UPI — SMS Spoofing
Device binding is an important security feature of UPI applications. During UPI registration, the mobile app generates a random string and sends it by SMS from the customer's SIM to a registration number; the server then binds the app on that device to the mobile number the SMS came from.
Fraudsters have found ways to bypass this check time and again. Recently, UPI SMS spoofing cases have been observed. Liability for the fraud should rest with the app provider, since the customer loses money because of a vulnerability in the app. Note that in the cases described here the SMS is not technically spoofed: it is sent from the victim's own SIM, so the registration server sees a genuine originating number and cannot tell, from the SMS alone, that the string was generated on a different device.
Step 1: Create a phishing link to harvest the victim's UPI MPIN.
Step 2: The fraudster generates the device-binding string on his own phone and sends it to the victim, asking him to forward it.
Step 3: The victim unknowingly sends the received device string to the UPI registration number from his own phone. The fraudster's device is thereby bound to the victim's mobile number.
Now the fraudster has the mobile app bound to the victim's number plus the MPIN, and withdraws the money.
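The three steps above, modelled end to end as an added example (this is not code from the page, from any UPI app or from NPCI). The registration number, the phone numbers and the device names are constructed; the "hardened" server is an illustrative control, assumed here for the purpose of the example, that refuses to silently re-bind a number already bound to another device and instead holds the attempt with the device details an investigator would ask for:

```python
import secrets
from dataclasses import dataclass
from typing import Optional

REG_NUMBER = "+911234500000"  # hypothetical UPI registration number (assumption)


@dataclass
class Device:
    """A phone running the UPI app. sim_number is the MSISDN of the SIM inside it."""
    device_id: str
    sim_number: str
    pending_token: Optional[str] = None

    def generate_binding_token(self) -> str:
        # The app generates a random string and remembers it so it can
        # claim the binding once the server has seen it arrive by SMS.
        self.pending_token = secrets.token_hex(16)
        return self.pending_token

    def send_sms(self, to: str, body: str) -> dict:
        # The originating number of any SMS is the SIM in *this* phone,
        # regardless of who composed the text being forwarded.
        return {"from": self.sim_number, "to": to, "body": body}


class BindingServer:
    """Toy model of the device-binding check: bind to the number that sent the token."""

    def __init__(self):
        self.bindings = {}     # mobile number -> device_id
        self.seen_tokens = {}  # token -> originating number

    def receive_sms(self, sms: dict) -> None:
        if sms["to"] == REG_NUMBER:
            self.seen_tokens[sms["body"]] = sms["from"]

    def claim_binding(self, device: Device) -> Optional[str]:
        # The server only learns which number sent the token; it cannot tell
        # whether that SIM sits in the device that generated the token.
        number = self.seen_tokens.get(device.pending_token)
        if number is None:
            return None
        self.bindings[number] = device.device_id
        return number


class HardenedBindingServer(BindingServer):
    """Illustrative control (an assumption of this example, not NPCI's rule):
    a number already bound to a different device is not silently re-bound.
    The attempt is held and logged with both device IDs for review."""

    def __init__(self):
        super().__init__()
        self.held = []  # list of (number, currently bound device, requesting device)

    def claim_binding(self, device: Device) -> Optional[str]:
        number = self.seen_tokens.get(device.pending_token)
        if number is None:
            return None
        current = self.bindings.get(number)
        if current is not None and current != device.device_id:
            self.held.append((number, current, device.device_id))
            return None
        self.bindings[number] = device.device_id
        return number


def run_scenario(server: BindingServer):
    """Replays the legitimate registration followed by Steps 2 and 3 of the fraud."""
    victim = Device("victim-phone", "+919876543210")         # constructed
    fraudster = Device("fraudster-phone", "+919000000001")   # constructed

    # Legitimate registration: the victim's app generates the token and the
    # victim's own SIM sends it to the registration number.
    token = victim.generate_binding_token()
    server.receive_sms(victim.send_sms(REG_NUMBER, token))
    server.claim_binding(victim)

    # Step 2: the fraudster generates a token on HIS phone and passes it to the
    # victim over any channel (call, chat, phishing page).
    fraud_token = fraudster.generate_binding_token()
    # Step 3: the victim forwards it from HIS OWN SIM, so the SMS carries the
    # victim's genuine originating number; nothing is spoofed on the wire.
    server.receive_sms(victim.send_sms(REG_NUMBER, fraud_token))
    # The fraudster's app now claims the binding that the victim's SMS created.
    result = server.claim_binding(fraudster)
    return result, dict(server.bindings)


if __name__ == "__main__":
    print("baseline:", run_scenario(BindingServer()))
    print("hardened:", run_scenario(HardenedBindingServer()))
```

With the baseline server the fraudster's phone ends up bound to the victim's number, exactly as in Step 3. The hardened variant does not make the SMS check stronger (it cannot, since the message is genuine); it turns a silent takeover into a held re-binding event that records the old and new device IDs, which is the kind of record the investigation steps below ask the app provider for. A real deployment would also have to confirm the change out of band on the previously bound device, which this example deliberately leaves out.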
Investigation Bits:
- Write to NPCI regarding the liability of the bank's application, as the fraud was made possible by its negligence.
- Obtain IP details, device details etc. from the UPI app provider for the device the fraudster used.
- Follow the money trail and freeze the funds / orders.