BHIM app: Three-factor authentication is key safety feature on this

BHIM’s launch comes at a time when the government has given a massive push to digital payments and the idea of a cashless economy.

Written by Shruti Dhapola | New Delhi | Updated: January 3, 2017 2:09 pm
Prime Minister Narendra Modi at the launch of mobile app ‘BHIM’ in New Delhi on Friday. (Source: PTI Photo)

To boost cashless transactions across the country after demonetisation, over 30 banks have, so far, launched their Unified Payments Interface (UPI)-enabled mobile applications. UPI, a payments system, was first announced in April 2016 by the National Payments Corporation of India (NPCI) along with the Reserve Bank of India (RBI). While mobile wallet companies such as Paytm and MobiKwik cashed in on demonetisation, UPI did not get that much of a push. Now the government has introduced a unified app for UPI called BHIM, which will let users transfer money to anyone with a UPI-enabled bank account, or even to a regular bank account through its IFSC code.

“Encryption for BHIM is in line with what a Google Wallet or Apple Pay will be using, but let’s remember this is just one aspect of the overall security,” says Saket Modi, CEO and co-founder of Lucideus Tech, one of the security vendors involved with the UPI system as well as the BHIM app. “We worked on the security of UPI’s common library. When (Erstwhile RBI Governor) Raghuram Rajan launched UPI, NPCI had made a library which it shared with all banks with net banking. They were asked to embed that common library inside their net banking application. So if you want to use UPI with just your bank, it means you have to download Pockets or the ICICI net-banking application which is UPI-enabled, to do these transactions,” explains Modi.

Modi said that before BHIM there was no common application for UPI alone. “This common library was always there, but now the only difference is that NPCI has its own app as well. This app will facilitate a lot more transactions using a uniform app,” says Modi, whose Lucideus worked on the security of the library.

The BHIM app has three levels of authentication. First, the app binds with a device’s ID and mobile number. Second, a user needs to sync whichever bank account (UPI or non-UPI enabled) in order to conduct the transaction. Third, when a user sets up the app they are asked to create a pin which is needed to log into the app. Further, the UPI pin, which a user creates with their bank account, is needed to go through with the transaction.

“From a consumer point of view, there are three levels of authentication that are required in this app. One is the device ID and mobile number, then the bank account which you are linking to this app, and finally the UPI Pin which is needed to complete the transaction. There are three factors of authentication versus a normal net banking app or a chip-pin debit card which will only have two factors of authentication,” points out Modi.

“Even if your phone gets stolen nobody can transact, until they know your UPI pin,” he says.

BHIM’s launch comes at a time when the government has given a massive push to digital payments and the idea of a cashless economy. It also means that for smartphone users, there is now a government authenticated app to carry out payments, without always having to rely on third party players.

However, the app is facing teething troubles. NPCI’s official Twitter account for BHIM app tweeted earlier saying they have a high server load, due to which they are facing intermittent issues. The tweet also said they will be releasing a new version to resolve this.


  1. R
    Raghav Rajaraman
    Jan 1, 2017 at 8:50 am
    Nope.
    Netbanking has real two-factor authentication because the OTP is sent to a *different* registered device than the computer you are accessing your account.
    If you forget your password, a reset will send the OTP to your phone.

    Here, it's all in the same phone.
    If you forget your pin, you use the same phone to reset it. There is no second independent authentication device.

    So if you lose your phone, the person with access to your phone can reset the pin. And how will the authentication for the new pin be done?
    Using the same phone. The perpetrator will use the same phone to contact the bank and get the pin reset.

    Overall UPI is a great idea. But designing a secure system is no child's play.
    Reply
  2. S
    Shakri
    Jan 1, 2017 at 7:01 am
    Hahaha UNESCO declared this or what ?? :p :p
    Reply
  3. A
    Avinash
    Feb 10, 2017 at 6:38 pm
    In case your phone is lost, block your sim card, and your BHIM is secure.
    Reply
  4. R
    Raman
    Jan 1, 2017 at 1:03 am
    Good. But why no one talks on whether any cost is involved for the user of this app as well as others. Why should one incur expenses to pay through these apps. If this is to succeed it must be without any cost for the user. That only will encourage the use. Private apps are easy money spinners for the operator with very little investment.
    Reply
  5. K
    kishore
    Jan 2, 2017 at 12:45 pm
    Correct ... This BHIM app is a great risk factor, if one loses mobile, because all things are contained in one app. Better somebody teach technically MODIJI that this is not 100% secure, as all things are in one handset only. So beware... hackers are ready to hack all your hard earned money.
    Reply
  6. R
    RAVINDER
    Jan 8, 2017 at 4:40 pm
    not working in state bank of patiala, otherwise good but not use in electricity bill, water bill etc.
    Reply
  7. R
    RAKESH
    Jan 4, 2017 at 4:09 am
    Add the bank sbbj state Bank of Bikaner and Jaipur for bhim app
    Reply
  8. S
    suryavanshi
    Jan 1, 2017 at 7:48 am
    the mobile number is with you...the app can be used from a handset with your SIM..same as net-banking OTP mechanism...so even if someone hacks into your mobile or access your mobile, he/she will still need the 4 digit PIN. case of net-banking you have to login to your account...not sure if one needs the netbanking password as well to do the transfer...
    Reply