[HN Gopher] UPI: India's Unified Payments Interface
___________________________________________________________________
UPI: India's Unified Payments Interface
Author : zero_kool
Score : 99 points
Date : 2020-08-08 19:20 UTC (3 hours ago)
(HTM) web link (the-other-side.blog)
(TXT) w3m dump (the-other-side.blog)
| jgalt212 wrote:
| There are just so many things that make me fearful of either losing my phone or having it irreparably damaged. The account recovery process can be a. too hard or impossible (Hi Gitlab!) or b. too easy (too simple security questions).
| tialaramex wrote:
| I can't figure out which account you're worried about here.
|
| Your bank presumably knows a bit more about you than... nothing like a free Gitlab user and the account is valuable to both of you. So they can "just" do old fashioned manual account recovery as they would have in 1820 or 1920.
|
| If I lose my phone and all backup authenticators, maybe in a house fire or something, I can live with the fact that maybe I need to go in person to a big stone building and talk to a human face-to-face about account recovery. My home just burned down, I think I can make a little time for essentials like that.
| nine_k wrote:
| 2FA with some rescue codes printed and kept in your wallet / safe box seems like a reasonably bulletproof setup (hi GitHub!), but not every important site offers this.
| scoot wrote:
| Printing them and carrying them in a wallet that could be lost or stolen seems like asking for trouble.
| lykr0n wrote:
| I'd love for the US to adopt a standard that is bank agnostic, like ACH, but allows for near real-time payments from P2P but also person to business payments.
|
| It's a big problem when Visa, Mastercard, and PayPal control a large part of money transactions.
| closeparen wrote:
| We already have wire transfers, but due to high costs they are really only used for high value transactions.
| jmole wrote:
| Visa, Mastercard, and PayPal offer more than transactions though; they have "buyer protection", "seller protection", etc.
|
| In theory, all you need is institutional trust and KYC, but as soon as you hit a situation like, "oh shit, someone stole my wallet (/ online identity)", you realize why the fees are there.
| smart_jackal wrote:
| >> "oh shit, someone stole my wallet (/ online identity)"
|
| Isn't one supposed to be responsible for their own passwords/security? Does Microsoft take responsibility if someone steals your Windows password or hacks your computer? No, they will just say it's you who didn't install the security updates. Why should a banking transaction be any different?
| nurettin wrote:
| Because banking is serious business and Windows is not.
| Animats wrote:
| Right. UPI appears to be a payment system only. Not a sales transaction system. When you buy something with a credit card, there is evidence of a transaction in both directions - you buy some thing from a seller. That allows disputes, dispute resolution, and reversal.
|
| A one-way payment system, such as Venmo, lacks that. (Venmo is trying to retrofit a dispute mechanism, for which they charge 3% extra.) What's Google proposing? Probably something with terms that include "sole discretion" (theirs) and forced arbitration.
| PaulDavisThe1st wrote:
| The article is a fairly easy read, and would answer your question "What's Google proposing". They don't seem to be proposing "sole discretion" or forced arbitration. The Indian UPI system specifically involves a central agent, effectively a government body, that is involved in setting up and authenticating all transactions that occur using UPI.
| ktta wrote:
| There is one. It is called RTP - Real time payments
|
| It is currently undergoing adoption among several big banks, although adoption for individual non-corporate accounts is slow
| toomuchtodo wrote:
| How does it compare to Zelle (Early Warning Systems) from an integration and cost perspective for financial partners?
|
| Personally, I'd rather the Fed run real time payments instead of some private consortium made up of the largest US banks (some governance/oversight vs less so as a private corporation), but the Fed's been dragging their feet for years while Zelle has rolled out quickly. Humorously, Facebook's Libra is what set a fire under the Fed [1] [2].
|
| [1] https://www.bankingdive.com/news/fed-gives-new-details-on-it...
|
| [2] https://www.federalreserve.gov/newsevents/pressreleases/file... (warning: 50 page pdf)
| vishnugupta wrote:
| FedNow is exactly this system [1]. What's more it's an initiative by none other than the federal reserve which can, to an extent, twist financial institutions' arms to adopt it.
|
| [1] https://www.frbservices.org/financial-services/fednow/announ...
| [deleted]
| atemerev wrote:
| As if what we need is even more surveillance capitalism...
| PaulDavisThe1st wrote:
| Every electronic transaction you're involved with is already surveilled, so it's hard to see how that would change.
|
| But how about NOT having to pay banks for instantaneous funds transfers to any 3rd party? And how about actually having instantaneous funds transfer to any 3rd party (something which does not exist in the US banking system)
|
| Same surveillance, lower costs, faster payments.
| atemerev wrote:
| Bitcoin already works for cheap international transfers.
|
| And no, my bank won't give any details about my account and its transactions (unless I do something really horrible), even to the national tax authorities (I live in Switzerland, where bank secrecy is still a thing, at least for the residents/citizens).
| filleduchaos wrote:
| It amazes me how seemingly behind US banking is tech-wise. My home country for instance has had the Nigerian Inter-Bank Settlement System for decades; it's quite similar to the UPI but primarily led by the central bank (plus participation is mandatory for all banks/bank-like institutions).
|
| For anyone that's curious, the platform's home page at https://nibss-plc.com.ng/ has a nice little statistics summary of both POS and account-to-account transactions (you might have to scroll past the fold). There's five-minute and whole day numbers for total transactions and error rate broken down into types of errors - it's a nice bit of transparency.
