UPI: India's Unified Payments Interface (the-other-side.blog)
345 points by zero_kool on Aug 8, 2020 | 178 comments


I tell my friends in Western countries about UPI. When they tell me how easy and seamless Apple Pay has made their payments, they're often surprised that such a system exists here. One can download GPay or a plethora of other apps to set up UPI to sync with the bank accounts within minutes and conduct transactions.

With vernacular support/affordable cellular data, these apps have found their users even among those who have never used a computer in their life to log in to their banking portal or used a debit card to conduct any online transactions.

Now, what 'I' don't like about it,

Extraordinary dependence on 'Mobile Number' for security: RBI (India's central bank) requires a personal phone number to be synced with the bank account, so these 'UPI' apps send SMS from the phone at random to 'verify' that it's actually you, i.e. if the phone number matches, it's you. If you are like me, who has the phone in aeroplane mode 24*7 or uses cellular on demand, be prepared for transaction failures at best to getting locked out of the UPI apps at worst.

Then there is the question of SMS OTP as the backbone of Indian banking infrastructure's 2FA security, we know SIM-Jacking attacks are getting prevalent every passing day, coercing an employee of a Telecom who earns minimum wage is not that difficult and especially since there is zero 'cyber-security' awareness among much of the population; attackers just dupe many of them into giving them the OTP[1].

It's high time banking infrastructure here started supporting hardware tokens or at least TOTP apps, and UPI has to hedge its unique id dependence to email id as well.

[1] https://economictimes.indiatimes.com/wealth/save/beware-of-t...


> I tell my friends in Western countries about UPI. When they tell me how easy and seamless Apple Pay has made their payments, they're often surprised that such a system exists here […]

Western countries in your statement is probably mainly USA, as most of Europe has been using contactless payment via NFC for many years.

Apple Pay is effectively just using the phone’s NFC chip instead of that embedded in the debit/credit card, although it does bring one advantage: Because the iPhone has its own authentication system, you’re never asked for PIN code when paying with your phone, whereas paying with a debit/credit card will ask for PIN if the amount is above a certain threshold, or if it hasn’t asked for a long time.

I have been using payment apps in Asia, not India, but Apple Pay is definitely more seamless (or NFC enabled cards), as these only require you to hold them near the terminal, whereas a payment app requires first being launched, and then either scanning a QR code and confirming, or bringing up your QR code to have the cashier scan it.

Don’t get me wrong: I am very much a fan of the concept of UPI, I am commenting just to clarify that universal payment interface with third party apps is different than NFC enabled payments, where I think it is really the latter, that your friends in Western countries are describing as seamless.


Google/Apple pay are still not as seamless as something like Osaifu Keitai from Japan. Google/Apple are beholden to Visa & Mastercard and the banks issuing the correct kind of cards. Japan's Osaifu Keitai tech stack + business model completely gets rid of these old institutions.

One example is Visa Japan has some ongoing fallout with Apple and JR East, so you cannot use your Visa credit card to top up your Suica transit card with Apple pay, but it works fine on Android with Google pay. A lot of merchants get confused between NFC/Apple Pay/Google Pay/Visa Pay and so many spin offs of something that's essentially just NFC A-B mode of payment.

With Osaifu Keitai you just choose one provider - Pasmo, Suica etc and just top up money in any form you want - cash, credit card, debit card, points etc. And it just works. No internet, no middlemen and sub millisecond latency which is very crucial for transit payments.


Last time I was visiting Japan my friends with Apple phones were able to add their physical cards to their phones and then top up their suica/pasmo cards digitally but I had Android and it was impossible.


It's available on Android since March. ^_^

https://www.pasmo.co.jp/mp/and/


That's a stored value card. Which does work in a limited context (Japan). You can't use it internationally, unlike contactless EMV.


There's nothing technically stopping it from being used in other countries though, Hong Kong has implemented the same system with same level of success as Japan.

> You can't use it internationally, unlike contactless EMV.

Technically it's incorrect. Visa/Mastercard works internationally, I have a RuPay card from India and it didn't work internationally until recently. So it depends on the reciprocal agreement between networks - https://en.wikipedia.org/wiki/Card_reciprocal_agreements


Yes HK has its own stored value card, but you can't use Octopus in Japan, can you?

Also I'm sure you'd agree it's easier to trust something issued internationally if there was some element of online verification to it (admittedly probably not much of an issue for transit applications).


This is where Apple and Google step in, you can load Octopus pay on your phone and start using it like a local. Apple even notifies you about Suica as soon as you land in Japan.


During 2010 I was working for a payments company in India and we already had an NFC based payment system based on the Nokia 6131 (2007) and a J2ME app which was used for demonstration to the Government. Obviously we were too early and it got nowhere (except in Singapore I think).

So, I completely understand when you mean NFC payments vs UPI. I made my statement not as a direct technical comparison, but to inform that there is a way for seamless payments in India now which wasn't available earlier. Btw, Apple has put its plans to integrate UPI with Apple Pay on hold due to disagreements with data storage, I wonder what it's doing in China.

Interestingly, it's not my friends in the US who raved about Apple Pay but those in England (not sure what that's about).


Social engineering attacks work quite well too. A quick glance through Google News reveals many attacks by which scammers coax a PIN out of unsuspecting victims [1,2].

UPI withdraws money out of your bank account -- in that respect it's like a debit card with no way to "claw back" wrongly-sent money short of going through the justice system, which is notoriously slow in India.

It's useful for what it is, but needs way more work (especially in the ability to recall payments and/or address fraudulent transactions) to become a payment system that protects even the technically less proficient.

[1] https://timesofindia.indiatimes.com/city/bengaluru/customers...

[2] https://indianexpress.com/article/technology/tech-news-techn...


Yes, that's what I meant by,

>attackers just dupe many of them into giving them the OTP[1]

I also think there is no way to change the upper limit of the transactions with UPI i.e. it's Rs.1,00,000 in most banks/transaction/day. Whereas for Debit/Credit card we can set it to even Rs.1000 and other sub-limits as fraud prevention methods via the bank portal.

So if someone has set such limits for Debit/Credit card(everyone should), if the card gets stolen/cloned and if the hacker/thief tries to withdraw it in an ATM even in other side of the world, all they would get is a maximum of Rs.1000 when compared to Rs.1,00,000 via UPI.

Also private companies are not that great in protecting the card details, like remember when Paytm wanted us to enter our card details on the merchant's phone during demonetisation? I disclosed it as a security vulnerability[1] to them, they withdrew the PoS feature, told me that it was done due to a business decision and not because of any security implications. When news media enquired about my disclosure to its CEO, he told them “This news is false” although the news site had independently verified my claim[2].

Then again, if the SIM gets jacked or the telecom employee gets compromised all bets are off in India, everything from the identity to savings could be lost.

[1] https://abishekmuthian.com/paytm-says-to-me-that-its-pos-fea...

[2] https://www.medianama.com/2016/12/223-paytm-merchant-payment...


> these apps have found their users even among those who have never used a computer in their life

The only internet connected devices these users have are cheap smartphones, and within the phone perhaps the only complex apps that they are familiar with are messaging apps (apart from entertainment and 'selfie' related ones).

So any other authentication mechanism (email or others) would see the usage plummet.


>So any other authentication mechanism (email or others) would see the usage plummet.

True, but Security > Friction; especially when it comes to hard earned wealth in a poor country like ours, where even daily wage earners use UPI now, especially because of COVID-19 induced lockdowns (COVID-19 themed UPI frauds for OTP are also increasing at an alarming rate for the same reason).

Moreover email is federated, not owned by any single entity; I can run my own email infrastructure with minimal expenditure if needed. But for the phone number itself I have to depend upon a Monopoly, Duopoly or an Oligarchy at best who if needed can screw me up if they want at any time.


>cheap smartphones

Disagree. You get surprisingly powerful smartphones within the 100-150$ range. Since you anyway have to shell out close to 100$ for a decent smartphone, many extend that to 130$ (10,000 Rs - a psychological barrier) to get quite a good smartphone - thanks to plenty of Chinese mobile manufacturers.

A few phones with more than decent specs:

https://www.flipkart.com/oppo-a5s-black-64-gb/p/itmffhgzsqac...

https://www.flipkart.com/redmi-8-emerald-green-64-gb/p/itme0...

https://www.flipkart.com/realme-narzo-10-that-blue-128-gb/p/...


The argument was not that cheap smartphones cannot handle email apps (or such); but these phones can only have so many things and definitely no expectation to have hardware based security features.


You probably don't need hardware security features. OS-based software U2F would probably be a step up (prevents sim-jacking, but physical access to the phone is possibly more vulnerable)


> Extraordinary dependence on 'Mobile Number' for security

Yeah this sucks. I haven't been in India since 2018 and I'm locked out of UPI after my previous phone died.


> be prepared for transaction failures at best to getting locked out of the UPI apps at worst

Can you clarify on this? I’ve made transactions with UPI over in-flight Wi-Fi and no cellular coverage. The entire protocol does not require cellular/SMS coverage beyond the initial setup. Unless your specific PSP is doing some risk checks and signing you out, I don’t see why this would happen. The SIM-bindings are supposed to be persistent in nature.

Maybe your PSP is over-eager and you should try switching?


> I’ve made transactions with UPI over in-flight Wi-Fi and no cellular coverage

Not sure whether aeroplane mode interrupts the app's ability to fetch a unique hardware ID (like IMEI, MEID, ESN, IMSI) but I've had such troubles multiple times, but as I said my phone is always on Aeroplane mode.

>Maybe your PSP is over-eager and you should try switching?

Could be. But the choice of apps according to me range from, less trustworthy to totally not-trustworthy and so I'm out of luck there as well. Nowadays, I just enable cellular services for few minutes, recharge that damn thing, before UPI transactions.


I think you're a non-resident dude, sadly they didn't expand the whole UPI protocol to include non-Indian numbers which is a shame, we could've showed off to people.


I am as resident of India, as that Iron pillar at Qutb Minar:)


One counterpoint is that the concept of an OTP is now so widespread that even the most senile of my relatives know not to share it with anyone. I'm yet to hear a single case of socially engineered forgery happening from my friends and family circles, but almost every one of my friends in the US including myself have had fraudulent charges on some credit card once every few years. So this system seems far more secure than whatever cluster* is in the US.


> I'm yet to hear a single case of socially engineered forgery happening from my friends and family circles

Search Google News for [upi fraud India]. It happens far more than you think.


As a UPI user who has been using this from literally day 1 and who is a hard core advertiser of this, here are a few important points:

1. Security: Signup requires phone number validation via SMS and the phone number must be registered with the bank. It also requires additional details like debit card validation. This makes it hard to spoof. After signup your device fingerprint is stored with NPCI and this works as 1st factor. An additional PIN is also required during signup. You can send money only from a registered device and it requires fingerprint and pin validation.

2. Every digital transaction in India triggers SMS, so that provides additional transparency to user.

3. All payments are from bank account to bank account and they happen in real time! Also no transaction fee!

4. Merchants require no special equipment and they advertise their VPA usually via QR code in shops so it’s easy for users to pay.

4. Online payments can be either user triggered or can be requested via pushing a payment request to the user's app. However the user needs to approve the request with pin.

Point 3 & 4 were the biggest reasons why India adopted it pretty quickly. Also of course due to the Jio boom & cheap Chinese smartphones!


Foreigner who spends a lot of time in India here - I find the heavy reliance on SMS/phone numbers to be a frustrating part of the system. If I want to get something with my wife's card, I have to have her phone nearby. I wish they'd think of some creative additions to only using phone number for 2fa. After all, if somebody's card can be stolen, there's a chance their phone can get stolen at the same time.


India's largest state bank (SBI) has somewhat moved away from just using SMS, their debit card now supports 2FA using their app and their credit cards now support 2FA over app, E-mail and SMS. Though I think RBI regulations still require 2FA for all online domestic transactions.


The regulations require it to be enabled by default afaik. SBI (I don't have experience with other banks) allows you to turn off 2FA for different classes of transactions. It's hidden away in the settings on their legacy web interface.


Not to mention the fact that if both card and phone (associated with the card) are stolen at the same time it is a headache to block the card since now you don’t have the phone to log in to your account to block it which requires 2FA. Calling customer care is possible but if they ask for verification then again you don’t have your phone.


> Calling customer care is possible but if they ask for verification then again you don’t have your phone.

Card blocking is easier with phone calls. With most banks, there's a direct option right at the start via IVR - the operator will confirm basic personal details (like DOB), and done.

I have had to do it more times than I should have had to.


My bank sends email too. Not really a solution, but it helps, especially when travelling abroad and having to transact in India.


Q: If a phone number has to be registered and validated, why not use that as the unique ID, instead of creating a separate VPA?

For comparison, in Singapore, the local UPI-like "PayNow" network uses numbers as IDs, meaning you can easily send money to anybody in the system (these days virtually everybody) without needing to know their bank. You can also transfer to any Singaporean company or organization via their Unique Entity Number, which is an existing company/org ID assigned at formation that includes a checksum.

https://abs.org.sg/consumer-banking/pay-now


> why not use that as the unique ID

Maybe I don't want to give people my phone number

Maybe I have multiple phones

Maybe I anticipate changing my phone number (maybe I hate my current carrier)

Maybe I want something easy for people to remember, or catchy "mybusinessname@mybank"

Forcing people to use a particular naming regime should only be done if there is a very compelling case for limiting your users


VPA is used for discoverability across UPI clients. Phone numbers can be used for discoverability among users of a single client. For eg: foobar@icici on Google Pay & baz@hdfc on PhonePe can transact with each other, but can't use phone numbers. But +91-1234567890 & +91-9876543210 can discover & transact only if they are both on either PhonePe or Google Pay or any other client application. QR Codes were initially client-specific too, but now they are scannable across apps.

UPI truly is a revolution. I can have a 6Rs chai tea (8 cents) from a road side tea stall and pay using UPI with zero transaction fees.


> UPI truly is a revolution. I can have a 6Rs chai tea (8 cents) from a road side tea stall and pay using UPI with zero transaction fees.

The main benefit of UPI is that it works really well for small amounts, e.g. the INR 6 tea. Such small transactions were traditionally too small/uneconomical for Visa/Mastercard.

However as the transaction size grows, say you're buying a laptop for INR 50,000 -- that's when the protections Visa/Mastercard build in against fraud start helping you and UPI's "no transaction fee" value proposition also starts looking like "no accountability".

Interestingly, India has a home-grown Visa/MC alternative called RuPay, which also waives transaction fees for small amounts and is a credible alternative to Visa/MC.

Unfortunately Indian startups have been obsessed with pushing e-wallets (PayTM et al) or direct electronic cash transfers (UPI) because it benefits them -- as the transaction size goes up it certainly doesn't protect the consumer.


You can have phone_number@paytm or phone_number@bank as your VPA if you prefer that. Also, with the UPI API, you can search users by phone number, so if I want to send money to a friend and I know his number I can search for his VPA/s.


I use same phone number across multiple bank accounts. So I create unique UPI IDs to receive in each. So Google pay is linked to icici, Airtel is linked to Canara bank. When people send money, I receive it in the corresponding one.

With just phone number, I will need to get multiple sim cards for each bank account.

(User of both UPI and PayNow)


And UPI names are easier to remember than phone numbers. And you can change your phone numbers without any worries


Since that is the most obvious UX, most PSPs automatically assign you mobile@PSP.

However, VPA lookups are public (VPA->Name), so your mobile number can now be used to get your real name, which resulted in a lot of backlash and PSPs making this an opt-out feature.


From my understanding, I think just your phone number/VPA is enough to send money. I am not sure how it works in practice but I assume the VPA concept is there so that your phone number is not exposed if you don't wish to.


This only works if both parties are on the same PSP and no VPA lookup over UPI is required. So if I am not registered on PhonePe, you can’t send me money using just my phone number there.

For other cases, most PSPs will automatically register mobile@psp for you with an opt-out.


VPAs based on just the phone numbers may be convenient, but they can lead to fraud. At least in India where - for the most part - phone numbers aren’t treated like one’s personal data. Apps like Truecaller make it worse. Imagine receiving tons of involuntary charity requests on your UPI app, waiting for you to pay.

If not fraud, it will clutter the whole experience of UPI payments.


Yes, they can be used as well. In fact a phone number can be used to discover UPI ids connected to it, and if the user has signed up via the NPCI app BHIM then <phone_number>@upi is a valid VPA.


Doesn't it bother you that they track everything you do, buy, sell, and know where you go all the time? That they have a forever record of your entire consumer life and potentially beyond? This is why I choose cash whenever possible.


I diversify my payments, wherever I can - but not too much, since the other end is relying on too many third parties. I use SIMPL as a second layer for small value transactions, as it shows up as a single line item on my CC statement.

This is also a country where millions of people give their transaction data willingly to companies like Walnut.


Yes, this disturbs me also (I also prefer cash). Unfortunately cash is regarded as "old fashioned" by many.


I am far less impressed by Indian system. First, it is almost impossible to use regular credit card in India that otherwise works in rest of the world. Indian POSes expect pins and most international credit cards do not have one so they get auto-decline. Some slightly smarter POSes will try to do things like Verified by Visa and usually there are so many bugs in implementation that things never gets through. One of the challenge I give to non-Indian folks is buy Internet access on international airports in India. It is impossible unlike rest of the world. The worst thing is that to even get in the Indian payment system you need govt issued citizenship documents and wait for approvals. Indian websites accepting online payments are usually extremely poorly designed and can't handle International credit cards at all. Most even require that you must have Indian phone number. So imagine you come to airport, have working International plan but you can't use it for payments or anything because the entire system assumes you are an Indian citizen with documents, all government approvals done and have a mobile phone number in India.


> Indian POSes expect pins and most international credit cards do not have one so they get auto-decline

This is actually an America problem and not a world problem. Even cards and POS in Europe are chip enabled. On the other hand, I have used my PIN-less American credit card in Europe and India and it always worked without asking for a PIN.

> Indian websites accepting online payments are usually extremely poorly designed and can't handle International credit cards at all. Most even require that you must have Indian phone number.

+1, the entire online banking experience sucks.

> buy Internet access on international airports in India. It is impossible unlike rest of the world. The worst thing is that to even get in the Indian payment system you need govt issued citizenship documents and wait for approvals

That's not true. There are cell-phone service providers on the Airport that issue you a working SIM with an international passport on the spot. You don't need Indian citizenship. But you do need an Indian bank account for UPI.


Sadly, the answer to almost all of your issues is regulation.

India, in response to various terrorist attacks, enacted laws that made:

1. Burner phones impossible. Every new SIM requires a physical KYC

2. Every bank account requires KYC. And linking to a phone number

3. If you are a public WiFi operator (such as an Airport or an Internet Café), you are bound by law to keep KYC records of who used your services. The easiest way for this in India (that covers almost everyone) is to send an OTP over SMS. Sadly, this doesn’t work if you just landed in India and don’t have a working SIM.

The credit cards on PoS issue is more of a US issue because US banks refuse to support chip-and-PIN. With NFC payments being supported more and more (no PIN required), this should get easier - but I don’t think of this as a fault in the Indian system.

Disclaimer: I work at an Indian payments company.


I am not sure why you are claiming that credit cards are pin-less everywhere. This is true only in the US and in my opinion doesn't make sense at all from a security standpoint.


Disclosure up-front: I've been in the payments domain for 15+ years, 10 of which have been in the Indian payments ecosystem.

From a user's standpoint this is a fair criticism. However, if it helps to mitigate your bad user experience, it helps to know the larger context in which this exists.

The government of India's first, and mostly sole, priority is to build a payment network and get most of its citizens to adopt it. This is an unprecedented challenge at multiple levels which very few know, let alone appreciate.

Back when UPI was being built, the digital infrastructure was shitty, smart phone penetration was not much to speak of, banks were unwilling to support this, merchants didn't care, most of the citizens didn't even have a digital/online identity let alone a bank account -- just to name a few challenges. Overlaid on that is the incredible diversity, scale (1300+ millions), political diversity and so on. Multiple and parallel mega-initiatives had to be carried out (Aadhaar for identity, Jandhan for bank accounts, NPCI to pull together all the banks, overhauling the subsidies system) besides an indirect push through demonetisation.

For the Indian government, payment infrastructure was a means to several ends such as equitable distribution of resources and plugging the subsidy leakage through corruption.

Now in all this international users' use case is so low down the priority that no one would even bring it up, let alone acknowledge it. Even if we go by just numbers, international transactions are so low in comparison that it's less than round off error.

With that, let me try to address your frustration points because not all of them are unique or specific to India.

> Indian POSes expect pins and most international credit cards do not have one so they get auto-decline

As others have pointed out this is mostly due to US cards being behind the curve in adopting better security standards.

This is a feature not a bug and neither is it specific to India. Between acquirer, issuer, network and regulator any one could demand the POS to enforce a PIN failing which merchant is expected to be liable for fraudulent transactions.

> Some slightly smarter POSes will try to do things like Verified by Visa and usually there are so many bugs in implementation that things never gets through.

Verified by Visa (VBV) is one specific implementation of 3DS (3-domain-secure) for online payments. You seem to be confused between POS payments and mobile/web payments. But this is a valid observation/concern. There are way too many systems involved in the transaction chain and coupled with India's not so reliable internet infrastructure it's a recipe for a shitty experience. Though it's improving fast.

> One of the challenge I give to non-Indian folks is buy Internet access on international airports in India. It is impossible unlike rest of the world

The best way to circumvent is to buy airport lounge access. Almost all the lounges accept international cards so you should be fine. It's bit expensive but not so much in $ terms and the lounges are in fact quite nice with free food/drinks nice seatings etc., :-)

> The worst thing is that to even get in the Indian payment system you need govt issued citizenship documents and wait for approvals.

This, unfortunately, is the by-product of Indian government prioritising Indian citizens as I explained above.

> Indian websites accepting online payments are usually extremely poorly designed

This however is fast improving, especially if you use native mobile apps. But even then you do have to contend with 2FA which is downright horrible on a mobile device, but there are some auto-otp-read features that reduce the pain.

There's been a talk of dropping 2FA requirement for low value transactions but I think it's still to be done.

> can't handle International credit cards at all

This, again, is a feature. The fraud rate is so high on international card that it's just not worth it to enable them. Note that the issue here is on the issuing side i.e., stolen US cards are dime a dozen and shockingly they just work out of the box thanks to next to no fraud control on them. There's an option to go through Stripe/Paypal etc., but then their rates are very high (again, due to high fraud rate of US cards) that it doesn't make business sense.

> So imagine you come to airport, have working International plan but you can't use it for payments or anything because the entire system assumes you are an Indian citizen with documents, all government approvals done and have a mobile phone number in India.

This too is a by-product of what I explained above. That said, within International Airports your card should just work fine on POSes. Because those POSes are configured to accept them as, well, they in fact deal with more foreign issued cards than Indian ones. So I'm surprised to hear that that's not the case. Something doesn't add up here.


> One of the challenge I give to non-Indian folks is buy Internet access on international airports in India.

This is by design, because the Indian government is terrified of anonymous phone/internet access and doesn't care one whit about user experience.

Prepaid SIM issuers and internet cafes alike are supposed to ask for and retain documentation about their users, which creates lots of opportunities for identity theft.

The further reason to not be impressed by the Indian system is how it handles fraud. If you are defrauded by UPI, you've got to go to the police/courts -- Indians will know that that's the start of a Kafka-esque process.

Compare this with how Visa and Mastercard handle fraud, at least in the US and W.Europe, and it's far more customer friendly.


It amazes me how seemingly behind US banking is tech-wise. My home country for instance has had the Nigerian Inter-Bank Settlement System for decades; it's quite similar to the UPI but primarily led by the central bank (plus participation is mandatory for all banks/bank-like institutions).

For anyone that's curious, the platform's home page at https://nibss-plc.com.ng/ has a nice little statistics summary of both POS and account-to-account transactions (you might have to scroll past the fold). There's five-minute and whole day numbers for total transactions and error rate broken down into types of errors - it's a nice bit of transparency.


> It amazes me how seemingly behind US banking is tech-wise.

This is a statement true in other infrastructure domains, from plumbing to roads to healthcare. It was explained to me that although the US possesses world-class technology in practically every field, the deployment is mediated through a fragmented and diverse political economy.

That’s when I properly internalised how the US is federated not merely at the top level, but through many strata of localised governance, and the practical consequences thereof.

Couple this to the inertia of regulatory capture by entrenched wealth (which occurs in all human systems irrespective of political construct) and it’s easy to accept that US retail banking, which is approaching three centuries of uptime, will be a very late adopter of mass-market technology.


This sounds reasonable, but I'm not sure it's all the explanation.

The EU is far more fragmented at a government level, but chip&pin cards were much more common than in the US far earlier.

Likewise, mobile communication was far better in Europe 20 years ago than it was in the US (all of Europe had GSM while the US was insanely fragmented).

And the EU was able to push the open banking directive with relative ease while the US still seems to have nothing comparable.

So it seems to me there's something else in play that explains your observation.


> So it seems to me there's something else in play that explains your observation.

There is, and with apologies for the late reply, I'll unpack one term I used, which is diversity. I've lived and worked all over the EU and feel comfortable observing that practically all EU national, regional, and local governments are politically clustered within one deviation of the International Standard Social Democracy. What's more, they actively work together at the top level to promote harmonisation of processes and industrial/commercial/technical/legal/administrative standards.

I'll contrast this with the US where the political window is splattered all over the compass, process & technical standards are driven by corporations that actively seek to differentiate themselves from one another, and regional and local political groupings will take a deliberately contrarian tack on a diverse policy spectrum in order to more clearly disambiguate themselves from opposing forces and to segment and cement their constituencies.

I believe the latter drives more innovation through competition, but distributes it more unevenly. And I'm neither a US citizen nor (currently) resident, just a frequent visitor both for work and play, but I also think that the greatest single quality of the US is being the only country where practically anyone, regardless of cultural backdrop or however divergent their social/political preferences, might hope to find a community of like-minded individuals. What that isn't: a recipe for harmony.


The reason for that is because the US was "standardizing" finance before the EU even existed, and therefore has momentum from those standards that needs to be overcome in order to adopt new standards.

e.g. having strong anti-fraud/anti-theft practices built around signatures.


European countries were also standardizing finance before the EU existed, but that meant that there already was the infrastructure of banks working together (in each country) that was then used to establish the EU wide protocols.

In comparison US banking seems rather adversarial in nature and so there are few interbanking standards which led to the need of a layer on top in the form of credit card companies to abstract away the differences.


> the deployment is mediated through a fragmented and diverse political economy.

Not to mention that bizarre toxic mindset of "I'm losing money (taxes) if someone else is getting comfortable."


Underrated comment. You have managed to eloquently and elegantly summarize why the US is slow in adopting new standards - be it banking or the CDMA/TDMA mess.


I think US (and other western countries like Canada, European countries etc) are VERY different from the Indian market. In US, Canada etc, everyone has an email and banks allow interactive payments already. I have yet to have a single time where I had problems paying someone for something. Interac etransfer works well. Even iMessage, FB messenger etc allow payments. Other services like PayPal, Stripe, Patreon cover the rest of the base.

India is a completely different market. There are millions of people there who don't even have a bank account, nor do they have email. The road-side vendors use cash.


The other thing that amazes me is how quickly people will jump to defend the US' hodge-podge of third-party walled garden options. I've been able to send near-instant account-to-account transfers for a decade, for a stamp charge capped at the equivalent of about thirteen cents, via a first-party platform that every bank or bank-like institution is required to be part of. So yeah, "options" like "join Facebook" or "wait a couple business days for your transaction to be complete" or "pay (comparatively) exorbitant fees" will always sound inherently ridiculous to me.

To my knowledge the situation in the US is getting better with the rise of Zelle, but that's still a half-assed solution - not all institutions participate, and customers have to opt in to it. Quite a few (older) people I've talked to don't even know it exists.

> India is a completely different market.

Ironically you are quite close to getting the point here, which is that India (and many other developing nations) are able to build and push the cutting edge of national fintech precisely because they don't have decades if not centuries of cruft and technical debt weighing them down. They can skip the inefficient stages of development that developed nations went through and go straight to creating banking systems for the 21st century.


FWIW, the few times someone tried to send me money via Zelle, it’s been a mess.

Whatever email they sent was caught in GMail’s filters, so I never saw it. And you have to click a link to accept the payment, even from an established contact who’s sent funds previously. And after a bit the funds get returned. Too easy to lose money.

Instead, I just ask friends to use Square Cash. Auto-deposits into my bank account so there’s nothing to worry about.

Also, higher value payments are still easiest via check - since the online payment services will threaten to suspend your account if they think you’re running a business. Splitting rent amongst roommates was enough to get one of my accounts flagged as a business.


I've been using Zelle for 5+ years and I've never had to click any email. Other than initially logging into your bank account and setting up which email/phone number you want to use, I haven't had to do anything.

All I do is tell people to send money to my phone/email, and it shows up pretty quickly.


Distributed pay mechanisms are a good thing in my mind. I don't know why everyone thinks it's a great idea to have corporations, the government, and banks knowing everything about your buying habits and consumer persona.


Having a patchwork of 20 payment accounts is a mess and a security risk. Besides, I trust my bank much more than I trust Google / Facebook / etc.

If I really want to spread my payments for privacy, I can open 10 bank accounts in 10 different banks.


UPI doesn't work without a bank account. Additionally, its launch was preceded by the Jan Dhan Yojana [0] which pushed hundreds of millions of the poor to open bank accounts. Today most street vendors in India - including even pushcart vendors - will accept payment via UPI. It has become even more popular in the past couple of months because of Covid-19 and hygiene concerns with handling cash.

0. https://en.wikipedia.org/wiki/Pradhan_Mantri_Jan_Dhan_Yojana

Edit: added link


I think other countries (particularly Europeans) like to think we're primitive and still paying with pieces of 8 and bartering with furs and hides.



In fact, I've often thought it would be an interesting experiment for a developed nation to form a partnership with a developing one - equal, of course - to experiment with what modern infrastructure might look like without having to cater to legacy systems.


A unique challenge for US dollars is that as the default choice of all kinds of dirty money, it has a huge laundering problem. This is not the case for Chinese Yuan and, I presume, Indian Rupee.

In China the gov doesn't care about any amounts of transaction or cash, you can walk into banks and deposit millions of dollars of cash and will be treated as VIPs, "all-cash-bill" buying of condos is normal. I think it kind of has something to do with corruption, since you don't know who is behind this money and what trouble you will get into if you dig too deep.

Also the protection others mentioned, once the money got to other accounts, which usually happens instantly, it's almost impossible to get it back.


Google for Hawala.


This is not true in India. Every transaction bigger than 50,000 needs a PAN card. RBI monitors all big transactions. You can't deposit any big amount in a bank without mentioning proper sources, else the Income Tax dept enquires about you. The Indian way of doing corruption is Hawala (gold mostly). As the Modi govt did demonetization, all old currency became obsolete, wiping out huge black money. Now nobody wants to launder money in cash. The govt also tried to bring in the Aadhaar card system, similar to the US security number, so everything can be tracked, but it was opposed by the court.


It's going to be a looooonnnng time before Americans voluntarily turn over all their buying power to a government controlled payment system that takes away all consumer privacy. I still pay with cash myself when I can.


I don't think the poor in India are worried about Govt knowing about their 5-10 rupee purchases. Vast majority would be worried about where their next meal/income would come. Privacy would be for the rich to worry about their income getting reduced by Govt taxes.


Thank you for sharing this. Very impressed with this transparency by the switch operator. I couldn't tell how reliable this switch operator itself is. Is there statistics reported from the perspective of the payment initiator? (consumer-side app/service provider)


The US isn't behind; 99% of the places I go will accept a phone payment. I still choose cash as I don't like everything I do being tracked and documented forever.


I'd love for the US to adopt a standard that is bank agnostic, like ACH, but allows for near real-time payments from P2P but also person to business payments.

It's a big problem when Visa, Mastercard, and PayPal control a large part of money transactions.


FedNow is exactly this system [1]. What’s more it’s an initiative by none other than the federal reserve which can, to an extent, twist financial institutions’ arms to adopt it.

[1] https://www.frbservices.org/financial-services/fednow/announ...


Visa, Mastercard, and Paypal offer more than transactions though; they have "buyer protection", "seller protection", etc.

In theory, all you need is institutional trust and KYC, but as soon as you hit a situation like, "oh shit, someone stole my wallet (/ online identity)", you realize why the fees are there.


There are a lot of transactions that don't need that protection, and it's crazy to have to pay for it on those transactions too. You want to buy a 5c emoji for use on a social network? You can't, the minimum transaction fee is 30c. Who's going to issue a chargeback on a 5c emoji? And batching is a non-solution.


Right. UPI appears to be a payment system only. Not a sales transaction system. When you buy something with a credit card, there is evidence of a transaction in both directions - you buy some thing from a seller. That allows disputes, dispute resolution, and reversal.

A one-way payment system, such as Venmo, lacks that. (Venmo is trying to retrofit a dispute mechanism, for which they charge 3% extra.) What's Google proposing? Probably something with terms that include "sole discretion" (theirs) and forced arbitration.


The article is a fairly easy read, and would answer your question "What's Google proposing". They don't seem to be proposing "sole discretion" or forced arbitration. The Indian UPI system specifically involves a central agent, effectively a government body, that is involved in setting up and authenticating all transactions that occur using UPI.


This "protection" is not free, in fact is quite expensive. I think most customers would be better off without them. Many customers when faced with having to pay the 3% for it opt out. And most merchants do not have really any protection at all, at least none that I am aware of.


Compared to the time before cards, merchants are protected from credit fraud by simply being partially connected with the bank so they don't have to hire their own debt collectors.

https://minesafetydisclosures.com/blog/2019/5/29/part-l-a-hi... ( https://news.ycombinator.com/item?id=20523646 )

Nowadays cards are taken for granted and always accepted because it's necessary, but it would still be pretty hard to create your own system that checked if a user had enough funds in the bank to purchase something without either Visa/MC (or I guess Plaid).


I would like to try out the (European?) variation on escrow wherein transactions are collected and at the end of a month there's a statement you get to review for a few days, and by default everything's approved.

That would offer buyer protection, seller protection would necessarily relate to some combination of combining contract fulfillment reliability / risk and where fitting holds that either side can clear early if the transaction is canceled. (With notification)


Yea until they don't. Exhibit A: StubHub [1]

[1]: https://www.wkbw.com/rebound/coronavirus-money-help/stubhub-...


>> "oh shit, someone stole my wallet (/ online identity)"

Isn't one supposed to be responsible for their own passwords/security? Does Microsoft take responsibility if someone steals your Windows password or hacks your computer? No, they will just say it's you who didn't install the security updates. Why should a banking transaction be any different?


Because banking is serious business and windows is not.


Because if this became the way the world works way more people would be scammed.


There is one. It is called RTP - Real time payments

It is currently undergoing adoption among several big banks, although adoption for individual non-corporate accounts is slow


How does it compare to Zelle (Early Warning Systems) from an integration and cost perspective for financial partners?

Personally, I’d rather the Fed run real time payments instead of some private consortium made up of the largest US banks (some governance/oversight vs less so as a private corporation), but the Fed’s been dragging their feet for years while Zelle has rolled out quickly. Humorously, Facebook’s Libra is what set a fire under the Fed [1] [2].

[1] https://www.bankingdive.com/news/fed-gives-new-details-on-it...

[2] https://www.federalreserve.gov/newsevents/pressreleases/file... (warning: 50 page pdf)


"Personally, I’d rather the Fed run real time payments instead of some private consortium made up of the largest US banks "

I always thought that the Fed is exactly this? A private consortium out of the biggest US banks?

(But I am not a US citizen, but this is what I understood and thought strange, compared to the EU for example)


It’s a public private hybrid entity that is accountable to the US Congress (who also defines their mandate).

https://www.federalreserve.gov/faqs/about_12798.htm


We already have wire transfers, but due to high costs they are really only used for high value transactions.


Wire transfers are literally nineteenth century technology. They're a bad choice today for transactions of any value.

They're amazing if, in fact, you don't yet have the Public Switched Telephone Network, and so ordinarily data moves no faster than a horse in your culture. And they're completely astounding if you do not yet have the Universal Postal Union and so ordinarily data doesn't move over long distances at all.

But if you live in the mid-20th century or later you can do better. "Let's make wire transfers free" is one of those ideas which you'd come up with through lack of imagination. There's an apocryphal Henry Ford quote about customers wanting "faster horses" but more recently when people had no idea they all wanted a handheld computer we told them it was a "mobile telephone" so they'd buy it and we could let them discover they've never wanted a telephone anyway but they did actually want a handheld computer.


It is a super exciting time to be doing fintech in India. Here are the open APIs.

UPI = Venmo + Paypal

UPI Autopay = open credit card subscriptions pull

PCR = Open FICO+Equifax

NBFC-AA = Open Plaid

Digilocker = Open docusign+dropbox

OCEN = Open Lendingclub

Together, they are called IndiaStack (along with our upcoming health and drone apis).


Plus Aadhaar, eSign, and eKYC


UPI is a fascinating battle field of tech companies. I had a front seat to some of the negotiations happening to build platforms on UPI. There was a fear in India that foreign tech companies would monopolize that platform.

Concurrent with negotiations to build on UPI, there were also leaks and stories by both sides in the press to bolster or communicate positions. For example, there was one story where an official said that a tech CEO made a commitment. The tech CEO did not make that commitment. That company's team had their own set of meeting notes confirming their position. Other companies were livid with the tech company for supposedly taking that position. With the story now published, the tech company could not publicly deny the story or else they would anger the other side. So they quietly rolled with it.

It is also a credit to PayTM's CEO. Their CEO saw that succeeding with UPI was a matter of survival. Backed up against a wall, he fought back against his competitors with everything he had and is winning so far.

Someone needs to write a book on the behind the scenes happenings.


> winning so far

Given PayTM’s losses[1,2], I find “winning” an odd choice of words.

The reality is that digital payments in India experienced an artificial “bump” following India’s ill-thought demonetisation experiment, which has evaporated since. And what growth there is, is on vendor-neutral UPI (which Facebook, Google, Jio et al can all use) rather than proprietary e-wallets like PayTM.

[1] https://timesofindia.indiatimes.com/business/india-business/...

[2] https://www.livemint.com/companies/news/paytm-sees-its-losse...


That's so fascinating. If I wanted to know more about this side of Indian fintech, where should I start?


Read everything by Arundhati on The Ken. She covers fintech extremely well.


Brazil is doing a similar bank-agnostic system called PIX. Kinda interesting how in the previous thread where I mentioned it a lot of people were against it because it was "not competitive" while here I'm seeing (mostly) praise for UPI.

IMHO, this is how it should be, a bank-agnostic standard set by the central bank that other services use to connect to the central and with each other. Competition is good? Yes, but not when it's a complete mess.


I love UPI and it has proved to be a boon in this time when I am scared of touching cash. It's very fast, easy and quite reliable in my case. In Bangalore, it works literally everywhere. From the smallest shops to big supermarkets. Many small shopkeepers even discourage me from paying in cash.

But people need to realize one aspect of UPI that it is exactly as unsafe as cash. Would you send cash to someone over the phone for accepting delivery of a product later? No. So don't do that with UPI.

Use UPI when it would be appropriate to use cash, when you're standing face to face with the seller. Just think of it as more convenient cash. Otherwise, it is ripe for exploitation by thieves.


> Just think of it as more convenient cash.

Yup exactly. As someone mentioned above, it's a frictionless payments system, unlike Visa/Mastercard which also offer dispute resolution.

Of course, if you trust the vendor, I don't see why you should implicitly pay for the protection mechanism of Visa/Mastercard when UPI is literally free.


> when UPI is literally free

So far. Lots of banks are fighting to introduce fees. The actual cost is getting subsidised so far, but there are no free lunches. Banks can't keep this up forever.


RBI recently issued a circular inviting companies to build a retail payments network, in parallel to UPI [1], under New Umbrella Entity (NUE).

Two key aspects of NUE are, it could be a for-profit, and it'll be governed by India's FDI rules, meaning foreign investments are allowed and could even be encouraged as FDI rules get relaxed.

Both these are in direct contrast to NPCI's charter which is a not-for-profit and entirely owned by Indian entities. In fact NPCI is a quasi government organisation, owned by a combination of RBI and Indian banking association.

Google (through its India subsidiary) has already applied for building/operating an NUE, and I won't be surprised if Facebook has done it too.

I just hope that 20 years down the line we won't end up with a fragmented quagmire with half a dozen payment networks each of which don't talk to anyone else. UPI solved a huge problem of interoperability and it'll be a shame if its seamlessness is squandered away.

[1] https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3832


> Both these are in direct contrast to NPCI's charter which is a not-for-profit and entirely owned by Indian entities.

By Indian entities, if you do include Citibank and HSBC (local arms), then yes. The promoters are private and public banks.

> In fact NPCI is a quasi government organisation, owned by a combination of RBI and Indian banking association.

It's promoted by RBI, but not really owned by it. The ownership lies with the consortium of private and public banks.


It takes like 3 days to pay my Chase credit-card from my Citibank account. Lots of waste happening in the financial system.


AFAIK, that's not waste, it's intentional. That's three days of that money out of your books, and on the banks' side.


While this is true a lot of banks would like to do it instantly as it would be an advantage over others and drive more people to sign up for the feature.

The real problem is most banks' backend systems are still old mainframes where this isn't possible.

Source: I'm a prior developer at multi-billion dollar payment processor working with many acquirers.


> The real problem is most banks backend systems are still old mainframes where this isn't possible.

The rest of the world manages it. Do they not use mainframes?


In the UK at least the answer was government fiat.

Faster Payments is the unimaginative name for the rule that allows most UK bank account holders to move money the same day (typically in reality instantly) at zero cost to them. The date for Faster Payments becoming possible was set, and banks are just obliged to provide it. Some were earlier, most were not.

The banks did not actually implement the underlying backend transfers in time, but customers don't care. Rick Smith, father to an 18 year old daughter who seemingly always needs another few hundred quid for something wants to send Beth £750 right now, and Beth wants to be able to spend that money when she receives it from her father. Neither of them cares that Rick's and Beth's banks are running different versions of some 1970s COBOL application or are struggling to ensure a backend funds transfer matching the Rick-> Beth transaction happens in a timely fashion.

So the banks just faked the UX. This technically means if Rick's bank fails after Rick sent the money, but before the backend catches up in a day or two, Beth's bank (but not Beth or Rick) could lose the value of the transaction because the underlying money actually didn't go anywhere yet, just the two account balances were updated. But regulators reasoned that banks being more likely to freak out and report if they suspect their competitors are struggling and likely to fail imminently is a good thing so let them take that risk.

Maybe they have subsequently fixed their backends, maybe they didn't, as an end user I needn't care so I paid no further attention.



Engineering wise, it's a miracle that UPI works. All of the banks have very little in the way of consistency checks and proper abstractions. Everything is superglued together and very brittle. There was clearly little direct communication between NPCI, the issuing banks, and the users of the apis in development.

I agree with India's protectionist attitudes that have kept Western companies from monopolizing the ecosystem though. It works well enough, much to the chagrin of SV tech companies lol.


Great idea; let's have USPS administer it, like they used to do for money orders and wire transactions. No sense in replacing Mastercard with Google.


I think this is an excellent suggestion, assuming the post office survives an ongoing calculated attempt to cripple and privatize it. Routing digital payment requests to bank addresses is a natural extension of the responsibility of routing all physical mail to any physical address.


I think the Fed is a better place to administer this. It already does checks and ACH payments.


From the article:

"National Payments Corporation of India (NPCI) is a non-profit set up by the Government of India to facilitate digital payments. They facilitate many payment schemes (like IMPS, BBPS, FASTag, etc.)"


Just to clarify, set-up here means that the RBI gave it permission and authority to operate retail payments in India.

It is not controlled by the government and is a separate entity that more or less operates as a conglomerate of major banks.


Except that UPI is a payment standard; Google neither has a monopoly over it nor is it the only payment company that supports UPI in India. There are many others like Paytm, Phonepe, Mobikwik, etc.


The USPS doesn't seem like it's going to exist in a few more months.


Killing it will hurt rural areas, Trump's base, far more than urban areas, where there are other possibilities to get things delivered. If it's destroyed, the guilty party (Trump) will be destroyed, and it will be put back together next year.


As an Indian citizen living in Germany right now, I sorely miss UPI. My workflow to order food in India - 1) open app and add things to cart 2) Google Pay (linked to UPI) prompts for my fingerprint and that's it. In Germany, I mostly end up using SOFORT which involves remembering my account number, pin, and then using a mobile OTP. There's no "easy" way to transfer money to friends - everyone either uses paypal or Transferwise, which requires an additional step to withdraw funds to your bank account. When shopping at brick and mortar shops, the payment options are either cash or a card. For a country that enjoys such a high standard of living, Germany has surprisingly underwhelming digital banking infrastructure.


The big concern I have here is that the address resolution seems similar to DNS... Which is very bad, IMHO. Are they taking necessary steps to mitigate DDoS and man-in-the-middle attacks? If they're not, they're setting themselves up for major disaster.


>>Just like how domains get resolved to IP addresses, every VPA needs to be linked to a bank account. The UPI handles get resolved to bank accounts and IFSC during the payment (we will see how).

I am sure I am missing something. Just curious to know where do you see an attack vector for DDoS or MOTM attack?


> Are they taking necessary steps to mitigate ddos

I am not sure how this would happen in this case. If you want to flood the system you will have to initiate a lot of payments, which will be costly.

Both sender and receiver are authenticated with the bank, so there is traceability.

Also, you need a bank license from the central bank to act as a bank and each UPI is linked to a bank account which itself is linked to details. To add, it is now difficult (not impossible) to have an anonymous bank account because they are linked to a central ID called the Aadhaar number [1] and other KYC procedures.

One will have to really execute an elaborate scam like in Ocean's 11 movie to make this work.

[1] https://en.wikipedia.org/wiki/Aadhaar


I don’t know about UPI, but those concerns can be mitigated by not operating on public networks. The SWIFT payment network for example is private[1] and is only accessible via dedicated routers.

[1] https://www.exalog.com/en/swiftnet-network-banking-communica...


Relying on perimeter security like this means you are as vulnerable as your weakest nodes. SWIFT can be and has been hacked via its less sophisticated participant banks.


Actually this got me thinking they should have built the resolution system on top of DNS. We already use emails for very sensitive communications and rely on DNS to resolve them correctly. I'm not sure why we couldn't do the same for payment addresses.

NPCI could definitely be a single point of failure, and I think that makes them vulnerable to more than just MITM and DDOS attacks.


The “resolution” is done by forwarding the query to your PSP which forwards it to the NPCI which forwards it to the issuing bank.

The client-PSP is over HTTPS, and the remaining legs are over UPI (which is essentially SOAP+XML) which uses XML signatures.

There are rate-limits built at most ends, and I think most PSPs also cache the resolution.


The resolution is not done at the client end, but in NPCI, while processing the transaction. So this is nothing like DNS.


UPI is growing at an incredible rate.

One important reason for the growth is the explosive increase in 4G connectivity in the last 4 years, which has data usage on mobile see a compound average growth of 93% to become the highest in the world at 11.2 GB per user / month. The rates are almost laughably cheap, at around 0.20 USD/GB.

COVID has also driven more recent growth because people don't want to handle cash.


The best feature of UPI for me is that it provides USSD code (*99#) to interact with the UPI. Since I only use FLOSS apps (via f-droid.org) on my LineageOS I use UPI without installing any UPI app (which all are proprietary e.g. PayTm, Gpay etc.).


There are just so many things that make me fearful of either losing my phone or having it irreparably damaged. The account recovery process can be a. too hard or impossible (Hi Gitlab!) or b. too easy (too simple security questions).


I can't figure out which account you're worried about here.

Your bank presumably knows a bit more about you than... nothing like a free Gitlab user and the account is valuable to both of you. So they can "just" do old fashioned manual account recovery as they would have in 1820 or 1920.

If I lose my phone and all backup authenticators, maybe in a house fire or something, I can live with the fact that maybe I need to go in person to a big stone building and talk to a human face-to-face about account recovery. My home just burned down, I think I can make a little time for essentials like that.


No such issue with UPI. 2FA makes sure no one can do payments from your lost phone; and the signup process for UPI (on a new phone) literally only involves creating a PIN as the bank account associated with your current phone number is added automatically through SMS verification.


2FA with some rescue codes printed and kept in your wallet / safe box seems like a reasonably bulletproof setup (hi GitHub!), but not every important site offers this.


Yes, that's decent. I also like services that allow you to register multiple 2FA devices for an account, e.g. my backup phone not only serves as my backup phone, but also my backup 2FA device. I believe Rackspace allows this.


Printing them and carrying them in a wallet that could be lost or stolen seems like asking for trouble.


Unless you're a victim of a targeted attack, and the perpetrators know your accounts and go to immediately hijack them, it's a non-issue. You just generate and print new rescue codes, and the old codes become invalid.
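The rotation behaviour discussed in the comments above (printed rescue codes that become invalid once a new set is generated), as an added example that is not part of the thread and not any site's actual implementation. The class name `RecoveryCodeStore`, the ten-code set size and the code format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumption: ten codes per printed sheet
CODE_BYTES = 10   # 80 bits of randomness per code


def _digest(salt: bytes, code: str) -> bytes:
    """Hash a code for storage; dashes and letter case are ignored on input."""
    normalized = code.replace("-", "").strip().lower()
    # Codes are random and high-entropy, so a salted SHA-256 is enough to keep
    # a leaked database from revealing them (unlike user-chosen passwords).
    return hashlib.sha256(salt + normalized.encode("utf-8")).digest()


class RecoveryCodeStore:
    """Hypothetical server-side store: only hashes of unused codes are kept."""

    def __init__(self):
        self._sets = {}  # account -> {"salt": bytes, "unused": set of digests}

    def regenerate(self, account: str) -> list:
        """Issue a fresh set and replace the old one.

        Replacing the stored set is what invalidates a lost or stolen sheet:
        the old digests are gone, so none of the old codes can match.
        """
        salt = secrets.token_bytes(16)
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(CODE_BYTES)  # 20 hex characters
            codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
        self._sets[account] = {
            "salt": salt,
            "unused": {_digest(salt, c) for c in codes},
        }
        return codes  # shown to the user once, never stored in clear

    def redeem(self, account: str, code: str) -> bool:
        """Accept a code at most once; unknown accounts and codes fail."""
        entry = self._sets.get(account)
        if entry is None:
            return False
        candidate = _digest(entry["salt"], code)
        match = None
        for stored in entry["unused"]:
            # Constant-time comparison of each stored digest.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        entry["unused"].discard(match)  # single use: burn the code
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    sheet = store.regenerate("alice")       # constructed account name
    print("first sheet:", sheet[:2], "...")
    print("redeem once:", store.redeem("alice", sheet[0]))
    print("redeem twice:", store.redeem("alice", sheet[0]))
    store.regenerate("alice")               # wallet lost: rotate
    print("old code after rotation:", store.redeem("alice", sheet[1]))
```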


I keep all my secure codes in my password manager.


I've made five trips to India for business, the most recent was in 2017. The system that was instituted just before my last trip caused me major problems, as suddenly two things happened: foreign credit cards were no good for payments online (I had to get a colleague to buy my Taj Mahal ticket online and pay him back with cash), and it was suddenly much more difficult for some people I was trying to pay to accept payments in cash; restaurants and hotels could still get it done, but for others it was a major problem. I hope they have these issues straightened out by now.


The article looked great until the introduction of the NPCI system. It's essentially a single point of failure, and the best place to observe all the transactions of the whole country. It's controlled by the Government so it will be really tempting to peek into it.

> Imagine the pain that everyone has to go through in reaching a consensus when configurations or infrastructures change. It would be chaos.

Welcome to the Internet.


So is the Federal Reserve, so is the SEC, so is the IRS, so are all the financial reporting laws that require transactions to be reported to the US government for audit and regulation. I fail to see how NPCI is any different. The solutions won't be any different either: the government has laws restricting unregulated access to data and developers will implement access controls to enforce these laws.

The financial system in practically every country is already fully controlled by a central authority, and for good reason: finance is critical to national security and financial decisions are inherently political, therefore finance is controlled by political authorities.


You are wrong on one very important point: NPCI is a non-government entity. It is a not-for-profit corporation that acts as a conglomeration of banks. The government gets a say in it by 1. owning public sector banks and 2. regulating it indirectly as RBI (which is itself quite autonomous).

It is more akin to a not-for-profit VISA than the Fed Reserve.


> NPCI is a non-government entity

Fair correction. However, correct me if I'm wrong, it still plays the role of a singular national authority blessed by the central bank. I'm skeptical that its non-government status is an important distinction when it appears to be an exclusively Indian institution co-established by the RBI. I don't think Visa's status is quite the same: Visa has actual competitors and operates under many foreign jurisdictions. I'd say the NPCI is as trustworthy and protected as the government institutions that bless it.


Yeah, the VISA comparison isn’t apt either. Maybe if VISA had a higher market share.

The RBI initiated a process to set up a parallel body to NPCI, but that will take eons in fintech time.

The non-government status is important because the NPCI fought a case (and won) to keep it out of the ambit of the Right to Information Act. It is an opaque institution with a government-granted monopoly that is also simultaneously a cartel of sorts.


There are redundancies built into the NPCI system. There is more than one data center, etc.


Multiple DCs do not resolve the single-entity issue. Connectivity failures are not the only kind of failures that can happen.

The equivalent for US would be for VISA to have a marketshare of 90% and MasterCard around.

RBI floated a paper recently trying to set up an alternative body to fix this, but this might take ages.


Slightly OT, but what's the simplest way to offer more payment options online in India? Is there a way to set up UPI as a foreign company?

For context: we're a small B2C bootstrapped company offering online anatomy learning. We use Stripe and Paypal (via Fastspring), but it seems like it's far from enough for the local market in India...


The best option is to tie up with a payment gateway like Razorpay, Instamojo etc. They allow a variety of payment methods including UPI and also what is called "Net Banking" - which is direct transfers from a bank account even without UPI being used.

They also support a variety of wallets.

Instamojo actually advertises that they support over 100 payment methods.

Some of these payment gateways also allow you a "Pay Later" option which allows the user to pay via a micro loan that they take from the gateway. This is apart from the credit card, debit card options.

Razorpay: https://razorpay.com/payment-gateway/

Instamojo: https://www.instamojo.com/


Razorpay only supports merchants registered in India.

Disclaimer: I work at Razorpay.


True. They will need some sort of an Indian subsidiary or go through an Indian registered company to allow Razorpay or Instamojo payments.


Thank you. I’m not sure that’s an option for us unfortunately. Unless you know of some Stripe Atlas equivalent service for setting up a company in India?


Unfortunately I am not sure if there are other ways of doing this. You may want to check with one of the primary backend services of the payment gateways - fsstech.com


This looks like a Bancontact/SEPA combination.


Remembering Bank A/c number + IFSC is safe/better


As if what we need is even more surveillance capitalism...


Every electronic transaction you're involved with is already surveilled, so it's hard to see how that would change.

But how about NOT having to pay banks for instantaneous funds transfers to any 3rd party? And how about actually having instantaneous funds transfer to any 3rd party (something which does not exist in the US banking system)?

Same surveillance, lower costs, faster payments.


Bitcoin already works for cheap international transfers.

And no, my bank won’t give any details about my account and its transactions (unless I do something really horrible), even to the national tax authorities (I live in Switzerland, where bank secrecy is still a thing, at least for the residents/citizens).


This is generally true in Switzerland as you stated (with those exceptions for more serious issues) for residents, as Swiss citizenship is irrelevant. Anyone resident in any of a host of countries with which Switzerland has signed agreements can have their bank details shared with the country of residence.

I suspect a fair amount of other countries have this discrepancy as well. Based on a brief online search it seems like the data on US checking/savings accounts of US residents are not shared with the IRS, for instance, unless a summons (which can be contested) is approved. I'm not sure what the difference is in practice.


UPI is not nice.

1) UPI is unreliable. Based on my experience, it doesn't work many times per day. I once needed to beg my friend to pay for me after realizing that it didn't work when I purchased something in a shop but had no money (only a UPI account).

2) It is closed source. UPI forces every app that uses UPI to use its closed source code.

3) I find Bank transfer like IMPS/NEFT more reliable than UPI.

4) One advantage of UPI is its ID, which led to discovery of account (through QR code). This is also the reason it got adopted by people.


Can't really confirm on the reliability. I've used UPI for ~3 years now, I don't remember it failing more than maybe 4-5 times. I guess it depends on the bank whose UPI account you are using. Syndicate fails regularly, ICICI is almost always up.

> 3) I find Bank transfer like NEFT more reliable than UPI.

NEFT is great for occasional transfer of a large amount of money, but not for daily transactions as it requires a lot of info compared to UPI (it needs the receiver's name, account number, IFSC code, branch name compared to UPI's singular <person>@<bank> id)


1) I was referring to IMPS, not NEFT (mistyped).

2) An ID could be created for IMPS account like in BHIM to mitigate the "lot to fill" problem.


NEFT is not real time like IMPS (on which UPI is built). I don't think it is UPI that is unreliable, it is your bank. I have been using UPI on two accounts, SBI one is the one I face some problem from time to time. I agree with the closed source point, though.


NEFT now runs on 30 minute batches, and it is 24x7x365. RBI changed it December 2019.

It’s still not real time, but NPCI doesn’t see your transactions :)


Oh that's so convenient, I thought NEFT was still limited to working hours only. I wonder how the technology underneath changed to enable this.


> wonder how the technology underneath changed

80% of fintech is Excel sheets getting sent from one system to the other. A lot of these were babysat earlier, and RBI changed this over a year or so. They asked for banks to make sure the processes were automated first, then lots of test-runs.

I think another important reason was that the morning rush (build-up of pending transfers) was causing issues and chokepoints. Smaller window-sizes helped fix that.


By babysit, do you mean someone used to go through the sheets and update all the accounting stuff? I know it's a bit of an idiotic question but I won't be really surprised if that's how it was.


Well, I was referring to IMPS (mistyped as NEFT) as I thought it is more reliable (on which UPI is built).


> UPI is unreliable

I have made thousands of UPI payments, make at least 1 payment daily, and never has a payment failed after telling me it has succeeded. I get an immediate fail/pass and that has never been wrong.

> I find Bank transfer like IMPS/NEFT more reliable than UPI.

I find NEFT to be very unreliable in the time it takes to complete the transaction.

I think the main driver of UPI adoption is the immediate nature. It is as fast or faster than transacting in cash. NEFT/IMPS etc need you to add payee, confirm addition using 2 factor, wait for 24 hours to get it unlocked, then the actual payment also takes at least a couple of hours, it doesn't work on weekends. UPI is literally 10 seconds from scanning QR code to the shopkeeper getting a confirmation on their phone. It takes more time to deal with cash!


"UPI is unreliable"

Not saying it is 100% reliable, but there's a good possibility the aggregator you are using (GPay / PhonePe / etc.) might have issues on the whole or with the account.


In my experience it's usually the bank having an issue on their end. If you try to make a transaction late at night, say 2am, there's a good chance your bank is "down for maintenance". My account is with a public bank, not sure if this is true for private banks. Either way, reliability varies from bank to bank.

One reason behind this (communicated to me by a friend who has some insight into the banking system) is that the government has prohibited charging for UPI transactions. So every bank needs to maintain the infrastructure to integrate with UPI but doesn't make money off it. This leads some to not treat it with priority (a good to have, not a necessity) or treat it like IMPS/NEFT/RTGS (which only work in a fixed time window).

Overall the reliability is still quite good and with increasing reliance of the masses on it, it will hopefully get better.


UPI usage/traffic has grown orders of magnitude each year. That kind of growth isn't handled reliably by the best of the startups even today (remember twitter in its early years?). Banks do invest a lot of money/resources into running/managing UPI but that alone isn't enough. There is no substitute for time and experience (talent) that's needed for the culture change within bank IT teams to mature, and their leadership teams – they have to shift their thinking to deal with the pace of growth and frankly the pace of changes as well.


UPI is extra glue over IMPS, which is definitely more battle-tested.


It is not anymore. It started off like that. The ledgers are completely different. UPI does 8x volumes of IMPS now.


I am downvoted for this comment. I need reasons. Did I say something fallacious? Of course not.



