CashlessConsumer runs a fortnightly series of deep dive sessions on the technology powering payments, policy implications and real-world practice of digital payments. In the current session, the author of the paper, Renuka Kumar, University of Michigan will be presenting the work followed by discussion on paper, more broadly security in mobile payment apps.

Security Analysis of Unified Payments Interface and Payment Apps in India

Since 2016, with a strong push from the Government of India, smartphone-based payment apps have become mainstream, with over $50 billion transacted through these apps in 2018. Many of these apps use a common infrastructure introduced by the Indian government, called the Unified Payments Interface (UPI), but there has been no security analysis of this critical piece of infrastructure that supports money transfers. This paper uses a principled methodology to do a detailed security analysis of the UPI protocol by reverse-engineering the design of this protocol through seven popular UPI apps. We discover previously-unreported multi-factor authentication design-level flaws in the UPI 1.0 specification that can lead to significant attacks when combined with an installed attacker-controlled application. In an extreme version of the attack, the flaws could allow a victim’s bank account to be linked and emptied, even if a victim had never used a UPI app. The potential attacks were scalable and could be done remotely. We discuss our methodology and detail how we overcame challenges in reverse-engineering this unpublished application layer protocol, including that all UPI apps undergo a rigorous security review in India and are designed to resist analysis. The work resulted in several CVEs, and a key attack vector that we reported was later addressed in UPI 2.0.

Who should participate:

• Practitioners from fintech and digital payments, including engineers and product managers.
• Bankers, Academics interested in security of payment systms
• Journalists who report on Fintech and are looking for education on industry trends and practices.
• Anyone interested in knowing more about security in UPI / payment applications.

About the Speaker, Discussants:

• Renuka Kumar is a second year PhD student at the Computer Science and Engineering department at the University of Michigan, advised by Atul Prakash and Roya Ensafi. She is also a member of the Censored Planet Lab at UMich. Her research interest spans different facets of mobile software and systems security, and mobile measurement studies. She currently works on the detection and analysis of Android malware in the wild, the security of mobile payment systems, and the phenomenon and impact of geofencing in the mobile domain.

• Anand Venkatanarayanan is a security researcher and cybersecurity expert with interests on critical information infrastructures

• Abhay Rana aka Nemo is a developer at Razorpay with keen interest in UPI / payments security.

About CashlessConsumer: CashlessConsumer is a consumer collective working on digital payments to increase awareness, understand technology, produce / consume data, represent consumers in policy of digital payments ecosystem to voice consumer perspectives, concerns with a goal of moving towards a fair cashless society. Read more on the website, blog, follow @cashlessconsumer on Mastodon, join our chatter group on Telegram and watch our older conversations on Youtube

Paper

• Security Analysis of Unified Payments Interface and Payment Apps in India Paper - Slides - Video
• Disclousures of vulnerabilities in mobile payment apps - Repo