Tuesday, August 06, 2019

What’s bugging Truecaller UPI

https://www.technologymagan.com/2019/08/whats-bugging-truecaller-upi.html

Truecaller may have more than 100 million active users in India alone, but it is still not close to profitability. With the company lowering its hopes on the fintech play, it is a little surprising that a mess like the UPI bug occurred.

"Remove truecaller."

After one user's chance discovery went viral last week, these two words threatened the existence of Truecaller. The app, which actively filters spam calls and messages for more than 100 million smartphone users in India, and tens of millions more worldwide, was found to have enrolled some users for UPI without their knowledge. UPI, or Unified Payments Interface, is India's mobile-based instant payment system.

It started with a regular update. But after the rollout, many users noticed that Truecaller had sent messages with garbled text from their phone to an unknown number. Subsequently, ICICI Bank, Truecaller's partner bank, sent messages saying that their registration for UPI had started.

Truecaller blamed the incident on a bug. A spokesperson told The Ken that it affected only its Android users. The spokesperson declined to disclose how many. The company also gave assurances that the bug only enrolled users and that no transactions took place. However, it is worrying how easily this could have led to a transaction.

Following ICICI's text messages, the Truecaller app also correctly identified users' bank accounts. It could only have done this by using message access, obtained in advance, to find out which account number was linked, said Ramanathan RV, founder and CTO of Juspay, the maker of the BHIM app. In one case, Dheeraj Kumar, one of the affected users, was prompted by Truecaller to add his HDFC Bank account to the company's app. Kumar uses his HDFC Bank account to pay through BHIM, the government-backed mobile payment app.
A second user, Ashish Bansal, was prompted to link his Indian diaspora bank account to the app. Although neither Kumar nor Bansal suffered a financial loss, the issue exposed gaps in India's regulatory framework, where companies operate in the absence of data protection laws and users are often collateral damage.


According to Mary Meeker's Internet Trends report 2018, Truecaller has everything going for it in India: 100 million daily active users, and it is the fourth most downloaded app. It is an app with almost limited permissions for user data from Google's Play Store. All of this should be great for the company, but it has not lived up to its initial potential. Truecaller has ventured from one business model to another in pursuit of profitability over the years. One of its primary revenue streams was advertising, but it has proved to be less than permanent.


This is despite Truecaller diluting its value proposition to attract advertising revenue. One way it makes money is by allowing advertisers to call users: it puts their numbers on a whitelist so that they show up with names users would be willing to take calls from, occasionally celebrity names. In one campaign, it was claimed that 50% of users picked up such calls.

It has also added an ad-free premium subscription service. The company said that despite its best efforts, it is definitely going to be in deficit in 2018, with revenue of $6 million being $22.2 million. According to regulatory filings from Sweden, there was a loss of $11.2 million in sales and $6.2 million in 2017.

But as India's digital payments have taken off in recent years, Truecaller finds itself drawn to India's $100 billion digital credit opportunity. This latest incident is but a symptom of Truecaller's search for its ultimate identity.

There is no need to have UPI registration code present in the update life cycle of the app. So, it is difficult to understand how this bug is. If it really was, then it is quite unfair. Given its vast installed base, if such a bug survives production, it calls into question the testing process. It's unexpected from a mature company.

Ramanathan RV, founder and CTO of Juspay, the company that makes the BHIM app

A foreign event
Truecaller is not the kind of company you would expect to find at the centre of a fintech blunder in India. For one, the business is not Indian.

The company was founded in the summer of 2009 by Swedish duo Alan Mamedi and Nami Zarringhalam. Their rapid growth is a validation of the freedom of opportunity in Sweden, because both of them had challenging upbringings. Mamedi was born in a refugee camp, where his Kurdish parents had moved a month before he was born, while Zarringhalam's parents fled Tehran, Iran, where he was born.

Truecaller has been around for so long that it actually launched first on BlackBerry, the phone with the distinctive physical keyboard, before rolling out on iOS and Android months later.

The concept was straightforward. Truecaller stops spam calls, something that has bothered people since smartphones first took off, by telling you who is calling. Truecaller's twist is that it allows users to tag unwanted callers, which helps to identify spammers publicly. Once a user has identified a caller, perhaps a bank or a loan company, all other Truecaller users see that ID when receiving a call from it.

