A computer science student from Mahendragarh, Haryana, has unveiled an innovative alternative to the Unified Payments Interface (UPI) system, aiming to significantly reduce online payment fraud and prevent erroneous money transfers. Ankit Thakur, a BTech student, embarked on this project after his father allegedly lost ₹20,000 in an online scam in 2020.
Thakur has generously offered his proposed system to the Government of India free of charge, hoping to benefit millions of UPI users across the country. He emphasizes that the model is designed to make digital payments inherently safer for users, virtually eliminating avenues for cyber fraud and mitigating losses from mistaken transactions.
Identifying Key Vulnerabilities
Ankit's interest in cybersecurity intensified following his father's incident. His research led him to identify three critical vulnerabilities in existing UPI applications that cyber criminals could exploit:
- Chrome Intent Vulnerability: This flaw allows malicious webpages to open sensitive applications, such as UPI apps, directly without user permission or a single click, providing scammers direct access to the payment interface.
- Authentication Bypass: Thakur found that attackers could bypass the initial layers of authentication, including app locks or biometric security. While Google Pay and Paytm reportedly fixed this issue after his report, he notes that similar loopholes might still exist in other applications.
- Audio Hijacking: Described as particularly dangerous, this vulnerability occurs when UPI apps fail to 'lock audio focus' during a transaction. A hidden, fake app can then play misleading audio—for example, 'Enter your PIN to receive money'—causing users to believe the prompt originates from the legitimate payment app and fall victim to fraud.
Ankit reported these issues to Google's security bot, which acknowledged one of the bugs and implemented corrective measures. Beyond his alternative payment model, he has also developed a complementary mobile UPI application. He believes that government support could greatly enhance his contribution to combating cyber fraud in India's rapidly expanding digital payments landscape.