Thursday 25 August 2022

How to stop UPI fraud with dynamic QR & intent URL


This post is for payment system application developers and product managers, online merchants, and anybody else who wants to understand how to protect against UPI fraud.

Fraudsters use many different tricks to rob unaware users on the internet. The following are steps a payment system can take to protect its users against UPI fraud.

  • Dynamic QR: If the payment system generates a unique QR code for each transaction, with the rule that only one payment is accepted against each QR code, a fraudster cannot re-use the same QR code over and over. In practice this means the QR payload carries a transaction reference issued by the payment system, and the backend marks that reference as consumed after the first successful payment and rejects any later one. A static QR printed once and reused for every payment offers no such limit.

  • Dynamic intent URL: Likewise, the payment system can generate a unique UPI intent URL for each transaction, which limits fraudsters in the same way. A newer fraud pattern has been observed in which the user is given the impression that tapping an intent link will bring them a payment, when in fact an intent URL opens the user's UPI app in the pay flow, so it is the user who pays. The user finds out only after the amount has been debited from their bank account. For example, the attacker publishes a social media post with an image linked to an intent URL, telling users to tap the image to receive a cashback; the rest of the story is predictable. If each intent URL can be used only once, the attacker has to craft a fresh post for every victim, which limits the attack. Note that a single-use URL limits the scale of the fraud rather than eliminating it: the user's UPI app still shows a pay confirmation with the amount, and a user who reads it before approving is protected either way.

  • As a payment system, block every merchant and customer found to have committed any kind of fraud, so that your platform is not an easy target for fraudsters.

  • Enable a UPI transaction mode (collect, QR, intent) for a merchant only after understanding that merchant's use case. For example, if the merchant's use case does not require the collect flow, do not allow the merchant to initiate collect requests at all; a collect request asks the customer to approve a debit, which is exactly the primitive a fraudster posing as a merchant wants.

  • Do not accept a push payment (a payment via QR or intent) that was not initiated by the payment system. For example, if a merchant's UPI ID on the payment system is merchantname@bankname, do not accept arbitrary credits pushed to that UPI ID; accept push payments only for transactions your payment system itself initiated, that is, those carrying a transaction reference it issued. This also reduces duplicate payments and chargebacks, and makes reconciliation of payments straightforward.
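The five steps above describe one backend design: issue a unique, single-use transaction reference per QR or intent URL, gate the transaction mode per merchant, refuse credits for references the system never issued, refuse a second credit against a consumed reference, and refuse counterparties on a block list. The example below is added here to show that design in working Python; it is not the post's or iMoney Pay's code. It assumes the PSP reports each credit to the payment system as a callback carrying payee UPI ID, payer UPI ID, amount and the transaction reference (the callback shape is an assumption), uses the pa/pn/am/tr/cu parameter names of the upi://pay deep-link convention, and picks a 15-minute validity window and the reason-code strings as its own conventions. The merchant and customer IDs are constructed sample data, and `what_this_link_does` is a hypothetical helper illustrating what a UPI app shows before the user approves a tapped link.

```python
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal
from urllib.parse import urlencode, urlparse, parse_qs

TWO_PLACES = Decimal("0.01")


@dataclass(frozen=True)
class Merchant:
    vpa: str                  # merchant UPI ID, e.g. merchantname@bankname (sample data)
    name: str
    allowed_modes: frozenset  # subset of {"qr", "intent", "collect"}, set per use case


@dataclass
class PendingTxn:
    merchant_vpa: str
    amount: Decimal
    mode: str
    issued_at: float
    consumed: bool = False    # flipped after the first accepted credit


class PaymentSystem:
    """Issues single-use dynamic QR / intent URLs and validates credit callbacks."""

    def __init__(self, ttl_seconds: int = 900):
        self.merchants: dict[str, Merchant] = {}
        self.pending: dict[str, PendingTxn] = {}  # tr -> transaction we initiated
        self.blocked: set[str] = set()             # UPI IDs of merchants/customers caught in fraud
        self.ttl = ttl_seconds                     # assumption: a dynamic QR/URL is also short-lived

    def register_merchant(self, m: Merchant) -> None:
        self.merchants[m.vpa] = m

    def block(self, vpa: str) -> None:
        self.blocked.add(vpa)

    def new_transaction(self, merchant_vpa: str, amount: str, mode: str, now=None) -> str:
        """Create a transaction and return its unique reference (the 'tr' of the QR/URL)."""
        m = self.merchants.get(merchant_vpa)
        if m is None or merchant_vpa in self.blocked:
            raise PermissionError("merchant unknown or blocked")
        if mode not in m.allowed_modes:
            raise PermissionError(f"mode {mode!r} is not enabled for this merchant")
        amt = Decimal(amount).quantize(TWO_PLACES)
        if amt <= 0:
            raise ValueError("amount must be positive")
        tr = secrets.token_hex(12)  # 24 hex chars: unguessable and unique per transaction
        self.pending[tr] = PendingTxn(merchant_vpa, amt, mode, time.time() if now is None else now)
        return tr

    def intent_url(self, tr: str) -> str:
        """upi://pay deep link for a transaction we created; the same string is the dynamic QR payload."""
        txn = self.pending[tr]
        if txn.mode == "collect":
            raise ValueError("collect is a pull request, not a QR/intent push payment")
        m = self.merchants[txn.merchant_vpa]
        params = {"pa": m.vpa, "pn": m.name, "am": str(txn.amount), "tr": tr, "cu": "INR"}
        return "upi://pay?" + urlencode(params)

    def on_credit(self, payee_vpa: str, payer_vpa: str, amount: str, tr: str, now=None) -> str:
        """Accept or reject a credit reported by the PSP callback (assumed shape); returns a reason code."""
        now = time.time() if now is None else now
        if payer_vpa in self.blocked:
            return "rejected:payer_blocked"
        txn = self.pending.get(tr)
        if txn is None:
            return "rejected:not_initiated_by_us"   # push payment nobody asked for
        if txn.merchant_vpa != payee_vpa:
            return "rejected:payee_mismatch"
        if Decimal(amount).quantize(TWO_PLACES) != txn.amount:
            return "rejected:amount_mismatch"        # QR/URL amount was tampered with
        if now - txn.issued_at > self.ttl:
            return "rejected:expired"
        if txn.consumed:
            return "rejected:reused"                 # second payment against the same QR/URL
        txn.consumed = True
        return "accepted"


def what_this_link_does(url: str) -> str:
    """Hypothetical helper: the summary a UPI app shows; a upi://pay link always debits the tapper."""
    u = urlparse(url)
    if u.scheme != "upi" or u.netloc != "pay":
        return "not a UPI pay link"
    q = parse_qs(u.query)

    def first(key, default="?"):
        return q.get(key, [default])[0]

    return f"YOU PAY {first('am')} {first('cu', 'INR')} to {first('pa')}"


if __name__ == "__main__":
    ps = PaymentSystem()
    ps.register_merchant(Merchant("shop@okbank", "Demo Shop", frozenset({"qr", "intent"})))
    tr = ps.new_transaction("shop@okbank", "500", "intent")
    link = ps.intent_url(tr)
    print(link, "->", what_this_link_does(link))
    print(ps.on_credit("shop@okbank", "buyer@okbank", "500.00", tr))   # accepted
    print(ps.on_credit("shop@okbank", "buyer2@okbank", "500.00", tr))  # rejected:reused
```

The order of checks in `on_credit` matters for reconciliation: a credit with an unknown `tr` is rejected before anything else is looked up, so a customer pushing money to merchantname@bankname outside a flow the system started never creates a record to reconcile or charge back. Marking the reference consumed only after every other check passes keeps a tampered or expired attempt from burning the reference that the legitimate payer is about to use.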

Feel free to comment with your understanding of, or questions about, this topic.

iMoney Pay provides solutions of this kind to protect users and merchants against fraud.

Author: Surender Kumar
