Social engineering attacks work quite well too. A quick glance through Google News reveals many attacks by which scammers coax a PIN out of unsuspecting victims [1,2].
UPI withdraws money out of your bank account -- in that respect it's like a debit card with no way to "claw back" wrongly-sent money short of going through the justice system, which is notoriously slow in India.
It's useful for what it is, but needs way more work (especially in the ability to recall payments and/or address fraudulent transactions) to become a payment system that protects even the technically less proficient.
>attackers just dupe many of them into giving them the OTP[1]
I also think there is no way to change the upper limit of the transactions with UPI, i.e. it's Rs.1,00,000 in most banks/transaction/day. Whereas for Debit/Credit card we can set it to even Rs.1000 and other sub-limits as fraud prevention methods via the bank portal.
So if someone has set such limits for Debit/Credit card (everyone should), if the card gets stolen/cloned and if the hacker/thief tries to withdraw it in an ATM even on the other side of the world, all they would get is a maximum of Rs.1000 when compared to Rs.1,00,000 via UPI.
Also, private companies are not that great in protecting the card details, like remember when Paytm wanted us to enter our card details on the merchant's phone during demonetisation? I disclosed it as a security vulnerability[1] to them; they withdrew the PoS feature, told me that it was done due to a business decision and not because of any security implications. When news media enquired about my disclosure to its CEO, he told them “This news is false” although the news site had independently verified my claim[2].
Then again, if the SIM gets jacked or the telecom employee gets compromised, all bets are off in India; everything from the identity to savings could be lost.
[1] https://timesofindia.indiatimes.com/city/bengaluru/customers...
[2] https://indianexpress.com/article/technology/tech-news-techn...