Truecaller to Close UPI Services in India

Caller ID app Truecaller suspended its services on the Unified Payment Interface (UPI) to focus on core offerings such as communication and security, a company spokesperson said.

Truecaller has operated the payment service under Truecaller Pay for the last four years. The spam blocker app will not add new UPI users, the company could integrate Truecaller Pay with other UPI partners in its application, but the final decision is yet to be made.

The spokesperson said, "We have identified other opportunities where we believe we are uniquely positioned to serve the community. The potential impact of such investment would be significantly higher compared to that of payments where many companies are already contributing. To summarize, this is a strategic decision to deprioritize payments and focus on products and solutions that can help create significantly more impact in areas like communication, trust and safety."

At its peak in mid of 2020, Truecaller Pay had around 20 million registered UPI users, and it offered services like bill payments through its banking partners ICICI Bank and Bank of Baroda.

Truecaller said that the UPI service interruption would have no impact on its lending operations. The platform will continue to distribute credit through partnerships with its non-bank financial partners.

Truecaller has more than 200 million monthly active users in India, with around 120,000 premium clients. The company claimed that it notified users of its decision two weeks ago. "Based on guidance from regulators, we gave users a two-week notice," added the spokesperson.

Truecaller launched Guardians- a personal safety app, in March, where Indian users can share their location with friends, family and authorities on their phone contact list. By pressing the emergency button in the application, the tutors' contacts, added by the user, were alerted to the user's exact location.

As per Anand Prakash, Cybersecurity Researcher and CEO of PingSafe AI, Guardians had a major bug at the "Login with Truecaller API" level, allowing attackers to log into the victim's Guardians account just by using the contact number. "Once the attacker has successfully logged in, they can track all your family members' locations. The application also leaked the victim's account details such as date of birth, profile picture and emergency contact details. It allowed an attacker to add more family members to the account once the account was taken over. Truecaller was quick to fix the vulnerability within a few hours," read the PingSafe AI blog.

A spokesperson from Truecaller assured that the issue was fixed and said, "In this case, the issue pointed out by Anand was due to a development configuration being rolled out by mistake during the launch phase. Our engineers were already rolling out a fix at the time of his submission to ensure user safety. We routinely conduct extensive testing to make sure our users are safe and their data secured; however, we would also like to thank Anand for reaching out proactively."