Caller ID app Truecaller, which has a massive user base in India, may be responsible for a security risk by linking the bank accounts of users with its Unified Payments Interface (UPI) offering without seeking consent or requiring any user action. According to several users, many of whom have complained through Twitter, Truecaller has automatically been sending out UPI-linking requests after an update to the app that came out recently.
Truecaller told HuffPost India that this is being caused by a bug that affects the payments feature. The full statement is here:
“We have discovered a bug in the latest update of Truecaller that affected the payments feature, which automatically triggered a registration post updating to the version. This was a bug and we have discontinued this version of the app so no other users will be affected. We’re sorry about this version not passing our quality standards. We’ve taken quick steps to fix the issue, and already rolled out a fix in a new version. For the users already affected, the new version with the fix will be available shortly, however, in the meanwhile they can choose to manually deregister through the overflow menu in the app.”
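The statement describes a bug class worth understanding in its own right: a lifecycle hook (here, the post-update path) initiating a payments registration that should only ever follow an explicit user action. The Python below is an added illustration, not Truecaller's code, that simulates both the buggy upgrade hook and a consent-gated version, and shows the audit check a defender would run to spot registrations with no user action behind them. The account structure, the phone number and the trigger labels are constructed for the example; the version numbers are the ones reported in this article.

```python
"""Added illustration (not Truecaller's code): an app update must never start
a payments registration by itself, and an audit trail makes that detectable."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    """Local view of one user, with every outgoing registration SMS recorded."""
    phone: str
    upi_registered: bool = False
    outbox: List[str] = field(default_factory=list)   # SMS the app sent
    audit: List[dict] = field(default_factory=list)   # why each SMS was sent


def send_registration_sms(acct: Account, reason: str) -> None:
    """UPI onboarding is initiated by an SMS from the handset; record the trigger."""
    acct.outbox.append(f"UPI-REG {acct.phone}")
    acct.audit.append({"event": "upi_registration", "trigger": reason})
    acct.upi_registered = True


# Buggy behaviour from the statement: upgrading the app triggers registration
# with no user action at all.
def on_app_upgraded_buggy(acct: Account, new_version: str) -> None:
    send_registration_sms(acct, reason=f"upgrade:{new_version}")


# Hardened flow: registration runs only from a single-use consent token that a
# user tap produces, and the upgrade hook never calls into it.
@dataclass
class ConsentToken:
    phone: str
    used: bool = False


def user_taps_link_bank(acct: Account) -> ConsentToken:
    """The only place a consent token is minted: an explicit UI action."""
    return ConsentToken(acct.phone)


def register_upi_with_consent(acct: Account, token: Optional[ConsentToken]) -> bool:
    """Refuse without a fresh token bound to this account; consume it on use."""
    if token is None or token.used or token.phone != acct.phone:
        return False
    token.used = True
    send_registration_sms(acct, reason="user_action:link_bank")
    return True


def on_app_upgraded_fixed(acct: Account, new_version: str) -> None:
    """Migrate local state here if needed; never initiate a registration."""
    return None


def unexpected_registrations(acct: Account) -> List[dict]:
    """Audit check: any registration not traceable to a user action is suspect."""
    return [e for e in acct.audit
            if e["event"] == "upi_registration"
            and not e["trigger"].startswith("user_action:")]


if __name__ == "__main__":
    victim = Account("+91-0000000000")          # constructed sample number
    on_app_upgraded_buggy(victim, "10.41.6")
    print("buggy path, unexpected registrations:", unexpected_registrations(victim))

    user = Account("+91-0000000000")
    on_app_upgraded_fixed(user, "10.41.7")
    token = user_taps_link_bank(user)
    register_upi_with_consent(user, token)
    print("fixed path, unexpected registrations:", unexpected_registrations(user))
```

The design point is that the consent token is minted in exactly one place (a user tap) and is bound to the account and consumed on use, so no background or lifecycle code path can reach the registration SMS; the audit list is what lets you prove, after the fact, that every registration had a user action behind it.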
Although Truecaller has now taken note of the matter, it took several days of tweets from users to make this happen, a delay that might be acceptable for other apps but is a serious concern when the feature in question touches your bank account.
Responding to Truecaller CEO Alan Mamedi on Twitter, user Nikhil Dhariwal shared screenshots of an SMS from ICICI about a UPI registration that had been started without asking for any permission. Another user tweeted a screenshot showing that the process of adding their Axis Bank account to UPI had begun. There are several such examples, such as this one about Truecaller automatically linking UPI, or this one where another user flagged the issue, which seems to have come up when upgrading to Truecaller version 10.41.6.
Replying to a tweet from Truecaller, another user posted that Truecaller was trying to verify their UPI ID without adequate confirmation. This thread by user Dheeraj Kumar contains the most details about this issue, with screenshots. Several other accounts confirmed that updating to the latest version of the app tries to automatically link the Truecaller UPI with your bank accounts.
Millions could be affected
Spam calls are a huge problem in India, so it is not surprising that an app like Truecaller, which can identify who is calling you even if you don’t have their number saved, has taken off so well. Earlier this year, Truecaller CEO Mamedi tweeted that Truecaller has crossed 100 million (10 crore) daily active users in India, and added that every tenth active user in India has linked their bank account to Truecaller. This means that around one crore people could be affected by this latest update from Truecaller, whether or not it was intentional.
UPDATE: Truecaller responded to this article stating that millions of users were not affected. This is what the company said: “Less than 0.1% of Truecaller’s India specific users were affected by this incident, as a result of swift action that was taken by the team to immediately rollback the update. We would like to also confirm that all the affected users have been completely deregistered from the platform within hours of the incident taking place.”
Even so, 0.1% of Truecaller’s user base of over 100 million Indian users still means more than 100,000 users were potentially affected.
Truecaller has also been criticized for the way in which it builds its database of numbers—your number can be uploaded even if you are not using Truecaller.
Truecaller has denied this and has also said it requires users to explicitly take action to connect their UPI. Once Truecaller UPI is connected to your bank account, it can be used to send and receive money or to pay businesses offline and online. All you require is the other person’s phone number (if they’re also using UPI on Truecaller) or their UPI ID, and you can start sending or receiving money. That’s not all, though: UPI also lets you check your bank balance, a feature offered through the Truecaller app.
This has raised serious questions about the security and privacy of people’s financial data, and although Truecaller in a blog post denied that there has been a breach, there have been reports that user data from the app is on sale on the Dark Web.
What can you do?
Check the Truecaller app to make sure that your account hasn’t been linked, and also check your SMS app to see if any messages relating to UPI were sent or received. Disable SMS permissions for Truecaller, and if you’re not yet on the latest version of the app, turn off automatic updates for Truecaller.
Update: The company stated that a fixed update (version 10.41.7) was issued late on Tuesday evening and that it is now safe to use Truecaller.