Security Analysis of Unified Payments Interface and Payment Apps in India
Renuka Kumar, University of Michigan; Sreesh Kishore; Hao Lu and Atul Prakash, University of Michigan
Since 2016, with a strong push from the Government of India, smartphone-based payment apps have become mainstream, with over $50 billion transacted through these apps in 2018. Many of these apps use a common infrastructure introduced by the Indian government, called the Unified Payments Interface (UPI), but there has been no security analysis of this critical piece of infrastructure that supports money transfers. We do a security analysis of the UPI protocol by reverse-engineering the design of this protocol through seven popular UPI apps. We discover previously-unreported multi-factor authentication design-level flaws in the UPI 1.0 specification that can lead to significant attacks when combined with an installed attacker-controlled application. In an extreme version of the attack, the flaws could allow a victim’s bank account to be linked and emptied, even if a victim had never used a UPI app.
Watch my Usenix Security ’20 talk here:
https://www.usenix.org/conference/usenixsecurity20/presentation/kumar