Twenty-two residents of Bhayandar allegedly took advantage of a bug in a bank’s Unified Payment Interface (UPI) mobile application to transfer Rs 1.42 crore from the Bank of Maharashtra into several bank accounts belonging to the accused, a report by The Indian Express said.
UPI has been developed and launched by the National Payments Corporation of India (NPCI) after the government decided to give digital payments a push, in the aftermath of demonetization. UPI lets you send and receive money through your mobile phone by only using the other party’s cell phone number.
The report said that the Bank of Maharashtra has filed a complaint against 22 individuals for allegedly hacking the central server of the bank in South Mumbai and exploiting a bug in the UPI app to make 142 transfers of Rs 1 lakh each between December 26, 2016 and January 18, 2017. The bank realised in January that it had lost over Rs 1 crore, after which it froze the accounts of the accused and sent them notices to appear at the bank. After they failed to turn up, the bank went ahead and filed the police complaint.
The report said, “Navghar police station booked Bhayander residents Jaswant Damania, his sons Raj Damania and Pritest Damania, Prateek Poojary, and Bharat Gawale, an Aurangabad resident identified only as Deepak apart from 16 others.” They have been charged with cheating, forgery, and criminal conspiracy under the Indian Penal Code and with identity theft under the Information Technology Act, the report said.
How did these hackers siphon off Rs 1.42 crore?
According to the report, the police said that Gawale and Deepak managed to hack into the Bank of Maharashtra’s servers last year, gathered the account details of account holders of the Bhayander East branch and added them as beneficiaries. Once they had the account numbers, all they had to do was download the UPI app on their mobile phones and link their bank details. They also got several SIM cards and linked the “hacked” account numbers to those SIM cards.
The police complaint noted that the two accused all the transactions. “The accused would instantly approve the transfers once OTPs were sent to those sim cards,” the police said.
While the police have not made any arrests yet, the bank said all the money was transferred to the Damania family accounts. In fact, Jaswant Damania also allegedly transferred Rs 2 lakh back to the bank, feigning ignorance about the source of the money in his bank account.
According to a report in MoneyControl.com, earlier in the month, the bank had filed an FIR in Pune against 50 people for misusing the bug in its app, causing a loss of Rs 6.14 crore. In this case, the fraudsters allegedly sent Rs 1 lakh to themselves over a period of 48 days.
On March 22, according to a FirstPost report, NPCI and iSpirit put out a joint statement about the breaches, saying that the reason was certain bugs in the Bank of Maharashtra’s specific UPI app. After the news of the two cases came out, questions were raised about the security of UPI and of the other government-developed app, BHIM.
NPCI said there was no vulnerability in the UPI framework as it had carried out intensive testing and continuous monitoring of the UPI infrastructure.