Enable bank UPI with #Aadhaar OTP
timesofindia.indiatimes.com/articleshow/90… . This is a frankenstein monster, under the garb of supporting UPI123Pay / feature phone #UPI support and is compromising security risk for a majority of users. Lets understand in a #Thread
cc @suchetadalal @dilipasbe
timesofindia.indiatimes.com/articleshow/90… . This is a frankenstein monster, under the garb of supporting UPI123Pay / feature phone #UPI support and is compromising security risk for a majority of users. Lets understand in a #Thread
cc @suchetadalal @dilipasbe
This week @RBI launched #UPI123Pay aka a set of options to support #UPI on feature phone
rbi.org.in/Scripts/BS_Pre…
UPI PIN in addition to device binding constitute the 2 factors of authentication. As any #UPI user would know, (re)setting #UPI PIN requires debit card authentication
rbi.org.in/Scripts/BS_Pre…
UPI PIN in addition to device binding constitute the 2 factors of authentication. As any #UPI user would know, (re)setting #UPI PIN requires debit card authentication
Did you know banks don't issue debit cards in rural india? How will they use the feature phone UPI then ?
livemint.com/industry/banki…
Push for a UPI ecosystem minus debit cards as RBI vows inclusion
livemint.com/industry/banki…
Push for a UPI ecosystem minus debit cards as RBI vows inclusion
The @timesofindia story at the start of thread refers to compliance of this @UPI_NPCI circular is due by Mar 15 and customers can (re)set UPI PIN without debit card, just by #Aadhaar OTP. This might help the feature phone user, who was denied debit card
https://twitter.com/logic/status/1438054033390977024
But what does it do for you? Lets take a hypothetical scenario and see what can happen?
You have misplaced your mobile with UPI apps installed in a bus / train. The person can actually open UPI app (Not all UPI apps are password locked), request reset of UPI PIN
You have misplaced your mobile with UPI apps installed in a bus / train. The person can actually open UPI app (Not all UPI apps are password locked), request reset of UPI PIN
and now, since debit card is no longer required for reset, at best might need to enter Aadhaar (which leaks like anything, you / app you use might have saved offlineAadhaar in downloads folder too) and OTP will be sent to same device, after which UPI PIN can be reset
Now - you did not just lose your mobile, but also lost access to your bank account. The person can wipe off your balance by going to nearest shop and getting costliest mobile available and walk away. All in < 30 mins?
The question to ask if - Do you have opt out of this? if you have linked your bank account to Aadhaar / Aadhaar to mobile number?
Answer is yes - you should get #Aadhaar unlinked from your bank account.
But what if you need subsidy? You will be put to risk for UPI to grow
Answer is yes - you should get #Aadhaar unlinked from your bank account.
But what if you need subsidy? You will be put to risk for UPI to grow
The @RBI gives granular controls on cards to block. But same is non-existant for Aadhaar and partially existing for UPI (You can turn off UPI, in a complicated manner if you have registered once).
Until this outright preferential treatment is fixed, your account is at risk.
Until this outright preferential treatment is fixed, your account is at risk.
Do tell as many as you can about the risks, otherwise starting Mar 15, its going to be a field day for fraudsters and lot of people are going to lose access - for UPI growth.
Lets just see the specific delta this move have caused to same misplaced-phone scenario. What is needed to reset?
1. Last 6 digits of debit 💳(Even charge slips have only last 4)
2. Expiry (Saved 💳)
3. Debit card PIN 🤩Secret🤩
4. Bank OTP (Same 📱, so that is delivered)
Safe
1. Last 6 digits of debit 💳(Even charge slips have only last 4)
2. Expiry (Saved 💳)
3. Debit card PIN 🤩Secret🤩
4. Bank OTP (Same 📱, so that is delivered)
Safe
After this circular, whats needed
1. Last 4 digits of Aadhaar (Most cases it will in SMS history,open file explorer and search 'offlineaadhaar'), Public even by #Aadhaar masking standards
2. Aadhaar OTP (Same 📱, so that is delivered)
3. Bank OTP (Same 📱, so that is delivered)
1. Last 4 digits of Aadhaar (Most cases it will in SMS history,open file explorer and search 'offlineaadhaar'), Public even by #Aadhaar masking standards
2. Aadhaar OTP (Same 📱, so that is delivered)
3. Bank OTP (Same 📱, so that is delivered)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
