay attention to the spam warnings that are marked on suspicious UPI requests.
c. Avoid using open Wi-Fi and always ensure that you trust the Wi-Fi connection you are using. Further, you may wish to use a VPN (virtual private network) when connecting to unfamiliar Wi-Fi networks.
d. Do not let your UPI account sit idle for a long time and pay attention to the SMS messages from your bank. Check both of them regularly and watch out for red flags.
e. Beware of social engineering tricks and remember that there are no free lunches. Fraudsters often call customers on the pretext of offering them cashbacks or gift vouchers. They could also claim that your bank account or UPI account has technical issues and may try to manipulate you into divulging confidential information. If they know about an error in your account before you do, something is fishy!
But I already knew all of this. What else am I looking at?
This list is by no means exhaustive and is intended merely as an introductory article. Going forward, we’ll be delving much deeper into the technicalities of technology, finance and everything that lies at the intersection of the two. No list of best practices for fintech can ever be complete, and this is precisely what makes it a tricky domain and causes several individuals to be wary of fintech applications. Fintech has given us a lot of power in a short amount of time. We (Ashoka Fintech Society) aim to make you more aware of and more responsible for those powers.