Several Founders, Co-Founders, CXO Bankers, CXO Fintech professionals & people who participated in the ePanel discussions:

  • Mr. Bharat Panchal, Chief Risk Officer – India, Middle East & Africa, FIS
  • Mr. Amitabh Rai, Deputy General Manager, Punjab National Bank
  • Mr. Kishore Mohnani AGM , Abhyudaya Co-operative Bank
  • Mr. Alok Bhargava, former Senior banker, Bank of Maharashtra
  • Mr. Satish Patel, Associate Vice President-Technology, AGS Transact Technologies Ltd
  • Mr. Bhawani Singh, Principal Solutions Architect – APAC, Checkmarx
  • Mr. Alok Karkera, Group Head – Government Coverage Group West & South at Axis Bank
  • Mr. Nabunkar Sen, External Consultant (Cyber Security), HSBC
  • Mr. Ramasubramanian S, Deputy Vice President, Axis Bank
  • Mr. Zulkernain Kanjariwala, Head- IT Applications, IDFC FIRST Bank
  • Mr. Prashant Sinha, General Manager-Banking, India Transact Services Limited
  • Mr. Sharad Goklani, President and CTO at AU Small Finance Bank
  • Mr. Taron Mohan, Owner, NextGen Telesolutions Pvt Ltd
  • Mr. Rajiv Rai, Former Chief Digital Officer, Edelweiss Financial Services
  • Mr. Ishan Vaish, India & UK Partnership Manager – Worldwide Developer Relations, Apple
  • Mr. Ajay B Panicker, CEO & Founder, NetPay Limited
  • Mr. Vikas R Panditrao, Co-Founder, Forum of Industry and Academic Knowledge Sharing (FIAKS)
  • Many other CEO/CXO Bankers & Fintech professionals on FIAKS Forum requested to remain anonymous

Cybercrime is no longer a new term for a layman, albeit innocent people are still getting duped because fraudsters are just getting smarter with their tricks.  According to a report, 59% of Indian adults fell prey to cybercrime in a year[1] And this pandemic has just paved the way out for cyberfrauds. Check this new type of fraud that has been reported;

Long story short: Almost everyone is now aware that OTPs are not to be shared with anyone. Now in this case, while the user ordered food online and then for making the payment the user was convinced by the fraudster to install an SMS forwarder app known as SPRING SMS through which all the messages received by the user also gets forwarded to a number specified by the fraudster who then misuses the OTP to complete the financial transactions from the user’s account. Although the cyber police mentioned that they needed to check how the OTPs were accessed by the fraudster as the victim had not added any number in the message forwarding app.

Like how is this possible? Here are various conjectures made by members, need to dig up for specifics though;

  • So while the user didn’t forward the SMS, the spring app on android takes SMS inbox permission, and then it forwards the message to some specified numbers which are misused by the perpetrators.
  • Looks like the fraudster was able to get the victim to download this app and then set it up to forward the OTP to his number. The victim agreed to set up an unknown app to make an Rs. 375 payment. This is a cardinal mistake. Here the control of mobile too seems to have been taken over by the hacker through SPRING SMS. There are even more dangerous software like AnyDesk with which you can cede control of your phone. AnyDesk is used by various companies by the tech support team. Tech support team members are low-cost resources taking access to branches. What happens if he leaves the tech company appointed by the bank. Can he not take access of branch head PC from remote or maybe he can walk inside the bank premises and connect his personal laptop to move the funds?
  • A rogue app, possibly had a “registration” process, during which it sent some “hidden” SMS messages, or maybe asked for some permissions, and used that as a proxy to link with some bank account. Similar stuff happened in the beginning when UPI was launched.
  • It seems SPRING SMS App, once installed, forwards a copy of the SMS received on the cell to a predestinated number/site under the control of the hacker. If I am not incorrect, the app must be using UPI services in the background. Well if this is the case then it is very dangerous to do UPI itself.

What is the security with UPI then?

Register and Read the complete discussions 

Please register to unlock the full content!

Related Post