Enable bank UPI with #Aadhaar OTP timesofindia.indiatimes.com/articleshow/90… . This is a Frankenstein monster: under the garb of supporting UPI123Pay / feature phone #UPI, it raises the security risk for a majority of users. Let's understand in a #Thread
UPI PIN, in addition to device binding, constitutes the two factors of authentication. As any #UPI user would know, (re)setting the #UPI PIN requires debit card authentication.
Did you know banks don't issue debit cards in rural India? How will those users use feature phone UPI then?
Push for a UPI ecosystem minus debit cards as RBI vows inclusion
The @timesofindia story at the start of the thread refers to this @UPI_NPCI circular, compliance with which is due by Mar 15: customers can (re)set the UPI PIN without a debit card, just with #Aadhaar OTP. This might help the feature phone user who was denied a debit card.
But what does it do for you? Let's take a hypothetical scenario and see what can happen.
You have misplaced your mobile, with UPI apps installed, in a bus / train. The finder can actually open the UPI app (not all UPI apps are password locked) and request a reset of the UPI PIN,
and now, since a debit card is no longer required for the reset, they at most need to enter the Aadhaar number (which leaks like anything; you or an app you use might have saved the offline Aadhaar file in the Downloads folder too), and the OTP is sent to the same device, after which the UPI PIN can be reset.
Now you did not just lose your mobile, you also lost access to your bank account. The person can wipe out your balance by going to the nearest shop, buying the costliest mobile available and walking away. All in < 30 mins?
The question to ask is: do you have an opt-out of this if you have linked your bank account to Aadhaar / Aadhaar to your mobile number?
The answer is yes: you should get #Aadhaar unlinked from your bank account.
But what if you need a subsidy? You will be put at risk for UPI to grow.
The @RBI gives granular controls to block cards. But the same is non-existent for Aadhaar and only partially exists for UPI (you can turn off UPI, in a complicated manner, if you have registered once).
Until this outright preferential treatment is fixed, your account is at risk.
Do tell as many people as you can about the risks, otherwise starting Mar 15 it's going to be a field day for fraudsters and a lot of people are going to lose access, all for UPI growth.
Let's just see the specific delta this move has caused in the same misplaced-phone scenario. What is needed to reset?
Before this circular:
1. Last 6 digits of the debit 💳 (even charge slips have only the last 4)
2. Expiry (saved 💳)
3. Debit card PIN 🤩Secret🤩
4. Bank OTP (same 📱, so that is delivered)
Safe
After this circular, what's needed:
1. Last 4 digits of Aadhaar (in most cases it will be in SMS history; open the file explorer and search 'offlineaadhaar'). Public even by #Aadhaar masking standards.
2. Aadhaar OTP (same 📱, so that is delivered)
3. Bank OTP (same 📱, so that is delivered)
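To make the comparison above concrete, here is a small threat-model check written for this thread (it is not from the thread, NPCI or any bank). It tags each factor of the two reset flows with where it lives and asks which factors a finder holding the unlocked phone would still lack. The factor lists and channel labels are constructed from the two lists above; the "device" channel covers anything stored on or delivered to the phone, "memory" covers a secret only the user knows, and "public" covers a value exposed widely (a masked Aadhaar still shows its last 4 digits).

```python
"""Added example: does a lost, unlocked phone alone satisfy a UPI PIN reset flow?

Constructed model of the two flows compared in the thread; not code from the
thread, NPCI or any bank app.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    # "device": stored on / delivered to the phone (saved card, SMS OTP)
    # "memory": known only to the account holder (card PIN)
    # "public": widely exposed (masked Aadhaar still shows last 4 digits)
    channel: str


# Constructed from the thread's "before" list: card details are saved in the
# app on the phone, only the card PIN lives in the user's head.
BEFORE_CIRCULAR = (
    Factor("last 6 digits of debit card", "device"),
    Factor("card expiry", "device"),
    Factor("debit card PIN", "memory"),
    Factor("bank OTP", "device"),
)

# Constructed from the thread's "after" list: nothing is memory-only.
AFTER_CIRCULAR = (
    Factor("last 4 digits of Aadhaar", "public"),
    Factor("Aadhaar OTP", "device"),
    Factor("bank OTP", "device"),
)

# The thread's scenario: whoever picks up the phone has every device-bound
# factor and every public one.  A stricter attacker model (e.g. one that also
# knows the card PIN) would be expressed by adding "memory" here.
LOST_UNLOCKED_PHONE = frozenset({"device", "public"})


def surviving_factors(flow, compromised=LOST_UNLOCKED_PHONE):
    """Names of the factors the attacker still does not hold."""
    return [f.name for f in flow if f.channel not in compromised]


def independent_channels(flow):
    """Distinct channels a flow relies on; a flow that leans on one channel
    only is effectively single-factor against an attacker who owns it."""
    return {f.channel for f in flow}


def reset_possible(flow, compromised=LOST_UNLOCKED_PHONE):
    """True when every required factor is already in the attacker's hands."""
    return not surviving_factors(flow, compromised)


if __name__ == "__main__":
    for label, flow in (("before circular", BEFORE_CIRCULAR),
                        ("after circular", AFTER_CIRCULAR)):
        print(f"{label}: channels={sorted(independent_channels(flow))}, "
              f"attacker still lacks={surviving_factors(flow)}, "
              f"reset possible={reset_possible(flow)}")
```

The check captures the thread's point in one line of output per flow: an OTP delivered to the very device that was lost is not an independent factor, so the post-circular flow has no factor left that the finder does not already hold, whereas the earlier flow still stops at the card PIN.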