[HN Gopher] UPI: India's Unified Payments Interface
       ___________________________________________________________________
        
       UPI: India's Unified Payments Interface
        
       Author : zero_kool
       Score  : 99 points
       Date   : 2020-08-08 19:20 UTC (3 hours ago)
        
 (HTM) web link (the-other-side.blog)
 (TXT) w3m dump (the-other-side.blog)
        
       | jgalt212 wrote:
       | There are just so many things that make me fearful of either
       | losing my phone or having it irreparably damaged. The account
       | recovery process can be a. too hard or impossible (Hi Gitlab!) or
       | b. too easy (too simple security questions).
        
         | tialaramex wrote:
         | I can't figure out which account you're worried about here.
         | 
         | Your bank presumably knows a bit more about you than... nothing
         | like a free Gitlab user and the account is valuable to both of
         | you. So they can "just" do old fashioned manual account
         | recovery as they would have in 1820 or 1920.
         | 
         | If I lose my phone and all backup authenticators, maybe in a
         | house fire or something, I can live with the fact that maybe I
         | need to go in person to a big stone building and talk to a
         | human face-to-face about account recovery. My home just burned
         | down, I think I can make a little time for essentials like
         | that.
        
         | nine_k wrote:
         | 2FA with some rescue codes printed and kept in your wallet /
         | safe box seems like a reasonably bulletproof setup (hi
         | GitHub!), but not every important site offers this.
        
           | scoot wrote:
           | Printing them and carrying them in a wallet that could be
           | lost or stolen seems like asking for trouble.
        
       | lykr0n wrote:
       | I'd love for the US to adopt a standard that is bank agnostic,
       | like ACH, but allows for near real-time payments from P2P but
       | also person to business payments.
       | 
       | It's a big problem when Visa, Mastercard, and PayPal control a
       | large part of money transactions.
        
         | closeparen wrote:
         | We already have wire transfers, but due to high costs they are
         | really only used for high value transactions.
        
         | jmole wrote:
         | Visa, Mastercard, and PayPal offer more than transactions
         | though; they have "buyer protection", "seller protection", etc.
         | 
         | In theory, all you need is institutional trust and KYC, but as
         | soon as you hit a situation like, "oh shit, someone stole my
         | wallet (/ online identity)", you realize why the fees are
         | there.
        
           | smart_jackal wrote:
           | >> "oh shit, someone stole my wallet (/ online identity)"
           | 
           | Isn't one supposed to be responsible for their own
           | passwords/security? Does Microsoft take responsibility if
           | someone steals your windows password or hacks your computer?
           | No, they will just say it's you who didn't install the
           | security updates. Why should a banking transaction be any
           | different?
        
             | nurettin wrote:
             | Because banking is serious business and windows is not.
        
           | Animats wrote:
           | Right. UPI appears to be a payment system only. Not a sales
           | transaction system. When you buy something with a credit
           | card, there is evidence of a transaction in both directions -
           | you buy some thing from a seller. That allows disputes,
           | dispute resolution, and reversal.
           | 
           | A one-way payment system, such as Venmo, lacks that. (Venmo
           | is trying to retrofit a dispute mechanism, for which they
           | charge 3% extra.) What's Google proposing? Probably something
           | with terms that include "sole discretion" (theirs) and forced
           | arbitration.
        
             | PaulDavisThe1st wrote:
             | The article is a fairly easy read, and would answer your
             | question "What's Google proposing". They don't seem to be
             | proposing "sole discretion" or forced arbitration. The
             | Indian UPI system specifically involves a central agent,
             | effectively a government body, that is involved in setting
             | up and authenticating all transactions that occur using
             | UPI.
        
         | ktta wrote:
         | There is one. It is called RTP - Real time payments
         | 
         | It is currently undergoing adoption among several big banks,
         | although adoption for individual non-corporate accounts is slow
        
           | toomuchtodo wrote:
           | How does it compare to Zelle (Early Warning Systems) from an
           | integration and cost perspective for financial partners?
           | 
           | Personally, I'd rather the Fed run real time payments instead
           | of some private consortium made up of the largest US banks
           | (some governance/oversight vs less so as a private
           | corporation), but the Fed's been dragging their feet for
           | years while Zelle has rolled out quickly. Humorously,
           | Facebook's Libra is what set a fire under the Fed [1] [2].
           | 
           | [1] https://www.bankingdive.com/news/fed-gives-new-details-on-it...
           | 
           | [2] https://www.federalreserve.gov/newsevents/pressreleases/file... (warning: 50 page pdf)
        
         | vishnugupta wrote:
         | FedNow is exactly this system [1]. What's more it's an
         | initiative by none other than the federal reserve which can, to
         | an extent, twist financial institutions' arms to adopt it.
         | 
         | [1] https://www.frbservices.org/financial-services/fednow/announ...
        
