Hackers of India

How I hacked your bank account: A detailed look at UPI Security

Abhay Rana

2023/09/23


Abstract

UPI needs no introduction: it is the fastest-growing payment method in the world, with billions of transactions flowing through it every month. This talk presents independent security research on UPI, including major vulnerabilities (disclosed and fixed with NPCI’s cooperation), as well as a threat model of how secure UPI really is.

The talk is based on independent research that the author did while at Razorpay, reversing and debugging multiple UPI applications to better understand the underlying security parameters. The first half of the talk goes over UPI’s payment flows, looking deeply into various security properties of the system and how they differ between various apps. Peppered with a few demos to showcase the reversing process, the rest of the talk will walk the audience through a major vulnerability disclosure, which allowed mass hacking of bank accounts in India.