group-icon
Hacker's Arena
Knowledge base and discussions group for Security enthusiasts
120 Members
Join this group to post and comment.
Naveen Sunil
Naveen Sunil
Information Technology
05 Jan 2019

How safe are UPI payments?

There was lot of news relating to bank frauds through UPI payments. Although NPCI claimes UPI payments to be safe than any other method how does all the fraud happen?

To understand that you need to know what is UPI and how it works. You can read more about the process at BHIM SBI Pay - SBI Corporate Website. New UPI 2.0 has many new features which you can read at

Most UPI frauds happen through SIM swap frauds. In either of the case for the fraud to be successful the fraudster need to know your UPI pin alone. Since he access to your number he can register a new device (Note: UPI allows new device verification but doesn't not allow multiple device usage at same time)

Taking advantage of this he knocks you of your own number and owns all your money.  But for all this to happen there is no magic. The fraudster would try to social engineer you. He might call you as a network provider agent and say you need to swap your sim and need your sim's 20 digit UID. Now a network provider need not ask you for that number. They have it, so be wise and don't give that number.

Read about the recent fraud at If it is legal and useful then how is it a scam? | Gadgets Now

Golden thumb rule:

Don't share any Uniquely Identifiable or confidential numbers or codes to anyone over a phone call or message or mail. Network providers or banks never ask you for such details when they already have it.

Mohit Patil
Mohit Patil
Computer Science
4mos ago

wow, this is quite alarming! I was wondering what happens if you loose your mobile or SIM card..  Someone else could easily transfer your money in his bank account in just a few seconds. That person wont even need any password or any further details to do fraud transaction..

I hate entering OTPs.. all the time.. Guess it just adds one more layer of security that could be make or break..

Naveen Sunil
Naveen Sunil
Information Technology
4mos ago

If you keep your UPI pin, Aadhaar number, SIM UID, Mobile IMEI, Card number, CVV/CVC, Card pin, Online banking credentials, the risk of facing UPI or other bank frauds is almost zero.

4mos ago

Interesting discussion, Naveen. Of course, it's not right to share the information. My question is about general hack-proofness of UPI payments. Do you have any idea about the kind of encryption they use?

Naveen Sunil
Naveen Sunil
Information Technology
4mos ago

Great question Kaustubh! The way UPI works itself is very interesting. NPCI provides the UPI API and SDK for vendors to develop apps on top of UPI platform. There are certain parameters and URL linking method that a vendor should follow to send a request or receive a response from the UPI server for a transaction to happen.

UPI uses Public - private key encrypted communication and also for verification. It requires all info to be hashed with SHA256 and encrypt with RSA512 (SHA256withRSA512() function). More details available at https://www.npci.org.in/sites/default/files/UPI%20Linking%20Specs_ver%201.6.pdf 
Now there are client side application security measures that needs to be done. PwC has got an excellent report on this. Read here https://www.pwc.in/assets/pdfs/consulting/cyber-security/banking/unified-payment-interface-security.pdf