After father lost ₹20,000 online, student develops new UPI fraud proof model

A computer science student from Haryana’s Mahendragarh district has developed what he claims is an alternative UPI system designed to reduce online payment fraud and prevent accidental money transfers.

Don’t Miss: A facebook friend request from ‘London’ cost this Gwalior man ₹1.27 lakh

Ankit Thakur, a BTech student, said he decided to work on the project after his father allegedly lost ₹20,000 in an online scam in 2020. He has offered the proposed system to the Government of India free of cost for wider public use.

Prevent fraud

Speaking to The Tribune, Ankit said the proposed system was designed to make digital payments safer for users.

“I have designed an alternative UPI system that leaves no scope for cyber fraud. It will also prevent loss of money due to online transactions made by mistake. I could patent the system in my name, but I want the Government of India to adopt it so that crores of UPI users across the country can benefit,” said Ankit, a resident of Talwana Kheri village in Mahendragarh district.

Apart from the alternative payment model, he has also developed a mobile UPI application.

What sparked research

Ankit said his interest in cybersecurity grew after his father, Sunil, who works as a driver, allegedly lost ₹20,000  in an online fraud in 2020.

Following the incident, he began researching flaws in UPI applications and later identified three vulnerabilities that, according to him, could aid cyber fraudsters.

He reported the issues to Google’s security bot, which acknowledged one of the bugs and took corrective measures.

Three vulnerabilities identified

According to Ankit, the first issue was a “Chrome Intent Vulnerability”, which he described as a flaw allowing malicious webpages to directly open sensitive applications such as UPI apps without user permission.

“Chrome Intent Vulnerability refers to a flaw in the Chrome browser that allows a malicious webpage to directly open sensitive apps like UPI without user permission or even a single click. This feature acts as an open door for scammers, giving them direct access to the user’s payment interface,” he explained.

The second issue, “Authentication Bypass”, allegedly allowed attackers to bypass the first layer of authentication, including app locks or biometric security.

“Though Google Pay and Paytm fixed this serious vulnerability after my report, many such loopholes may still exist,” Ankit noted.

‘Audio Hijacking’ vulnerability

Ankit said the third flaw, which he termed “Audio Hijacking”, was particularly dangerous because it could mislead users during transactions.

“In this scenario, UPI apps fail to ‘lock audio focus’ during a payment. A fake app hidden in the background can play its own audio, for example, ‘Enter your PIN to receive money’. The user believes the voice is coming from the payment app itself and falls prey to fraudsters,” he explained.

He added that government support could help him contribute to reducing cyber fraud linked to online banking and digital payments across the country.