| blisseyGo wrote:
| I think US (and other western countries like Canada, European countries etc) are VERY different from the Indian market. In US, Canada etc, everyone has an email and banks allow interactive payments already. I have yet to have a single time where I had problems paying someone for something. Interac etransfer works well. Even iMessage, FB messenger etc allow payments. Other services like PayPal, Stripe, Patreon cover the rest of the base.
|
| India is a completely different market. There are millions of people there who don't even have a bank account, nor do they have email. The road-side vendors use cash.
| Kednicma wrote:
| Great idea; let's have USPS administer it, like they used to do for money orders and wire transactions. No sense in replacing Mastercard with Google.
| smart_jackal wrote:
| Except that UPI is a payment standard, Google neither has a monopoly over it nor is it the only payment company that supports UPI in India, there are many others like Paytm, PhonePe, MobiKwik, etc.
| PaulDavisThe1st wrote:
| From the article:
|
| "National Payments Corporation of India (NPCI) is a non-profit set up by the Government of India to facilitate digital payments. They facilitate many payment schemes (like IMPS, BBPS, FASTag, etc.)"
| dodobirdlord wrote:
| I think this is an excellent suggestion, assuming the post office survives an ongoing calculated attempt to cripple and privatize it. Routing digital payment requests to bank addresses is a natural extension of the responsibility of routing all physical mail to any physical address.
| patmorgan23 wrote:
| I think the Fed is a better place to administer this. It already does checks and ACH payments.
| [deleted]
| kadoban wrote:
| The USPS doesn't seem like it's going to exist in a few more months.
| zimbatm wrote:
| The article looked great until the introduction of the NPCI system. It's essentially a single point of failure, and the best place to observe all the transactions of the whole country. It's controlled by the Government so it will be really tempting to peek into it.
|
| > Imagine the pain that everyone has to go through in reaching a consensus when configurations or infrastructures change. It would be chaos.
|
| Welcome to the Internet.
| themacguffinman wrote:
| So is the Federal Reserve, so is the SEC, so is the IRS, so are all the financial reporting laws that require transactions to be reported to the US government for audit and regulation. I fail to see how NPCI is any different. The solutions won't be any different either: the government has laws restricting unregulated access to data and developers will implement access controls to enforce these laws.
|
| The financial system in practically every country is already fully controlled by a central authority, and for good reason: finance is critical to national security and financial decisions are inherently political, therefore finance is controlled by political authorities.
| galaxyLogic wrote:
| It takes like 3 days to pay my Chase credit-card from my Citibank account. Lots of waste happening in the financial system.
| yokaze wrote:
| AFAIK, that's not waste, it's intentional. That's three days of that money out of your books, and on the bank's side.
| ckdarby wrote:
| While this is true a lot of banks would like to do it instantly as it would be an advantage over others and drive more people to sign up for the feature.
|
| The real problem is most banks' backend systems are still old mainframes where this isn't possible.
|
| Source: I'm a prior developer at a multi-billion dollar payment processor working with many acquirers.
| orf wrote:
| > The real problem is most banks backend systems are still old mainframes where this isn't possible.
|
| The rest of the world manages it. Do they not use mainframes?
| tialaramex wrote:
| In the UK at least the answer was government fiat.
|
| Faster Payments is the unimaginative name for the rule that allows most UK bank account holders to move money the same day (typically in reality instantly) at zero cost to them. The date for Faster Payments becoming possible was set, and banks are just obliged to provide it. Some were earlier, most were not.
|
| The banks did not actually implement the underlying backend transfers in time, but customers don't care. Rick Smith, father to an 18 year old daughter who seemingly always needs another few hundred quid for something wants to send Beth £750 right now, and Beth wants to be able to spend that money when she receives it from her father. Neither of them cares that Rick's and Beth's banks are running different versions of some 1970s COBOL application or are struggling to ensure a backend funds transfer matching the Rick -> Beth transaction happens in a timely fashion.
|
| So the banks just faked the UX. This technically means if Rick's bank fails after Rick sent the money, but before the backend catches up in a day or two, Beth's bank (but not Beth or Rick) could lose the value of the transaction because the underlying money actually didn't go anywhere yet, just the two account balances were updated. But regulators reasoned that banks being more likely to freak out and report if they suspect their competitors are struggling and likely to fail imminently is a _good_ thing so let them take that risk.
|
| Maybe they have subsequently fixed their backends, maybe they didn't, as an end user I needn't care so I paid no further attention.
| [deleted]
| Finster wrote:
| The big concern I have here is that the address resolution seems similar to DNS... Which is very bad, IMHO. Are they taking necessary steps to mitigate DDoS and man-in-the-middle attacks? If they're not, they're setting themselves up for major disaster.
| arafsheikh wrote:
| I don't know about UPI, but those concerns can be mitigated by not operating on public networks. The SWIFT payment network for example is private[1] and is only accessible via dedicated routers.
|
| [1] https://www.exalog.com/en/swiftnet-network-banking-communica...
| closeparen wrote:
| Relying on perimeter security like this means you are as vulnerable as your weakest nodes. SWIFT can be and has been hacked via its less sophisticated participant banks.
| godelmachine wrote:
| >> _Just like how domains get resolved to IP addresses, every VPA needs to be linked to a bank account. The UPI handles get resolved to bank accounts and IFSC during the payment (we will see how)._
|
| I am sure I am missing something. Just curious to know where do you see an attack vector for DDoS or MITM attack?
| quarantine wrote:
| This looks like a Bancontact/SEPA combination.
___________________________________________________________________
(page generated 2020-08-08 23:00 UTC)