A bug in caller-ID app Truecaller put its users’ financial data at risk on Tuesday, 30 July. The app, which helps people avoid spam callers, started registering users for a Unified Payments Interface (UPI) account with ICICI Bank without their permission.
Truecaller’s payment service works in India through its payments partner ICICI Bank, which facilitates UPI service for the platform.
The bug in Truecaller became active when one downloaded the app’s 10.41.6 update.
This is a clear breach of privacy, as people who don’t have accounts with ICICI Bank are getting enrolled, that too without their permission.
UPI has become a strong force in the country’s push for digital payments, with technology giants like Google, Amazon and Paytm leading the charge.
Having said that, the platform has its own set of issues, with more players joining the ranks, and this episode courtesy Truecaller is concerning as people could lose their hard-earned money if there’s a mishap.
Affected Users Asked to Manually De-register; New Update to Fix the Bug
Truecaller released a statement confirming the presence of the bug. The company will be releasing a new version with a fix now. It told The Quint,
“We have discovered a bug in the latest update of Truecaller that affected the payments feature, which automatically triggered a registration post updating to the version.”
Truecaller claims that the affected version of the app has been discontinued and users will no longer be registered automatically.
The company is asking the affected users to manually de-register through the overflow menu on its app.
The bug came to light after a user on Twitter shared his concern, as a UPI account was created with ICICI Bank without the person asking for it.
According to UPI guidelines, payment entities cannot create a user account without the user’s consent, and Truecaller, being a payments provider, will have to be careful about such mishaps in the future.
Truecaller Fixing the Bug, We Will Ensure Action if It’s Found Non-compliant: NPCI
After the incident came to light, the National Payments Corporation of India (NPCI), the makers of the UPI ecosystem, said they have been updated about the situation. NPCI’s Managing Director and CEO Dilip Asbe said,
“There was an issue in the app observed today. We have been updated that last night’s migration had resulted in a bug in the workflow. We understand that it has being fixed and till then user on-boarding has been stopped in this app. NPCI ensures to take action if found non-compliant.”
Truecaller hasn’t officially detailed the reason for the bug, but has clarified that no third-party entity has got access to the users’ payment details.
The company started offering its service through Truecaller Pay, which is integrated into the main app. It’s possible that the bug interfered with the SDK (Software Development Kit) of the payment service and triggered the registration process, for which the app already has the user’s permission to send/receive messages.
It claims that every tenth user on Truecaller has signed up for its payment service, which means more users are likely to have been affected by the bug.