After he issued a challenge to Twitter users on Saturday by making his Aadhaar number public, TRAI Chairman RS Sharma tweeted on Monday night, asserting that users had failed in depositing money into his account.
Sharma denies he received Re 1 in his account, but the user Anivar Aravind, who had posted a screenshot of the transaction, stands by his claim and says he has had Re 1 debited from his account.
On 28 July, Aravind had demonstrated that one could transfer money to Sharma’s account without his consent and with only his Aadhaar number. While this exposes flaws in BHIM’s UPI, it also reveals that Sharma can be susceptible to harassment through deposits of unaccounted money by unknown individuals.
In sending out these tweets as a way of asserting that no harm was caused by his own publication of his Aadhaar number, Sharma appears to have made three basic errors:
The screenshots that Sharma shared in his tweet show UPI collect requests to withdraw money from his account, not “attempts to deposit money” as he has tweeted.
In the screenshot, the downward arrows within the orange circles indicate collect requests from individuals who are requesting money from Sharma.
The flaw in the BHIM app’s UPI, which Sharma does not seem to be aware of, is that deposits into his account do not generate a similar notification. Sharma has not shared his bank account statement to prove he has not received the Re 1 deposit.
Anivar Aravind was the first to reveal this crucial vulnerability of the BHIM UPI app. His successful deposit of Re 1 to Sharma is marked with a green upwards arrow. RS Sharma’s Aadhaar number in the screenshot has been blurred by The Quint. Aravind merely exposed an existing chink in the app which allows money to be transferred to another individual’s account through one’s Aadhaar number. Hence one can deposit money into Sharma’s account with only the knowledge of his Aadhaar number.
“I have had the Re 1 debited from my end,” said Aravind, who had posted the screenshot containing the transaction ID generated by the BHIM app.
By “successfully” depositing Re 1 he made three important points:
Sharma, in his tweet, said, “Note: This was done using my Aadhaar number, not my "leaked" Bank Accounts.”
By making this statement he acknowledged that his Aadhaar number was sufficient to try to deposit money to his account without his consent. This falls within the interpretation of harm.
Sharma, in his tweet, says “Sorry I am not open for bribes. Friends please look up the word "ethical", because this is not it.”