In its last monetary policy announcement on August 10, the Reserve Bank of India (RBI) proposed to increase the per-transaction limit for PIN-less payments on UPI Lite to Rs 500 from the current Rs 200. RBI governor Shaktikanta Das clarified that the move was meant to increase the adoption of UPI Lite, the simplified version of the original UPI payment system, introduced by the National Payments Corporation of India (NPCI) and RBI in September 2022.
While this will make UPI transactions easier, it also comes with the risk of misuse. The Core reached out to cyber security experts and industry experts to weigh the pros and cons of this move.
What Are The Advantages?
UPI Lite was introduced as a simplified version of the original UPI payment system by the National Payments Corporation of India (NPCI) and RBI in September 2022. UPI Lite works as a wallet: users need to load money into it before they can use it.
Currently, only 16 banks like State Bank of India (SBI), Punjab National Bank (PNB), ICICI Bank, Axis Bank, and a couple of UPI apps like Paytm, PhonePe, and BHIM have the right to provide UPI Lite.
“One of the major advantages of the UPI Lite is that the transaction can happen even if the bank server is down. Reloading a wallet is like carrying cash in your physical wallet, so even if there are connectivity issues or no internet connection, the debit can be done. UPI Lite wallet acts as a buffer fund and the amount that can be debited without a PIN is very nominal, so not much concern is there,” said Prashant Sahu, cyber security expert.
According to many, PIN-less transactions are meant for smaller payments, as they save time and make the process hassle-free. Moreover, RBI has also introduced PIN-less transactions on credit cards, and it has been a success, so it can be assumed that UPI transactions without PINs won’t pose much of a threat.
“With transaction limits defined, risk will be minimised. Just like we don’t share our card with anyone for PINless tap and pay. With UPI, app-based authentication should be good enough,” said Ravi Battula, Vice President of Merchant Acquiring Business, Wibmo, A PayU Company.
According to industry experts, this move follows the trend of faster everyday payment alternatives, promoting financial fluidity.
“To speed up low-value payments and accommodate the growing demand for faster transactions, transactions can be approved without a PIN. This will encourage digital transactions in the coming days. This strategic adjustment meets the increased need for efficient payment solutions, especially for daily spending and small transactions, especially in tier 3 and beyond cities,” said Manan Dixit, founder & CEO of FidyPay, a banking solutions company.
What Are The Potential Risks?
Banks have witnessed the maximum number of frauds in the online payment category during the fiscal year 2023-24, according to the RBI annual report 2022-23. Out of the total 13,530 fraud cases in the banking system, 49 percent or 6,659 cases were in digital payment.
In terms of value, banks reported frauds primarily (Rs 28,792 crore) in the advances category in the previous fiscal. The total amount of fraud in the digital payment category stood at Rs 276 crore in FY23.
At a time when such frauds are on the rise, transactions without a PIN offer convenience but come with the trade-off of reduced security. While they streamline the payment process, the absence of a PIN increases vulnerability to unauthorised access and fraud.
The number of digital frauds in banking increased by more than 2.5 times between 2021 and 2023, according to data in the RBI Annual Report.
“One of the major drawbacks of the UPI Lite is that the wallet gets synced to the device and if the device gets lost, then the amount can’t be recovered, even if you log in using a different phone. And with no PIN needed for transactions, one who has stolen the phone can use the amount too. Rs 2000 may appear a small amount, but considering the fact that the facility of PIN-less transactions has been introduced keeping in mind the crowd from tier 2 and 3 cities, the amount matters to them. For students and low middle-class families, even Rs 2000 has a lot of value,” said cyber security expert Ritesh Bhatia. Experts believe this step may make UPI Lite a more appealing target for hostile actors, thereby increasing cyber-attacks.
The process of recovering money from a UPI Lite wallet on a lost mobile device is also difficult. “In case a phone is lost, the customer needs to submit an application to the bank and ask the bank to unload the money. This process may take a few days and with no PIN needed for the transaction, fraudsters may use the money meanwhile,” said Rupesh Mittal, founder of Cyber Jagrithi and Safety Foundation. He highlighted that if the phone is stolen, then the thief gets some days to use the money in the wallet.
Another feature of UPI Lite is that the wallet can be loaded using a credit card as well. This feature may act as a double-edged sword. In case a person loses their phone along with their wallet or bag that has their credit card, fraudsters can get access to the credit card details as well. They can use the credit card to reload the wallet too.
According to cyber security experts, PIN-less transactions on credit cards can’t be compared with this UPI feature. “If users can prove that they were not present when the transactions happened and the card was not with them, then banks are bound to refund them the amount. But no such provisions are there for UPI,” said Bhatia.
With no PIN needed for transactions, experts believe that falling prey to phishing attacks will become more common. They pointed out that most phishing happens when users mistakenly click links. Phishing can be minimised when the user declines to approve the payment with a PIN or OTP, but now, if they click the link and UPI Lite is set as the default payment mode, the amount will be debited easily.