by Abishek_Muthian 2141 days ago
I tell my friends in Western countries about UPI. When they tell me how easy and seamless Apple Pay has made their payments, they're often surprised that such a system exists here. One can download GPay or a plethora of other apps to set up UPI to sync with bank accounts within minutes and conduct transactions.

With vernacular support and affordable cellular data, these apps have found their users even among those who have never used a computer in their life to log in to their banking portal, or used a debit card before to conduct any online transactions.

Now, what 'I' don't like about it:

Extraordinary dependence on 'Mobile Number' for security. RBI (India's central bank) requires a personal phone number to be synced with the bank account, so these 'UPI' apps send an SMS from the phone at random to 'verify' that it's actually you, i.e. if the phone number matches, it's you. If you are like me, who has the phone in aeroplane mode 24*7 or uses cellular on demand, be prepared for transaction failures at best and getting locked out of the UPI apps at worst.

Then there is the question of SMS OTP as the backbone of Indian banking infrastructure's 2FA security. We know SIM-jacking attacks are getting more prevalent with every passing day; coercing an employee of a telecom who earns minimum wage is not that difficult, and especially since there is zero 'cyber-security' awareness among much of the population, attackers just dupe many of them into giving them the OTP[1].

It's high time banking infrastructure here started supporting hardware tokens or at least TOTP apps, and UPI has to hedge its unique ID dependence with email ID as well.

[1] https://economictimes.indiatimes.com/wealth/save/beware-of-t...

7 comments

> I tell about UPI to my friends in Western countries, When they tell how easy and seamless Apple Pay has made their payments, they're often surprised that such system exists here […]

'Western countries' in your statement probably mainly means the USA, as most of Europe has been using contactless payment via NFC for many years.

Apple Pay is effectively just using the phone's NFC chip instead of the one embedded in the debit/credit card, although it does bring one advantage: because the iPhone has its own authentication system, you're never asked for a PIN code when paying with your phone, whereas paying with a debit/credit card will ask for a PIN if the amount is above a certain threshold, or if it hasn't asked for a long time.

I have been using payment apps in Asia, not India, but Apple Pay (or NFC-enabled cards) is definitely more seamless, as these only require you to hold them near the terminal, whereas a payment app requires first being launched, and then either scanning a QR code and confirming, or bringing up your QR code to have the cashier scan it.

Don't get me wrong: I am very much a fan of the concept of UPI. I am commenting just to clarify that a universal payment interface with third-party apps is different from NFC-enabled payments, and I think it is really the latter that your friends in Western countries are describing as seamless.

Google/Apple Pay are still not as seamless as something like Osaifu Keitai from Japan. Google/Apple are beholden to Visa & Mastercard and the banks issuing the correct kind of cards. Japan's Osaifu Keitai tech stack + business model completely gets rid of these old institutions.

One example: Visa Japan has some ongoing fallout with Apple and JR East, so you cannot use your Visa credit card to top up your Suica transit card with Apple Pay, but it works fine on Android with Google Pay. A lot of merchants get confused between NFC/Apple Pay/Google Pay/Visa Pay and so many spin-offs of something that's essentially just NFC A-B mode of payment.

With Osaifu Keitai you just choose one provider - Pasmo, Suica etc. - and just top up money in any form you want: cash, credit card, debit card, points etc. And it just works. No internet, no middlemen and sub-millisecond latency, which is very crucial for transit payments.

Last time I was visiting Japan my friends with Apple phones were able to add their physical cards to their phones and then top up their Suica/Pasmo cards digitally, but I had Android and it was impossible.

It's been available on Android since March. ^_^

https://www.pasmo.co.jp/mp/and/

That's a stored value card, which does work in a limited context (Japan). You can't use it internationally, unlike contactless EMV.

There's nothing technically stopping it from being used in other countries, though; Hong Kong has implemented the same system with the same level of success as Japan.

> You can't use it internationally, unlike contactless EMV.

Technically that's incorrect. Visa/Mastercard work internationally; I have a RuPay card from India and it didn't work internationally until recently. So it depends on the reciprocal agreement between networks - https://en.wikipedia.org/wiki/Card_reciprocal_agreements

Yes, HK has its own stored value card, but you can't use Octopus in Japan, can you?

Also I'm sure you'd agree it's easier to trust something issued internationally if there was some element of online verification to it (admittedly probably not much of an issue for transit applications).

This is where Apple and Google step in: you can load Octopus on your phone and start using it like a local. Apple even notifies you about Suica as soon as you land in Japan.

During 2010 I was working for a payments company in India and we already had an NFC-based payment system built on the Nokia 6131 (2007) and a J2ME app, which was used for demonstration to the Government; obviously we were too early and it got nowhere (except in Singapore, I think).

So, I completely understand what you mean by NFC payments vs UPI. I made my statement not as a direct technical comparison, but to point out that there is now a way to make seamless payments in India which wasn't available earlier. Btw, Apple has put its plans to integrate UPI with Apple Pay on hold due to disagreements over data storage; I wonder what it's doing in China.

Interestingly, it's not my friends in the US who raved about Apple Pay but those in England (not sure what that's about).

Social engineering attacks work quite well too. A quick glance through Google News reveals many attacks by which scammers coax a PIN out of unsuspecting victims [1,2].

