It started on Monday, the 29th of July, when thousands of users of Truecaller, the most popular caller-identification app, received an SMS saying that their UPI registration had been initiated and that their bank accounts had been linked to ICICI Bank’s UPI interface. This happened automatically, without the app asking for users’ consent and without them signing up for UPI inside Truecaller. As more people read the text, they started to raise their voices on Twitter, bringing it to the notice of Truecaller and NPCI (National Payments Corporation of India).
This is the kind of scary nightmare UPI was designed to avoid, as the very foundation of UPI is security. While the app itself is entirely to blame, the fact that Truecaller is not a new app and has millions of users only makes things worse. Anyone who has done some programming should know that bugs like this neither occur this easily nor are easy to swallow. It also raises questions for every other app on the UPI platform, as this is a clear-cut case of a security and user-privacy breach.
Thousands of people immediately reached out to their banks and had their cards blocked after receiving the notification, which is an understandable reaction.
Truecaller acknowledged the issue on Tuesday, 30th of July, blaming the latest app update for it. According to the Swedish company’s official media statement,
“We have discovered a bug in the latest update of Truecaller that affected the payments feature, which automatically triggered a registration post updating to the version. This was a bug and we have discontinued this version of the app so no other users will be affected. We’re sorry about this version not passing our quality standards. We’ve taken quick steps to fix the issue and already rolled out a fix in a new version. For the users already affected, the new version with the fix will be available shortly, however, in the meanwhile, they can choose to manually deregister through the overflow menu in the app.”– Truecaller
On the 31st of July, NPCI announced that Truecaller had temporarily stopped onboarding new users until the bug was fixed. Speaking about the mishap, Dilip Asbe, CEO of NPCI, said that accounts that were accidentally enrolled by Truecaller would not be affected.
“This is an enrolling mistake by the app without customer consent. With this, the customer can’t do any UPI transaction. For onboarding to UPI the customer has to still enter 2 Factor Authentication (issuer OTP and debit card), and set UPI pin. The workflow mistake is limited to enrolling, which will not have any impact on any customer account whatsoever.”– Dilip Asbe, CEO of NPCI
As of 7th August, the newest version of Truecaller on Android has new UPI registrations re-enabled, so we suppose the bug has been fixed. However, events like this only show that apps, especially those that deal with real money, need very strict quality and data-privacy checks; otherwise, as we have seen, things can quickly go from convenient to scary.