How I hacked your bank account: A detailed look at UPI Security

By Abhay Rana on 23 Sep 2023 @ Nullcon
#hacking #application-hardening #input-validation #security-testing #threat-modeling
Focus Areas: 🔐 Application Security, ⚙️ DevSecOps, 🎯 Penetration Testing, 🏗️ Security Architecture

Abstract

UPI needs no introduction: it is the fastest-growing payment method in the world, with billions of transactions flowing through it every month. This talk presents independent security research on UPI, including major vulnerabilities (disclosed and fixed with NPCI’s cooperation), as well as a threat model of how secure UPI really is.

The talk is based on independent research that the author did while at Razorpay, reversing and debugging multiple UPI applications to better understand the underlying security parameters. The first half of the talk goes over UPI’s payment flows, looking deeply into various security properties of the system, and how they differ between various apps. Peppered with a few demos to showcase the reversing process, the rest of the talk will walk the audience through a major vulnerability disclosure - which allowed mass hacking of bank accounts in India.

AI Generated Summary

The talk focused on the security vulnerabilities of the Unified Payments Interface (UPI) system, a popular mobile payment system in India. The researcher demonstrated how they could hack into a bank account using only a mobile number, exploiting a weakness in the setup process of a UPI app. The vulnerability allowed the researcher to create a profile with a spoofed mobile number, bypassing the SMS verification step.

The researcher identified several key issues with the UPI system, including its decentralized nature, which makes it vulnerable to attacks on smaller, less secure apps. Additionally, the system trusts devices and apps to a high degree, making it susceptible to phishing and other types of attacks. The researcher also noted that the UPI system’s encryption keys are not end-to-end encrypted, which could compromise user data.

The talk highlighted the need for open security standards for UPI, better penetration testing, and a vulnerability disclosure program for the banking system. The researcher suggested that pentesters should have access to stripped-down versions of apps without hurdles such as SSL pinning and field-level encryption, which can hinder their ability to identify vulnerabilities. The researcher also encouraged hackers to test and report vulnerabilities in UPI apps, offering help and support for those who want to contribute to the security of the system.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.