       | [deleted]
        
       | atemerev wrote:
       | As if what we need is even more surveillance capitalism...
        
         | PaulDavisThe1st wrote:
         | Every electronic transaction you're involved with is already
         | surveilled, so it's hard to see how that would change.
         | 
         | But how about NOT having to pay banks for instantaneous funds
         | transfers to any 3rd party? And how about actually having
         | instantaneous funds transfer to any 3rd party (something which
         | does not exist in the US banking system)
         | 
         | Same surveillance, lower costs, faster payments.
        
           | atemerev wrote:
           | Bitcoin already works for cheap international transfers.
           | 
           | And no, my bank won't give any details about my account and
           | its transactions (unless I do something really horrible),
           | even to the national tax authorities (I live in Switzerland,
           | where bank secrecy is still a thing, at least for the
           | residents/citizens).
        
       | filleduchaos wrote:
       | It amazes me how seemingly behind US banking is tech-wise. My
       | home country for instance has had the Nigerian Inter-Bank Settlement
       | System for decades; it's quite similar to the UPI but primarily
       | led by the central bank (plus participation is mandatory for all
       | banks/bank-like institutions).
       | 
       | For anyone that's curious, the platform's home page at
       | https://nibss-plc.com.ng/ has a nice little statistics summary of
       | both POS and account-to-account transactions (you might have to
       | scroll past the fold). There's five-minute and whole day numbers
       | for total transactions and error rate broken down into types of
       | errors - it's a nice bit of transparency.
        
         | blisseyGo wrote:
         | I think US (and other western countries like Canada, European
         | countries etc) are VERY different from the Indian market. In
         | US, Canada etc, everyone has an email and banks allow
         | interactive payments already. I have yet to have a single time
         | where I had problems paying someone for something. Interac
         | etransfer works well. Even iMessage, FB messenger etc allow
         | payments. Other services like PayPal, Stripe, Patreon cover the
         | rest of the base.
         | 
         | India is a completely different market. There are millions of
         | people there who don't even have a bank account, nor do they
         | have email. The road-side vendors use cash.
        
       | Kednicma wrote:
       | Great idea; let's have USPS administer it, like they used to do
       | for money orders and wire transactions. No sense in replacing
       | Mastercard with Google.
        
         | smart_jackal wrote:
         | Except that UPI is a payment standard, Google neither has a
         | monopoly over it nor is the only payment company that supports
         | UPI in India, there are many others like Paytm, Phonepe,
         | Mobikwik, etc.
        
         | PaulDavisThe1st wrote:
         | From the article:
         | 
         | "National Payments Corporation of India (NPCI) is a non-profit
         | set up by the Government of India to facilitate digital
         | payments. They facilitate many payment schemes (like IMPS,
         | BBPS, FASTag, etc.)"
        
         | dodobirdlord wrote:
         | I think this is an excellent suggestion, assuming the post
         | office survives an ongoing calculated attempt to cripple and
         | privatize it. Routing digital payment requests to bank
         | addresses is a natural extension of the responsibility of
         | routing all physical mail to any physical address.
        
           | patmorgan23 wrote:
           | I think the Fed is a better place to administer this. It
           | already does checks and ACH payments.
        
           | [deleted]
        
         | kadoban wrote:
         | The USPS doesn't seem like it's going to exist in a few more
         | months.
        
       | zimbatm wrote:
       | The article looked great until the introduction of the NPCI
       | system. It's essentially a single point of failure, and the best
       | place to observe all the transactions of the whole country. It's
       | controlled by the Government so it will be really tempting to
       | peek into it.
       | 
       | > Imagine the pain that everyone has to go through in reaching a
       | consensus when configurations or infrastructures change. It would
       | be chaos.
       | 
       | Welcome to the Internet.
        
