SUMMARY
Truecaller had registered users for UPI without consent
Android version 10.41.6 of Truecaller app automatically sends SMS from the SIM
Truecaller has now rolled back the update and is bringing a new update
In a surprising start to the day, a Truecaller user received an SMS from ICICI Bank saying that his application for UPI has been started. That’s without wanting to register for any such linking, and with no ICICI Bank account, all thanks to a Truecaller app update.
Taking it to Twitter, Dheeraj Kumar said that Truecaller had registered him for UPI without his consent. And he was not alone. Several other Truecaller users expressed a similar concern as they were registered for UPI on Truecaller without consent.
A tweet further said that the latest Android version 10.41.6 of Truecaller app automatically sends an SMS from the SIM used to register for a UPI bank account to Truecaller Pay without consent, the moment the latest version of the app was installed.
Kumar filed a complaint with the National Payments Corporation of India (NPCI). The NPCI team got in touch with Kumar and said that their tech team is investigating how this happened.
Later, Truecaller Pay head Sony Joy tweeted to Kumar saying, “It was an unfortunate incident of a technical bug going past our testing process. The build was rolled out within a couple of hours from when the concerns first started surfacing. Affected users are being deregistered from the service as we speak and will be completed by EOD.”
In a media statement, Truecaller said, “We have discovered a bug in the latest update of Truecaller that affected the payments feature, which automatically triggered a registration post updating to the version. This was a bug and we have discontinued this version of the app so no other users will be affected. We’re sorry about this version not passing our quality standards. We’ve taken quick steps to fix the issue, and already rolled out a fix in a new version. For the users already affected, the new version with the fix will be available shortly, however, in the meanwhile they can choose to manually deregister through the overflow menu in the app.”
In 2017, Truecaller Pay was launched in India in partnership with ICICI Bank. Truecaller Pay allows users to instantly create a UPI ID and transfer money to other UPI users or mobile number registered with the BHIM app. This March, the company was also reported to be planning a full spectrum of financial services with a focus on digital lending service.
In a statement, Dilip Asbe, MD and CEO of NPCI, said, “There was an issue in the App observed today. We have been updated that last night’s migration had resulted in a bug in the workflow. We understand that it has being fixed and till then user on-boarding has been stopped in this app. NPCI ensures to take action if found non compliant.”
Asbe further explained, “This is enrolling mistake by the app without customer consent. With this customer can’t do any UPI transaction. For onboarding to UPI, the customer has to still enter 2FA( issuer OTP and debit card), and set UPI pin. The workflow mistake is limited to enrolling which will not have any impact on any customer account whatsoever.”
In May, reports surfaced that the user database of Truecaller is being sold on internet forums on the dark web. The alleged leaked database included names, phone numbers and email addresses of some Truecaller users, which the poster claimed to have acquired through a data breach.
In May, India was reported as the second most cyber attacks affected country between 2016 to 2018. The average cost for a data breach in India has risen 7.9% since 2017, with the average cost per breached record mounting to INR 4,552 ($64). The Reserve Bank of India too recorded a total of 2,059 cases of cyber fraud in 2017-18 as compared to 1,372 cyber fraud cases in 2016-17.
