Case for a disposable and a receive only UPI ID


Thanks to demonetization and covid, use of digital payment has soared in India. In Apr 2023, INR 14 lakh Crore worth of UPI transactions were done (link). In terms of number of transactions, 74 billion transactions worth INR 124.94 trillion were done in 2022 (link).

Technology literacy is low in India, and this gives rise to people who attempt to defraud gullible users using whatever method they can conjure up. One such method is to trick people into making a UPI payment, and those people lose money. No single solution will fully prevent fraud; multiple solutions have to work together, and new ways to reduce fraud have to be invented continuously.

This blog post focuses on one potential solution: disposable, aka one-time-use, UPI IDs (or, for that matter, one-time-use QR codes).

What’s the problem

Today, in order to make a payment via UPI, you have two options:

  • Ask the recipient to tell you their phone number. Your UPI app will look up the UPI IDs associated with the phone number (how they do it is out of scope). You then make the payment. Two things have happened: (a) you know the phone number of the recipient and (b) you know the UPI ID of the recipient. If you know the phone number and the owner of the number is a high-value target, the owner is now susceptible to fraud.
  • Ask the recipient to share a QR code, which you then scan to make the payment. To make it easy for people to know their UPI ID, UPI apps create phonenumber@xxxx to represent the UPI ID, and this gets embedded in the QR code as well. With this method too, (a) you know the phone number of the recipient even though the recipient did not share his/her phone number and (b) you know the UPI ID of the recipient.
  • Not only can the sender find out the phone number of the recipient, the recipient can also find out the UPI ID of the sender from the transaction history. One can hide the UPI ID from the transaction page, but that can result in a support nightmare. Also, even if you hide the UPI ID like we do for credit cards, the UPI ID has already been leaked during the transaction, because a transaction can’t be done without the UPI IDs of sender and receiver (e.g. the QR code contains the UPI ID, and if I save the QR code, I have the UPI ID). Hence, post-transaction trickery is of limited use.
  • If you are doing online transactions, you are giving out your phone number to the payment gateway or merchants when you scan a QR code or enter your UPI ID (which would typically be your phone number).
  • You can see that everyone in blog posts attempts to hide their UPI ID because it can be misused (example here). This is just added evidence that UPI IDs should not be available to just anyone, as they can be misused.

A small note on QR codes: a QR code has payment details like the UPI ID embedded in it. This is convenient because it avoids the typing mistakes that happen with manual entry. The important thing to understand is that a QR code doesn’t hide anything from the person who sees it; it merely removes potential manual errors in typing / listening.
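The point that a QR code hides nothing can be checked directly. The following is an added example, not code from the original post: it decodes the `upi://pay` link a UPI QR code carries and reports whether the payee address (`pa`) is a phone number. The sample payloads are constructed, `xxxx` is the post's placeholder handle, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample payloads (not real accounts); "xxxx" is the post's placeholder handle.
SAMPLE_PHONE_QR = "upi://pay?pa=9876543210@xxxx&pn=Fruit%20Stall&am=120.00&cu=INR"
SAMPLE_OPAQUE_QR = "upi://pay?pa=k7f3q9zt2m@xxxx&pn=Fruit%20Stall&am=120.00&cu=INR"

# Indian mobile number: 10 digits starting 6-9, optionally prefixed with 91 or 0.
_MOBILE = re.compile(r"^(?:91|0)?([6-9]\d{9})$")


def inspect_upi_qr(payload: str) -> dict:
    """Return what anyone who scans or photographs the QR code learns (hypothetical helper)."""
    parts = urlsplit(payload)
    if parts.scheme.lower() != "upi":
        raise ValueError("not a UPI payment link")
    params = parse_qs(parts.query)          # also percent-decodes the values
    vpa = params.get("pa", [""])[0]         # pa = payee address (the UPI ID)
    local, sep, handle = vpa.partition("@")
    if not sep or not local or not handle:
        raise ValueError("missing or malformed payee address (pa)")
    match = _MOBILE.match(local)
    return {
        "vpa": vpa,
        "payee_name": params.get("pn", [""])[0],
        "handle": handle,
        # Set only when the local part of the UPI ID is itself a phone number.
        "leaked_phone": match.group(1) if match else None,
    }


if __name__ == "__main__":
    for qr in (SAMPLE_PHONE_QR, SAMPLE_OPAQUE_QR):
        print(inspect_upi_qr(qr))
```
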

Today every UPI app (Google Pay, PhonePe or Paytm being the most popular) supports looking up a UPI ID using a phone number. This not only reveals unwanted information but also encourages people to reveal personal information unnecessarily, especially when you are doing a one-time transaction with an untrusted party. Think of paying a restaurant for dinner using UPI, paying for an Uber auto/bike/car ride or buying fruits from a street vendor who supports UPI.

Potential Solution

It may be time to move away from phone number based UPI IDs. Imagine a world where payments are done in a way that the UPI IDs used for a transaction are for one time use only and can’t be used for payment again. These UPI IDs can’t be exploited again as they can’t be used more than once.

Another solution is to move to a non-phone-number-based UPI ID, but that ID can still be used for repeat transactions and so remains susceptible to potential fraud in the future. This is however definitely better than having your phone number as your UPI ID, as a phone number has other potential problems (people can find more information about you using your phone number).

In practice, a one-time-use UPI ID would look something like the following:

  • You have to make a payment. The recipient will share a QR code. The QR code would contain a one-time-use UPI ID, and when the sender makes the payment, it will be done via a one-time UPI ID that represents the sender. No party has any information that can be exploited in the future. This is highly useful in situations where the transaction is between two untrusted parties.
  • Payment companies should promote payment via QR code online and offline so that the need to enter a UPI ID goes away. If you don’t have to enter a UPI ID, having a cryptic one-time UPI ID is not an issue because you don’t have to know it or type it. Do the transaction and move on in life.
  • There are situations where a seller doesn’t want to repeatedly generate new QR codes because the seller is busy conducting business (e.g. a shopkeeper whose customers take a product and scan the printed QR code; it’s convenient). For such scenarios, shopkeepers should be allowed to generate a UPI ID that is receive only. This UPI ID can be used only for receiving money, not for sending money. This achieves convenience and also prevents anyone from tricking the shopkeeper into paying using UPI, because the UPI ID can’t send money.

Business considerations for disposable UPI IDs

  • You don’t have to hide UPI IDs in screenshots or in transaction history. They can’t be misused anymore.
  • Support is still possible, as a UPI ID is linked to a person, but this information is only with payment companies, and it should be closely guarded so that unauthorised people don’t have access to it.
  • Assuming 100 billion UPI transactions for next 5 years, we need the ability to generate that many unique UPI IDs, as re-use of an ID would be a bad idea. One can debate after how many years re-use should be allowed, or whether re-use should be allowed at all.
  • This would also require NPCI to increase the max length of a UPI ID so that disposable UPI IDs can be supported.
  • An app can always keep 4-5 pre-generated UPI IDs associated with each user so that UPI IDs don’t have to be generated in real time and therefore disposable UPI IDs won’t have a detrimental effect on payment speed.
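To make the proposal concrete, here is a toy issuer-side model of one-time and receive-only IDs with a pre-generated pool per user. It is an added example, not NPCI's or any payment app's code: the class, method and account names are hypothetical, `xxxx` is the post's placeholder handle, and the 20-character random ID length is an assumption.

```python
import secrets

HANDLE = "xxxx"   # placeholder handle, as used in the post
POOL_SIZE = 5     # the post suggests keeping 4-5 pre-generated IDs per user


class VpaRegistry:
    """Toy model: the ID-to-account mapping exists only inside the issuer."""

    def __init__(self):
        self._ids = {}     # vpa -> {"account", "kind", "used"}
        self._pools = {}   # account -> unused one-time VPAs, minted ahead of time

    def _mint(self, account, kind):
        while True:
            vpa = f"{secrets.token_hex(10)}@{HANDLE}"   # random, carries no phone number
            if vpa not in self._ids:                    # never reissue an ID, used or not
                break
        self._ids[vpa] = {"account": account, "kind": kind, "used": False}
        return vpa

    def one_time_id(self, account):
        # Top up the pool so no ID has to be generated during a payment.
        pool = self._pools.setdefault(account, [])
        while len(pool) < POOL_SIZE:
            pool.append(self._mint(account, "one_time"))
        return pool.pop(0)

    def receive_only_id(self, account):
        return self._mint(account, "receive_only")      # reusable, e.g. a printed shop QR

    def pay(self, payer_vpa, payee_vpa):
        payer, payee = self._ids.get(payer_vpa), self._ids.get(payee_vpa)
        if payer is None or payee is None:
            return "REJECT: unknown ID"
        if payer["kind"] == "receive_only":
            return "REJECT: receive-only ID cannot send"
        one_time = [r for r in (payer, payee) if r["kind"] == "one_time"]
        if any(r["used"] for r in one_time):
            return "REJECT: one-time ID already used"
        for r in one_time:
            r["used"] = True                             # burn the ID on first use
        return "OK"
```

A saved QR code or screenshot of a one-time ID is worthless after the first payment, and a receive-only ID is refused whenever it appears on the paying side.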

Until disposable UPI IDs become a reality, the bare minimum you should do is to not use your phone number as your UPI ID.