         | themacguffinman wrote:
         | So is the Federal Reserve, so is the SEC, so is the IRS, so are
         | all the financial reporting laws that require transactions to
         | be reported to the US government for audit and regulation. I
         | fail to see how NPCI is any different. The solutions won't be
         | any different either: the government has laws restricting
         | unregulated access to data and developers will implement access
         | controls to enforce these laws.
         | 
         | The financial system in practically every country is already
         | fully controlled by a central authority, and for good reason:
         | finance is critical to national security and financial
         | decisions are inherently political, therefore finance is
         | controlled by political authorities.
        
       | galaxyLogic wrote:
       | It takes like 3 days to pay my Chase credit-card from my Citibank
       | account. Lots of waste happening in the financial system.
        
         | yokaze wrote:
         | AFAIK, that's not waste, it's intentional. That's three days of
         | that money out of your books, and on the banks side.
        
           | ckdarby wrote:
           | While this is true a lot of banks would like to do it
           | instantly as it would be an advantage over others and drive
           | more people to sign up for the feature.
           | 
           | The real problem is most banks' backend systems are still old
           | mainframes where this isn't possible.
           | 
           | Source: I'm a prior developer at a multi-billion dollar payment
           | processor working with many acquirers.
        
             | orf wrote:
             | > The real problem is most banks' backend systems are still
             | old mainframes where this isn't possible.
             | 
             | The rest of the world manages it. Do they not use
             | mainframes?
        
               | tialaramex wrote:
               | In the UK at least the answer was government fiat.
               | 
               | Faster Payments is the unimaginative name for the rule
               | that allows most UK bank account holders to move money
               | the same day (typically in reality instantly) at zero
               | cost to them. The date for Faster Payments becoming
               | possible was set, and banks are just obliged to provide
               | it. Some were earlier, most were not.
               | 
               | The banks did not actually implement the underlying
               | backend transfers in time, but customers don't care. Rick
               | Smith, father to an 18 year old daughter who seemingly
               | always needs another few hundred quid for something wants
               | to send Beth £750 right now, and Beth wants to be able
               | to spend that money when she receives it from her father.
               | Neither of them cares that Rick's and Beth's banks are
               | running different versions of some 1970s COBOL
               | application or are struggling to ensure a backend funds
               | transfer matching the Rick-> Beth transaction happens in
               | a timely fashion.
               | 
               | So the banks just faked the UX. This technically means if
               | Rick's bank fails after Rick sent the money, but before
               | the backend catches up in a day or two, Beth's bank (but
               | not Beth or Rick) could lose the value of the transaction
               | because the underlying money actually didn't go anywhere
               | yet, just the two account balances were updated. But
               | regulators reasoned that banks being more likely to freak
               | out and report if they suspect their competitors are
               | struggling and likely to fail imminently is a _good_
               | thing so let them take that risk.
               | 
               | Maybe they have subsequently fixed their backends, maybe
               | they didn't, as an end user I needn't care so I paid no
               | further attention.
        
       | [deleted]
        
       | Finster wrote:
       | The big concern I have here is that the address resolution seems
       | similar to DNS... Which is very bad, IMHO. Are they taking
       | necessary steps to mitigate DDoS and man-in-the-middle attacks?
       | If they're not, they're setting themselves up for major disaster.
        
         | arafsheikh wrote:
         | I don't know about UPI, but those concerns can be mitigated by
         | not operating on public networks. The SWIFT payment network for
         | example is private[1] and is only accessible via dedicated
         | routers.
         | 
           | [1] https://www.exalog.com/en/swiftnet-network-banking-communica...
        
           | closeparen wrote:
           | Relying on perimeter security like this means you are as
           | vulnerable as your weakest nodes. SWIFT can be and has been
           | hacked via its less sophisticated participant banks.
        
         | godelmachine wrote:
         | >> _Just like how domains get resolved to IP addresses, every
         | VPA needs to be linked to a bank account. The UPI handles get
         | resolved to bank accounts and IFSC during the payment (we will
         | see how)._
         | 
         | I am sure I am missing something. Just curious to know where do
         | you see an attack vector for DDoS or MOTM attack?
        
       | quarantine wrote:
       | This looks like a Bancontact/SEPA combination.
        
       ___________________________________________________________________
       (page generated 2020-08-08 23:00 UTC)