back to article Scammers use India’s real-time payment system to siphon off money, send it to China

China-based scammers are using a combination of fake loan apps and India's real-time mobile payment system, Unified Payments Interface (UPI), to separate victims from their cash, according to a report by threat intel firm CloudSEK. "UPI service providers currently operate without coverage under the Prevention of Money …

  1. Raj

    Why are you characterizing a social engineering crime as a technical vulnerability off the UPI platform ? You realize this entire scam can be transacted face to face as well ? It’s how old people are commonly duped around the world.

    1. Dan 55 Silver badge

      Because of what's written in the second, third-to-last, and second-to-last paragraphs.

      1. doublelayer Silver badge

        Most of those things are problems that could exist in any payment system, and aren't particularly reliant on any peculiarity of India's. The only technical change suggested was this:

        One key initiative could involve verifying that any new mobile number added to an account matches the account holder's name, thwarting scammers from gaining control by altering phone numbers," advised CloudSEK.

        That change is not likely to help much. If India tracks ownership of phone numbers, scammers could buy cheap phones and have them registered as their mules while keeping control of the devices. The people who are changing phone numbers are those who decided to be willing accomplices, so this shouldn't be a problem. This suggestion would work better if the scam involved the victims changing their account phone numbers, but the article makes it clear that they are socially engineered out of their cash and the account details only apply to people who have time to set up the infrastructure beforehand.

        The point that the system operates outside the money laundering law is a better possibility, although they didn't suggest what technical changes are required to fix that. Unfortunately, a lot of schemes like this manage to get around such legislation if the scammers simply wait a bit longer for the funds to clear before cashing them out or transferring them over borders. Scam rings that operate this in a variety of western countries, including but not limited to many large ones based in India, know this firsthand. If our banking systems, with all their anti-laundering facilities can't prevent that, then adding a delay to their system is unlikely to be sufficient to prevent it in India either. You'll need more, and I don't know what that would be.

        1. Dan 55 Silver badge

          Most of those things are problems that could exist in any payment system, and aren't particularly reliant on any peculiarity of India's.

          I don't think I ever suggested these problems were reliant on any peculiarity of India's.

          That change is not likely to help much. If India tracks ownership of phone numbers, scammers could buy cheap phones and have them registered as their mules while keeping control of the devices.

          And yet the change in the UK to the faster payments system to check names was brought in precisely to cut down on fraud. It doesn't matter if you're sending it to the scammer or a mule, neither of those names will match the person or business the user thinks they're sending the money to so it should flag up a warning.

          1. doublelayer Silver badge

            "I don't think I ever suggested these problems were reliant on any peculiarity of India's."

            As far as I can tell, this thread is discussing whether this is a social engineering problem or one that's peculiar to India's UPI system. Raj took the view that it was not related to UPI, and you disagreed. That would mean that you think it is reliant on some particular aspect of UPI, not just social engineering on a different transfer system. I certainly read that suggestion, and I don't see what other one you have in mind.

            Adding verification to the process would help, and that is certainly worth trying, but I don't think that the suggested measure, verifying phone numbers against account names, will really do anything to help social engineering. The account name shown to people transferring funds won't change. You'll just get an indication that the phone number was registered with the same name that the account was. If they're already showing account names, it sounds like they are already giving the victim one opportunity to smell a rat and cancel the transfer when it appears to be an individual's account rather than a business one. Phone number validation won't do more of that.

            1. Dan 55 Silver badge

              As far as I can tell, this thread is discussing whether this is a social engineering problem or one that's peculiar to India's UPI system. Raj took the view that it was not related to UPI, and you disagreed. That would mean that you think it is reliant on some particular aspect of UPI, not just social engineering on a different transfer system. I certainly read that suggestion, and I don't see what other one you have in mind.

              There are some technical problems which have nothing to so with the platform being Indian. Any other platform in the world would also have the same problems if it also had the same deficiencies... so the problems need to be addressed.

  2. Pascal Monett Silver badge

    Well that didn't take long

    And so starts the loooong path of patches and changes in the system to ensure some measure of reliability and security.

    I do feel the idea was good, but I fear the changes that will come will kinda shoot the whole thing in the foot.

  3. Tron Silver badge

    It's popular because it is easy to use.

    Adding multiple levels of security will put everyone off and kill it.

    Tech just makes things easier, including fraud. The solutions are the same as they were decades before the internet was invented. Educate people and police crime effectively.

    1. LybsterRoy Silver badge

      Re: It's popular because it is easy to use.

      -- police crime effectively --

      Interesting concept. Here in Scotland the police have stated they won't bother with some "low level" crimes.

      1. GBE

        Re: It's popular because it is easy to use.

        -- police crime effectively --

        I parsed that initially as Noun Verb Adverb, and it took me quite a while to figure out it was meant to be Verb Noun Adverb.

        There's a legal podcast I listen to regularly where one of the hosts likes to colloquially use "crime" as a verb. Actually it's usually "criming" used as a gerund, but apparently my brain has adjusted and now considers crime to be either noun or verb.

  4. martinusher Silver badge

    Indians falling for Internet scam? Who'd have thought it!

    For many years now the concepts "Indian" and "Internet Scam" have been intrinsically linked -- I've lost count of the number of times I've picked up the phone to have some barely intelligible voice claiming to be from the IRS or similar agency threatening dire consequences unless I give them all my money.

    The fact that someone's now working the same crap on them is sweet irony. Maybe Indian law enforcement might start taking these criminals seriously.

    1. Joe 59

      Re: Indians falling for Internet scam? Who'd have thought it!

      Of course, with 1.4B people who aren't scammers, India is as much victim as the rest of the world. The only thing keeping them from rising up in rank of victims is that most of them are extremely poor and don't have digital assets to plunder.

      I feel like the emphasis needs to be placed on the policing part, and any nation that firewalls off investigations into this should be shunned from international transactions, like China. They take internal victims very seriously, unless the thief is a member of the CP, but don't extend that courtesy to external victims, unless the thief isn't a member of the CP.

  5. Prakashp

    Usually it is Chinese scammers who scam international systems and I do not understand why they can't be pursued in China and punished. China punishes crimes very severely, so how is it that scammers like this seem to succeed in hiding themselves behind a curtain in a country that is so efficient in tracking their population even if they write an opinion on social media. Is the Chinese government promoting international fraud to make money. That is a question that nobody seems to think about. Should China then be sanctioned for promoting illegal / criminal financial transactions

    1. Kevin McMurtrie Silver badge

      China punishes perceived crimes against China or the Xi. Commit crimes against the rest of the world and the government might give you funding.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like