Taking advantage of a bug in the government’s United Payments Interface (UPI) app, 22 residents of Bhayander in Mumbai transferred Rs 1.42 crore from the Bank of Maharashtra into several of their bank accounts, reported Indian Express.

On Friday, the Bank of Maharashtra lodged a complaint accusing them of hacking its central server in Mumbai. 

Bhayander residents Jaswant Damania, Prateek Poojary, Bharat Gawade, along with Aurangabad resident Deepak and 18 others have been booked for cheating, forgery, criminal conspiracy and identity theft.

b’Source: PTI’

What is the case?

The police report says that the accused made around 142 transfers of Rs 1 lakh each between December 26, 2016 and January 18, 2017. After the bank realised that it had lost over Rs 1 crore in January, it froze the accounts of the accused and sent them notices to appear at the bank. When they chose to ignore the notices, the bank went ahead and filed the police complaint. 

How did they do it?

According to the report, all the accused had accounts in the Bank of Maharashtra and downloaded the UPI app and linked their bank accounts to it. 

UPI, launched by the National Payments Corporation of India, allows people to transfer money using their phones and allows transactions of up to Rs 1 lakh. Though the accused did not even have sufficient balance in their accounts, the bug ensured multiple transactions of Rs 1 lakh. 

But this isn’t the first time

On March 10 Bank of Maharashtra (BoM) in Pune filed an FIR with the police against 50 people for illegally pulling money using the UPI app and causing a loss of Rs 6.14 crore to the bank, as per a Times Of India report.

 In this case, the fraudsters allegedly sent Rs 1 lakh to themselves over a period of 48 days.

b’Source: PTI’

What is the National Payments Corporation of India (NPCI)  saying?

Regarding similar reports about technical malfunction in certain banks’ Unified Payments Interface (UPI) application, NPCI and iSpirt have clarified that there is no vulnerability or loophole in Bharat Interface for Money (BHIM) application or UPI system.

Both the NPCI and iSpirt said that the fraudulent transactions were due to glitches in Bank of Maharashtra’s UPI application. Sharad Sharma, co-founder of iSpirt told Medianama

“This was an issue with the bank and its core banking system. Due to this bug, payments would have been possible from an account not having balance through multiple payment systems apart from UPI. In effect, this isn’t a UPI issue. Bank of Maharashtra is rectifying the situation.”