Protect yourself from unauthorized EPF apps


Most of us like to check our provident fund corpus frequently. We may also like to stay up to date about the progress of processes involved in transferring money from one account to another or in withdrawing money. And there are many apps out there that claim to help us do all this over a mobile phone. Plus, they are all free of cost.

But did you know that the ease of accessing all this information comes at a price? You pay for it by sharing crucial personal details such as the Universal Account Number (UAN) and password. That’s not all. You are likely to be sharing it with mobile apps or third-party applications, which do not have the Employees’ Provident Fund Organisation’s (EPFO’s) sanction or certification to receive this information. We are not saying that these are illegal, just that they have not been certified by the EPFO. And some of these apps are very popular too. We came across at least six such apps on Google’s Play Store—providing some EPFO-related information or service—which have seen over 500,000 downloads each.

These apps are: EPF Check Balance by Technical Likes; EPF Passbook, EPF Balance, PF Claim Status and UAN by factoB; PF Balance and Claim Status by Arbaz Alam; EPF Balance, Passbook and EPFO Claim status by ampower; EPF Balance Online | PF Status by EPF Office; and Check Your EPF Balance by S4 IT Tech. Mint Money sent a set of questions through email to these app developers and got a reply only from ampower.

Graphic: Vipul Sharma/Mint
One reason for the popularity of these apps could be that the EPFO does not have a dedicated app of its own. A user review of the factoB app mentioned above sums it up. It reads: “Such a great app which gives the information regarding the PF, which the original one (Govt PF app) isnt useful in doing (sic).”

Till recently, the EPFO had an app called m-EPF. It was unpublished because its services are now hosted on the Umang app. Apart from the apps mentioned above, there are several others that have downloads of over 100,000.

Just what drives the app developers to build these apps? And, is it wise to share critical information with them? Let’s look into the details.

Checking PF without apps

The EPFO has two websites for providing services to employees. One is a UAN Member Portal, which can be used to update Know Your Customer (KYC) details, link Aadhaar number, link or update bank account, and place and track transfer or withdrawal requests.

The other one is primarily used by employees to check their EPF passbook. The user ID for both websites is your UAN. While activating the UAN through the UAN member portal, you create a unique password, which can be used across both the EPFO sites mentioned above. These services are also available on the Umang app, which gives access to over 200 services offered by central, state and local government bodies. Despite these avenues, many other apps also offer to give you access to your EPF data, if you share your personal details with them. So, is your personal information at risk?

Checking PF with apps

Amit Jaju, head of forensic technology, EY India, said that a lot of these apps are not really independent apps. They just provide an interface to access EPFO websites. The developer of one of these apps said that these applications, essentially, act like web browsers with the EPF websites already bookmarked. “Either that, or they are querying EPFO data in the background from the EPFO website and providing the resulting information in their interface,” said Jaju.

In response to our questions, ampower said it does not have any tie-up with EPFO or the government and all the services “are provided by the EPFO through different websites and other means which we have brought under one app for user convenience.” This means, the app works as an aggregator of EPFO-related information.

So, how are these apps able to access all the information so easily? V.P. Joy, central provident fund commissioner of the EPFO, said, “When somebody makes an app and sends a request to our website, the website doesn’t know if the request is coming through an app or if someone is typing directly on the website. So our website will give the answer.”

This raises a question. Is it possible for these apps to save your user ID (UAN) and the related password (credentials)? “None of the user information is stored in our system. The app works on a stand-alone basis and is not connected to any external system. User data is stored only on (a user’s) mobile. The information is as safe as the other information stored on mobile,” said the developer ampower. Jaju, however, said that it is possible for an app to trick users and capture their credentials. “Possibly many of these apps are malware and they have been put out there just to steal information. These apps can be smart enough to bypass compliance and security checks of the application stores,” he added.

The app business model

Jaju said that there could be two possible business intents in building these apps. One is advertising revenue. “But I don’t think we need to check EPFO balance every day. So the ad revenue potential is very limited in such apps, which are not of daily use,” Jaju explained. “The second objective is cross-selling products, which is a better business opportunity for these app developers. So the moment you check your balance, it will give you investment advice or will suggest you to move your money to some other product as a follow-on email or a telemarketing campaign,” he added. These are all, broadly speaking, legitimate activities.

There could also be malicious intent behind building these apps. This intent, in extreme cases, could be to steal information that can be used to withdraw money from your provident fund in an unauthorised manner, Jaju said.

You know that when you download an app from the Play Store, the app asks for various permissions for a variety of things, which could also include access to your SMS inbox. This is typically true for apps that require an OTP for transactions to go through.

If you are using an uncertified app for using EPFO services and the app has permission to read the SMSs on your phone, apart from other things, it leaves your EPF account vulnerable to hacking. This is so because the UAN member portal authorizes requests like transfer or withdrawal of funds using an OTP sent on the mobile phone linked with the UAN.

While most apps seek access to your UAN and password (which they need to do anything useful) in good faith, when they also access your SMS inbox, there is a possibility that someone with criminal intent could place a request and authorize the withdrawal of your EPF money.
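The warning sign described above, an EPF app that asks for both network access and the right to read incoming SMS, can be checked before installing by looking at the permissions the app declares in its AndroidManifest.xml. The following is an added example, not code from the article or from any of the apps named in it; the manifests are constructed samples, and the package names and labels are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read OTPs delivered over SMS.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed manifest for a hypothetical third-party EPF balance app
# that requests SMS access alongside network access.
RISKY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.epfbalance">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="EPF Balance Checker"/>
</manifest>"""

# Constructed manifest for an app that only needs the network,
# which is all a web-browser-style wrapper around the EPFO site requires.
PLAIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.epfviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="EPF Viewer"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def otp_interception_risk(manifest_xml):
    """Flag an app that can both read SMS (where EPFO OTPs arrive) and talk to the network."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMISSIONS)
    has_network = NETWORK_PERMISSION in perms
    return {
        "sms_permissions": sms,
        "has_network": has_network,
        "high_risk": bool(sms) and has_network,
    }
```

For a packaged APK the manifest is stored in binary form and must be decoded first (for example with apktool) before it can be fed to this parser.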

Official and unofficial apps

The EPFO now hosts its services on the Umang app, which is not exclusive to EPFO. It is published by the Ministry of Electronics and Information Technology, and is available on Google Play Store for Android devices, App Store for iOS, and Microsoft Store for Windows devices. It is a common platform for various government services such as gas booking, Aadhaar, crop insurance, EPF and National Pension System.

With the m-EPF app unpublished, Umang is now the only officially approved app providing EPFO services. “Our only official app now is the Umang app. We have not authorized anyone else to make any app,” said Joy, adding that the unauthorized apps have come to the notice of EPFO and it is exploring ways in which these can be controlled or taken down.

“Some of these apps are using our name and even our emblem. They have no right to do that,” Joy said. One of the apps listed above even uses the misleading publisher name ‘EPFO Office’ and uses ‘[email protected]’ as its email ID. The fine print in the description, however, mentions, “This is an Unofficial App!”

So the next time you want to check your EPF balance, your EPF passbook, or want to make an online request to the EPF, use the official Umang app. Not just for EPF, make it a standard practice to use apps only from reliable developers and check their authenticity.
