To boost the cashless transactions across the country after demonetisation, over 30 banks have, so far, launched their Unified Payments Interface (UPI)-enabled mobile applications. UPI, a payments system, was first announced in April 2016 by the National Payments Corporation of India (NPCI) along with the Reserve Bank of India (RBI). While mobile wallet companies such as Paytm and MobiKwik cashed in on demonetisation, UPI did not that get that much of a push. Now the government has introduced a unified app for UPI called BHIM, which will let users transfer money to anyone with a UPI-enabled bank account, or even a regular bank account through IFSC code.
“Encryption for BHIM is in line with what a Google Wallet or Apple Pay will be using, but let’s remember this is just one aspect of the overall security,” says Saket Modi, CEO and co-founder of Lucideus Tech, one of the security vendors involved with the UPI system as well as the BHIM app. “We worked on the security of UPI’s common library. When (Erstwhile RBI Governor) Raghuram Rajan launched UPI, NPCI had made a library which it shared with all banks with net banking. They were asked to embed that common library inside their net banking application. So if you want to use UPI with just your bank, it means you have to download Pockets or the ICICI net-banking application which is UPI-enabled, to do these transactions,” explains Modi.
Modi said before BHIM there was no common application for UPI alone. “This common library was always there, but now the only difference is that NPCI has its own app as well. This app will facilitate a lot more transactions using a uniform app,” says Modi whose Lucideus worked on the security of the library.
The BHIM apps has three levels of authentication. For one, the app binds with a device’s ID and mobile number, second a user needs to sync whichever bank account (UPI or non-UPI enabled) in order to the conduct transaction. Third, when a user sets up the app they are asked to create a pin which is needed to log into the app. Further, the UPI pin, which a user creates with their bank account is needed to go through with the transaction.
“From a consumer point of view, there are three levels of authentication that are required in this app. One is the device ID and mobile number, then the bank account which you are linking to this app, and the finally the UPI Pin which is needed to complete the transaction. There are three factors of authentication versus a normal net banking app or a chip-pin debit card which will only have two factors of authentication,” points out Modi.
“Even if your phone gets stolen nobody can transact, until they know your UPI pin,” he says.
BHIM’s launch comes at a time when the government has given a massive push to digital payments and the idea of a cashless economy. It also means that for smartphone users, there is now a government authenticated app to carry out payments, without always having to rely on third party players.
However, the app is facing teething troubles. NPCI’s official Twitter account for BHIM app tweeted earlier saying they have a high server load, due to which they are facing intermittent issues. The tweet also said they will be releasing a new version to resolve this.