UPI withdraws money from your bank account -- in that respect it's like a debit card, with no way to "claw back" wrongly-sent money short of going through the justice system, which is notoriously slow in India.

It's useful for what it is, but needs way more work (especially in the ability to recall payments and/or address fraudulent transactions) to become a payment system that protects even the technically less proficient.

[1] https://timesofindia.indiatimes.com/city/bengaluru/customers...

[2] https://indianexpress.com/article/technology/tech-news-techn...

Yes, that's what I meant by:

> attackers just dupe many of them into giving them the OTP[1]

I also think there is no way to change the upper limit of transactions with UPI, i.e. it's Rs.1,00,000 per day in most banks. Whereas for debit/credit cards we can set it to even Rs.1000 and other sub-limits as fraud prevention measures via the bank portal.

So if someone has set such limits for a debit/credit card (everyone should), and the card gets stolen/cloned and the hacker/thief tries to withdraw at an ATM even on the other side of the world, all they would get is a maximum of Rs.1000, compared to Rs.1,00,000 via UPI.

Also, private companies are not that great at protecting card details. Remember when Paytm wanted us to enter our card details on the merchant's phone during demonetisation? I disclosed it as a security vulnerability[1] to them; they withdrew the PoS feature and told me that it was done as a business decision and not because of any security implications. When news media enquired about my disclosure with its CEO, he told them "This news is false", although the news site had independently verified my claim[2].

Then again, if the SIM gets jacked or the telecom employee gets compromised, all bets are off in India: everything from identity to savings could be lost.

[1] https://abishekmuthian.com/paytm-says-to-me-that-its-pos-fea...

[2] https://www.medianama.com/2016/12/223-paytm-merchant-payment...

> these apps have found its users even among those who have never used a computer in their life

The only internet-connected device these users have is a cheap smartphone, and within the phone perhaps the only complex apps they are familiar with are messaging ones (apart from entertainment and 'selfie' related ones).

So any other authentication mechanism (email or others) would see the usage plummet.

> So any other authentication mechanism (email or others) would see the usage plummet.

True, but Security > Friction, especially when it comes to hard-earned wealth in a poor country like ours, where even daily wage earners use UPI now, especially because of COVID-19 induced lockdowns (COVID-19 themed UPI frauds for OTPs are also increasing at an alarming rate for the same reason).

Moreover, email is federated, not owned by any single entity; I can run my own email infrastructure with minimal expenditure if needed. But for the phone number itself I have to depend upon a monopoly, duopoly or an oligarchy at best, who can screw me up at any time if they want.

> cheap smartphones

Disagree. You get surprisingly powerful smartphones within the 100-150$ range. Since you anyway have to shell out close to 100$ for a decent smartphone, many extend that to 130$ (10,000 Rs - a psychological barrier) to get a quite good smartphone, thanks to plenty of Chinese mobile manufacturers.

A few phones with more than decent specs:

https://www.flipkart.com/oppo-a5s-black-64-gb/p/itmffhgzsqac...

https://www.flipkart.com/redmi-8-emerald-green-64-gb/p/itme0...

https://www.flipkart.com/realme-narzo-10-that-blue-128-gb/p/...

The argument was not that cheap smartphones cannot handle email apps (or such), but that these phones can only have so many things, and there is definitely no expectation of hardware-based security features.

You probably don't need hardware security features. OS-based software U2F would probably be a step up (it prevents SIM-jacking, but physical access to the phone is possibly more of a vulnerability).

> Extraordinary dependence on 'Mobile Number' for security

Yeah this sucks. I haven't been in India since 2018 and I'm locked out of UPI after my previous phone died.

> be prepared for transaction failures at best to getting locked out of the UPI apps at worst

Can you clarify this? I've made transactions with UPI over in-flight Wi-Fi with no cellular coverage. The entire protocol does not require cellular/SMS coverage beyond the initial setup. Unless your specific PSP is doing some risk checks and signing you out, I don't see why this would happen. The SIM bindings are supposed to be persistent in nature.

Maybe your PSP is over-eager and you should try switching?

> I’ve made transactions with UPI over in-flight Wi-Fi and no cellular coverage

Not sure whether aeroplane mode interrupts the app's ability to fetch unique hardware IDs (IMEI, MEID, ESN, IMSI), but I've had such troubles multiple times; as I said, my phone is always on aeroplane mode.

> Maybe your PSP is over-eager and you should try switching?

Could be. But the choice of apps, according to me, ranges from less trustworthy to totally not trustworthy, so I'm out of luck there as well. Nowadays, I just enable cellular services for a few minutes and recharge that damn thing before UPI transactions.

I think you're a non-resident, dude; sadly they didn't expand the whole UPI protocol to include non-Indian numbers, which is a shame, we could've shown off to people.

I am as resident of India as that iron pillar at Qutb Minar :)

One counterpoint is that the concept of an OTP is now so widespread that even the most senile of my relatives know not to share it with anyone. I'm yet to hear of a single case of socially engineered forgery happening in my friends and family circles, but almost every one of my friends in the US, including myself, has had fraudulent charges on some credit card once every few years. So this system seems far more secure than whatever cluster* is in the US.

> I'm yet to hear of a single case of socially engineered forgery happening in my friends and family circles

Search Google News for [upi fraud India]. It happens far more than you think.