Swedish company Truecaller has clarified in a blog post that the recent incident on their Pay feature was an anomaly.
Explaining what happened, CEO Alan Mamedi said in the blog post that last Monday, when the company started to roll out an updated version of Truecaller for Android users, it noticed that the first users to update to the new version (10.41.6) on Android began to complain that SMSs were being sent automatically, without users' consent, to their banking partners.
Due to this anomaly, some of the users (less than 0.12% of total monthly users in India) automatically initiated the creation of payment profiles they never asked for. However, the company said that no bank accounts or financial information of users were compromised, and that immediate steps were taken to remove the issue and ensure the services were returned to normal.
What was the bug?
The particular API that caused the havoc was supposed to be initiated for only existing Truecaller Pay users who consented to sign up with Truecaller Pay. Since this API is only meant for registered payment users, if there is an indication that the registered user’s credentials were corrupted, the API would then trigger a refresh of the credentials. However, this API was triggered for a portion of users who were not already registered for payments. Such an API issue is unusual and unprecedented at Truecaller and a scenario we hadn’t designed for. As a consequence, the payments back end responded with an error code signalling that the users have insufficient credentials to perform this request (that’s what that odd SMS message was about). Under normal circumstances this would be the correct course of action, since this error would have occurred only for a pre-registered user. This triggered a credential refresh which would eventually cause the UPI registration to be triggered inadvertently.
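The failure path described above, as an added example rather than Truecaller's code: a credential-check call that was only meant for registered Pay users runs for everyone, the back end's "insufficient credentials" reply is handled as "refresh and re-register", and the registration step is what sends the SMS to the banking partner. The guarded version gates the whole path on the user's existing Pay registration and makes the registration step prove consent on its own. Every name, error code and data structure here is an assumption constructed for the example.

```python
"""Model of the described Pay incident: an 'insufficient credentials' error
cascading into an unwanted UPI registration, beside the guarded flow.
Added example; all names and codes are assumed, not Truecaller's API."""
from dataclasses import dataclass, field
from typing import List

# Assumed error code from the payments back end (constructed for this example).
ERR_INSUFFICIENT_CREDENTIALS = "INSUFFICIENT_CREDENTIALS"


@dataclass
class User:
    user_id: str
    pay_registered: bool                  # user explicitly consented and signed up for Pay
    credentials_valid: bool = True        # False models "corrupted" credentials
    sms_sent: List[str] = field(default_factory=list)  # SMSs sent on the user's behalf


class PaymentsBackend:
    """Stand-in back end: it only knows registered Pay users, so it answers
    'insufficient credentials' both for corrupted and for never-registered users."""

    def check_credentials(self, user: User) -> str:
        if not user.pay_registered or not user.credentials_valid:
            return ERR_INSUFFICIENT_CREDENTIALS
        return "OK"

    def refresh_credentials(self, user: User) -> None:
        user.credentials_valid = True


def register_upi(user: User, consented: bool) -> bool:
    """UPI registration: the step that sends the SMS to the banking partner.
    Sends nothing and returns False unless the caller proves consent."""
    if not consented:
        return False
    user.sms_sent.append("UPI registration SMS")
    user.pay_registered = True
    return True


def buggy_flow(user: User, backend: PaymentsBackend) -> str:
    """The failure mode from the post: the check runs for every user, and the
    error reply is treated as a refresh trigger. Consent is assumed, because this
    path was designed on the premise that only registered users ever reach it."""
    if backend.check_credentials(user) == ERR_INSUFFICIENT_CREDENTIALS:
        backend.refresh_credentials(user)
        register_upi(user, consented=True)   # the baked-in assumption
        return "refreshed"
    return "ok"


def fixed_flow(user: User, backend: PaymentsBackend) -> str:
    """Guarded version: the refresh path is unreachable for users who never
    signed up, and the registration step is handed the real consent state."""
    if not user.pay_registered:
        return "skipped: not a Pay user"
    if backend.check_credentials(user) == ERR_INSUFFICIENT_CREDENTIALS:
        backend.refresh_credentials(user)
        register_upi(user, consented=user.pay_registered)
        return "refreshed"
    return "ok"


def count_unwanted_registrations(users: List[User], flow) -> int:
    """Runs a flow over a constructed user base and counts users who ended up
    registered, with an SMS sent, without ever having consented."""
    unwanted = 0
    for u in users:
        consented_before = u.pay_registered
        flow(u, PaymentsBackend())
        if not consented_before and u.sms_sent:
            unwanted += 1
    return unwanted


if __name__ == "__main__":
    # Constructed sample user base: one registered user with corrupted
    # credentials, two users who never signed up for Pay.
    def sample():
        return [User("u1", True, credentials_valid=False), User("u2", False), User("u3", False)]

    print("unwanted registrations, buggy flow:", count_unwanted_registrations(sample(), buggy_flow))
    print("unwanted registrations, fixed flow:", count_unwanted_registrations(sample(), fixed_flow))
```

The point of the two flows is where the consent decision lives: in the buggy flow it is an implicit precondition of a code path, so any caller that reaches the path by mistake inherits it; in the fixed flow it is read from the user's actual state at the moment the SMS would be sent.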
The good news
Corrective steps of action
1. Stop roll out of the affected version
2. Deregister all the affected users (<0.12% of India MAU)
3. Release a build with the bug fix within hours (the fixed version is v10.41.7 on Android)
4. Schedule a force update for users once the new build gets to critical reach. (Available now)
Truecaller does not read users' SMSs to create a credit score without their consent.
We recently introduced loans as a part of our Truecaller Pay offering to help and enable the community who do not necessarily have access to a traditional credit score for the banks to approve them. This loan could help scale their small business, or capitalise on opportunities that might appear, where we believe alternative data can be much more helpful in a fast growing economy like our home market, India.
We may use transactional SMSs (transactional SMSs exclude any personal SMSs of users received from ten-digit mobile numbers) in our determination process; however, any such access to users' transactional SMSs is done only when the user requests a loan and gives their explicit consent to analyse their transactional messages. If a user doesn't request a loan and provide explicit consent, we don't process any of their personal data for lending purposes.