The big concern I have here is that the address resolution seems similar to DNS... Which is very bad, IMHO. Are they taking necessary steps to mitigate DDoS and man-in-the-middle attacks? If they're not, they're setting themselves up for major disaster.
> Just like how domains get resolved to IP addresses, every VPA needs to be linked to a bank account. The UPI handles get resolved to bank accounts and IFSC during the payment (we will see how).
I am sure I am missing something. Just curious to know where you see an attack vector for a DDoS or MITM attack?
> Are they taking necessary steps to mitigate DDoS
I am not sure how this would happen in this case. If you want to flood the system you will have to initiate a lot of payments, which will be costly.
Both sender and receiver are authenticated with the bank, so there is traceability.
Also, you need a bank license from the central bank to act as a bank, and each UPI is linked to a bank account which itself is linked to details. To add, it is now difficult (not impossible) to have an anonymous bank account because they are linked to a central ID called the Aadhaar number [1] and other KYC procedures.
One will have to really execute an elaborate scam like in Ocean's 11 movie to make this work.
I don’t know about UPI, but those concerns can be mitigated by not operating on public networks. The SWIFT payment network for example is private[1] and is only accessible via dedicated routers.
Relying on perimeter security like this means you are as vulnerable as your weakest nodes. SWIFT can be and has been hacked via its less sophisticated participant banks.
Actually this got me thinking they should have built the resolution system on top of DNS. We already use emails for very sensitive communications and rely on DNS to resolve them correctly. I'm not sure why we couldn't do the same for payment addresses.
NPCI could definitely be a single point of failure, and I think that makes them vulnerable to more than just MITM and DDoS attacks.