Deccan Chronicle

BHIM allows paying through Aadhaar

NPCI asked all financial institutions to stop the feature

- NAVEENA GHANATE | DC

After TRAI Chairman R.S. Sharma’s open challenge in July, which had exposed loopholes in the BHIM app, financial institutions have stopped the feature of making payments through the Aadhaar app. Mr Sharma had put out his Aadhaar number and dared hackers to do him harm.

The National Payments Corporation of India (NPCI) had asked all financial institutions to stop the feature of allowing "Pay to Aadhaar" by August 31. The State Bank of India, earlier this week, removed the Pay to Aadhaar functionality from its BHIM SBI Pay app. It posted an update for those using the app.

However, the BHIM app handled by NPCI itself has not completely removed the feature. This feature was termed a threat, because anyone could send money without the approval of the sender, which could be used against them. It may be mentioned that a user, Anivar Aravind, used the Pay to Aadhaar feature of the BHIM app and transferred ₹1 to the TRAI Chairman to show him the dangers of sharing the information.

Experts have said that this feature would cause data leaks in the future.

An expert, Mr P. Srikanth, said, “Using this feature, the payer, through their payment service provider like BHIM, gets a notification of the transaction. That means besides BHIM, the payer’s telecom provider also gets the 12-digit UID number. This can be useful information for social engineering attacks. Smaller banks do not own and operate their UPI switch. They licence it from one of the few service providers, who now have a copy of the data.”

The Aadhaar Based Remittance System (ABRS) is the system behind ‘Pay 2 Aadhaar’ present in some banks’ UPI apps.

According to Mr Srikanth, the total number of apps having that feature is fewer than 20. “Except BHIM, other top UPI apps do not have this feature. The cost of supporting data protection and UIDAI regulations for retaining Pay 2 Aadhaar increases the cost to all participating entities in the network,” he added.

However, NPCI said that it had stopped the service, but the user interface still had the option, which would be fixed in the next update. This means even if a person tries to send money using the Aadhaar ID, it would fail.

The NPCI in a statement said, “The National Payments Corporation of India has already stopped this service at Central UPI switch level. All such transactions would be rejected by NPCI.” They added that member banks would be disabling ‘Pay to Aadhaar’ functionality on their apps in the upcoming releases (including BHIM app) based on the circular issued on July 17, regarding ‘removal of Pay to Aadhaar functionality in UPI and IMPS’.
