top | item 24095196

(no title)

Finster | 5 years ago

The big concern I have here is that the address resolution seems similar to DNS... Which is very bad, IMHO. Are they taking necessary steps to mitigate ddos and Man in the middle attacks? If they're not, they're seeing themselves up for major disaster.

discuss

godelmachine|5 years ago

>>Just like how domains get resolved to IP addresses, every VPA needs to be linked to a bank account. The UPI handles get resolved to bank accounts and IFSC during the payment (we will see how).

I am sure I am missing something. Just curious to know where do you see an attack vector for DDoS or MOTM attack?

sudeepj|5 years ago

> Are they taking necessary steps to mitigate ddos

I am not sure how this would happen in this case. If you want to flood the system you will have initiate a lot of payments which will be costly.

Both sender and receiver are authenticated with bank, so there is a traceability.

Also, you need a bank license from the central bank to act as a bank and each UPI is linked to an bank account which itself is linked to details. To add, it is now difficult (not impossible) to have anonymous bank account because they are linked to a central ID called Aaddhar number [1] and other KYC procedures.

One will have to really execute an elaborate scam like in Ocean's 11 movie to make this work.

[1] https://en.wikipedia.org/wiki/Aadhaar

arafsheikh|5 years ago

I don’t know about UPI, but those concerns can be mitigated by not operating on public networks. The SWIFT payment network for example is private[1] and is only accessible via dedicated routers.

[1] https://www.exalog.com/en/swiftnet-network-banking-communica...

closeparen|5 years ago

Relying on perimeter security like this means you are as vulnerable as your weakest nodes. SWIFT can be and has been hacked via its less sophisticated participant banks.

blueblisters|5 years ago

Actually this got me thinking they should have built the resolution system on top of DNS. We already use emails for very sensitive communications and rely on DNS to resolve them correctly. I'm not sure why we couldn't do the same for payment addresses.

NCPI could definitely be a single point of failure, and I think that makes them vulnerable to more than just MITM and DDOS attacks.

captn3m0|5 years ago

The “resolution” is done by forwarding the query to your PSP which forwards it to the NPCI which forwards it to the issuing bank.

The client-PSP is over HTTPS, and the remaining legs are over UPI (which is essentially SOAP+XML) which uses XML signatures.

There are rate-limits built at most ends, and I think most PSPs also cache the resolution.

sseth|5 years ago

The resolution is not done at the client end, but in NPCI, while processing the transaction. So this is nothing like DNS.

ta2987|5 years ago

[deleted]