Flipkart’s PhonePe Wallet Tries To Latch On To Cashback Craze, Gets Scammed Instead

Narendra Modi shocked India last night with his decision to make Rs. 500 and Rs. 1000 notes obsolete. Ordinary Indians were delighted that the government was finally serious about fighting black money. Wallet companies were more more delighted – they’d just discovered a whole new use case for the business models.

All wallet companies scrambled to take advantage of the situation – Paytm carried out a full page ad on the front page of a major newspaper, and Mobikwik and Freecharge ran campaigns on social media. The newest entrant to the wallet space, Flipkart’s Phone Pe, went a step further.

It announced a cashback scheme for users transacting money through their wallet – users who sent money through PhonePe would receive a 5% cashback.

No cash? No problem! Send money through your UPI linked bank a/c on PhonePe and get 5% cashback! #IndiaFightsCorruption #IndiaLetsGoDigital pic.twitter.com/vprL7s7ouw

— PhonePe (@PhonePe_) November 9, 2016

Now cashbacks are fairly common, and are used all the time by e-commerce sites and wallets. But there was a gaping hole in PhonePe’s offer.

You could send money to a a different Virtual Address that you yourself owned, and still receive a cashback.

So I transferred some money from one VPA to other and @PhonePe_ gave me ₹100 on my bank account. Things VC money used for.

— Srikanth ஸ்‌ரீகாந்த் (@logic) November 9, 2016

A Twitter user discovered the vulnerability. The UPI interface allows for users to have multiple virtual addresses that are meant to be used for different purposes, and they’re free and easy to make. The user simply transferred some money from one virtual address to the other, and received the cashback – Rs. 100 – into his wallet.

And he wasn’t the only one to discover it – another Twitter user had used the same trick, and earned a cashback as well.

@logic @PhonePe_ LOL. I did the same.

— SG (@shrinivassg) November 9, 2016

While it can’t be ascertained how many other people earned cashbacks through the hack, PhonePe, to its credit, fixed the bug within an hour and a half of being informed.

Thanks for pointing it out Srikant @logic. We have plugged it now. 🙂

— PhonePe (@PhonePe_) November 9, 2016

The vulnerability itself was plugged, but bugs in financial apps aren’t the most comforting thought. With millions of dollars passing through wallets each day, you don’t want to leave them open to simple oversights like these. The financial business works on trust, and apps in the sector need to have flawless tech to earn the confidence of their users.