Truecaller clarifies less than 0.12% of monthly active users in India hit by bug

  • While upgrading to the new Truecaller version on Android, users complained that SMSs were being sent out automatically without users’ consent to their banking partners
  • Some users (less than 0.12% of monthly users in India) automatically initiated creation of payments profiles they never asked for

Swedish company Truecaller has clarified in a blog post that the recent incident on their Pay feature was an anomaly.

Explaining what happened, CEO Alan Mamedi said in the blog post that last Monday when the company started to roll out an updated version of Truecaller for Android users, they noticed that the first users to update to the new version (10.41.6) on Android started to complain that SMSs were sent out automatically without users’ consent to their banking partners.

Due to this anomaly, some of the users (less than 0.12% of total monthly users in India) automatically initiated creation of payments profiles they never asked for. However, the company said that no bank accounts or financial information of users were compromised, and that immediate steps were taken to remove the issue and ensure the services were returned to normal.

What was the bug?

The particular API that caused the havoc was supposed to be initiated for only existing Truecaller Pay users who consented to sign up with Truecaller Pay. Since this API is only meant for registered payment users, if there is an indication that the registered user’s credentials were corrupted, the API would then trigger a refresh of the credentials. However, this API was triggered for a portion of users who were not already registered for payments. Such an API issue is unusual and unprecedented at Truecaller and a scenario we hadn’t designed for. As a consequence, the payments back end responded with an error code signalling that the users have insufficient credentials to perform this request (that’s what that odd SMS message was about). Under normal circumstances this would be the correct course of action, since this error would have occurred only for a pre-registered user. This triggered a credential refresh which would eventually cause the UPI registration to be triggered inadvertently.
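The failure described above is a missing precondition check: a credential-refresh path that assumed every caller was already a registered Pay user, so the back end's "insufficient credentials" error kicked off a registration flow for people who had never consented. The following is an added illustration written for this page, not Truecaller's code, and the user, back-end and audit objects are constructed stand-ins; it places the buggy flow beside one that fails closed for non-Pay users.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    pay_registered: bool          # consented to Truecaller Pay sign-up (constructed flag)
    upi_registered: bool = False  # the state we must never reach without consent


@dataclass
class Audit:
    sms_sent: list = field(default_factory=list)  # records which users got a verification SMS


class PaymentsBackend:
    """Constructed stand-in: reports missing credentials for anyone not registered."""

    def validate(self, user: User) -> str:
        return "OK" if user.pay_registered else "INSUFFICIENT_CREDENTIALS"


def refresh_credentials_buggy(user: User, backend: PaymentsBackend, audit: Audit) -> str:
    # Assumes the caller is already a Pay user; the error branch trusts that assumption.
    code = backend.validate(user)
    if code == "INSUFFICIENT_CREDENTIALS":
        audit.sms_sent.append(user.uid)  # the unexpected SMS users reported
        user.upi_registered = True       # registration started without consent
    return code


def refresh_credentials_fixed(user: User, backend: PaymentsBackend, audit: Audit) -> str:
    # Enforce the precondition the API was designed around before touching the back end.
    if not user.pay_registered:
        return "REJECTED_NOT_PAY_USER"   # fail closed: no SMS, no registration
    code = backend.validate(user)
    if code == "INSUFFICIENT_CREDENTIALS":
        audit.sms_sent.append(user.uid)
        user.upi_registered = True       # only ever reached for a consented Pay user
    return code


def run(refresh):
    """Apply a refresh implementation to one registered and one unregistered user."""
    backend, audit = PaymentsBackend(), Audit()
    users = [User("u-pay", True), User("u-free", False)]  # constructed sample users
    results = {u.uid: refresh(u, backend, audit) for u in users}
    return results, {u.uid: u.upi_registered for u in users}, audit.sms_sent
```

Running `run(refresh_credentials_buggy)` shows the non-Pay user ending up UPI-registered after receiving an SMS, while `run(refresh_credentials_fixed)` rejects that caller before any back-end call is made.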

The good news

Truecaller immediately stopped the release from being available and stopped all payment functionality remotely on that particular version. Less than 0.12% of our users in India got registered to UPI without their consent and we took quick actions to delete those accounts of affected users. Because the registration happened in the background, our affected users were never asked to create a UPI Pin code, which means that the registration process never finished. Therefore, the above mishap didn’t mean any sort of loss for the affected user, neither in terms of user’s data nor anything financial. Truecaller cannot make any transactions without the user manually submitting their UPI PIN (which was never created as explained above). Therefore, this does not affect or make the bank account of users vulnerable to any unexpected financial transactions.

Corrective steps of action

1. Stop roll out of the affected version

2. Deregister all the affected users (<0.12% of India MAU)

3. Release a build with the bug fix within hours (the fixed version is v10.41.7 on Android)

4. Schedule a force update for users once the new build gets to critical reach. (Available now)

Clarification

Truecaller does not read users' SMSs to create a credit scoring without their consent.

We recently introduced loans as a part of our Truecaller Pay offering to help and enable the community who do not necessarily have access to a traditional credit score for the banks to approve them. This loan could help scale their small business, or capitalise on opportunities that might appear, where we believe alternative data can be much more helpful in a fast growing economy like our home market, India.

We may use transactional SMSs (transactional SMSs exclude any personal SMSs of users received from ten-digit mobile numbers) in our determination process; however, any such access to users' transactional SMSs is done only when the user requests a loan and gives their explicit consent to analyse their transactional messages. If a user doesn't request a loan and provide explicit consent, we don't process any of their personal data for lending purposes.
