Unified Payment Interface (“UPI”), a popular mobile instant payment system in India, uses Virtual Payment Addresses (“VPAs”), which do not carry a data security classification by virtue of their usage in practice and should as such be considered public information, similar to how email addresses may be considered public information.
UPI-Recon was a tool which allowed users to:
- Check the existence of UPI payment addresses,
- Fetch associated information about the account holder, in an automated manner based on provided input.
The functionality is already available (though not in an automated fashion) through most UPI payment applications available on the Android and/or iOS platforms.
This talk discusses the applications of UPI-Recon as an OSINT tool, fraud detection, and the privacy and security impacts of reconnaissance.
UPI Recon Project - https://github.com/qurbat/upi-recon
Who should participate:
- Any UPI user / Indian payments enthusiasts.
- Open-source intelligence (OSINT) enthusiasts, journalists
About the speaker:
Karan Saini, creator of the UPI-Recon project, is a network and application security researcher and practitioner from New Delhi, India. He is currently employed as a security technologist with the Centre for Internet and Society in Bangalore, India.
Participation: A Zoom link will be shared with registered participants. Alternatively, you can watch the livestream on this page.
Code of Conduct: Hasgeek’s Code of Conduct applies to participants and speakers at this discussion.
About CashlessConsumer: CashlessConsumer is a consumer collective working on digital payments to increase awareness, understand technology, produce/consume data, and represent consumers in the policy of the digital payments ecosystem, voicing consumer perspectives and concerns with the goal of moving towards a fair cashless society. Read more on the website and the blog. Follow @cashlessconsumer on Mastodon and Telegram.