The service pre-dates the global app boom, and as smartphone adoption increased and apps became the norm, Truecaller's popularity grew. It reached five million registered users by September 2012 and, thanks to network effects, 10 million by January 2013.

Four years later, as iOS and Android became the dominant platforms, Truecaller saw 250 million registered users. Today it boasts 140 million active users, a more accurate metric than just 'registered users', 100 million of which are in India.

Its growth attracted investment from top names. The company has raised $98.6 million, according to Crunchbase data, from firms such as Sequoia, Kleiner Perkins and Atomico, the European fund of Skype co-founder Niklas Zennström.

Looking for a true calling
But despite the explosive growth, a service that thrives in today's mobile app economy, and a lot of money from top-tier VCs, Truecaller has struggled to find a revenue model to match. It currently makes money through a combination of advertising, an ad-free premium service, for which it has 500,000 customers paying at least $0.99, and an ambitious attempt at building an ecosystem.

The latter is a new addition, made as Truecaller started focusing on the Indian market. It crystallized in 2017 when the company acquired India-based payment startup Chillr. The plan was to offer payment and financial services to its large-scale audience in the country, its largest market worldwide.

India's story was of significant importance to Truecaller because it had gone through pivots and startup growing pains before identifying this huge market opportunity.

At its peak in 2015, Truecaller was the next big thing. Facebook released its own caller ID app, in a single breath validating and challenging Truecaller. TechCrunch reported in June 2015 that the company was in talks with investors to raise $100 million at a $1 billion valuation, a deal that would have seen Truecaller join the unicorn club.

At the time, Truecaller had raised $80 million, so the capital increase would have been significant. But the round never materialized. Instead, Truecaller closed the year with layoffs and killed one of its supporting apps a few months later. The funding round was dead too.

Speaking to TechCrunch in March 2016, Mamedi stated that Truecaller did not need the money because he anticipated that it would be cash-flow positive by the end of the year. The trigger, as he explained, would be the introduction of "targeted advertising".

Truecaller's advertising ambitions, on which Mamedi once hung his hopes, haven't quite worked out. Of the roughly $2 billion that brands spend on digital advertising, about 80% of a brand's budget goes to Google and Facebook properties. The rest is spent on content apps such as Hotstar and TikTok, with Truecaller getting less than 2%, digital agencies estimate.

"Truecaller has about 250 crore ($36 million) of available inventory in a year. The advertising market is estimated to be 14,000 crore rupees ($2 billion) in 2019. Even if Truecaller does the impossible task of selling all of its inventory for all 365 days (which is highly unlikely), they will not be accounting for 2% of total advertising spend," says Sahil Shah, executive vice president of operations and media at WATConsult, a digital marketing agency owned by Dentsu Aegis Network. Shah continued, "My best guess is that they would be about 0.75–0.95% of a brand's spend."

Payment priority
However, fast forward to 2019, and Truecaller has not managed to break even.

The product, too, has evolved considerably. Gone is the utility app focus - which provides a great experience but is hard to monetize. Today's Truecaller aspires to be a mobile platform. It provides free chat messaging and voice calling like WhatsApp among users. In India, it is aggressively rolling out payments, which is another feature Facebook is preparing to add to WhatsApp.

But it is the attempt to push its fintech services, converting low-revenue utility app users into platform app users that generate significant revenue, that triggered last month's bug. At the height of the 2017 payment frenzy in India, Truecaller jumped into payments alongside fellow foreign tech firms such as Google and Facebook.

As UPI volumes increased, the fight for the number one spot was fought between locally developed wallet companies Paytm and PhonePe, the government-backed BHIM and Google Pay. Truecaller was nowhere on the payment scene. And now, 28 months after its launch, it has an insignificant presence. Truecaller has about 10 million bank accounts linked to it, the company said earlier this year. Competitor PhonePe, which focuses only on payments, has more than 100 million users, meanwhile.

At the same time, young companies are shaking the tree too. The merchant-centric payment app BharatPe, which is barely one year old, accounts for close to 10% of UPI merchant volume. It makes about 9 million transactions in a month.

Truecaller's 100 million active users, however, have not been able to supercharge its payment dreams. What was needed was a growth hack. A hack that could probably link all its 100 million users to their bank accounts.

Bugs bugfix
When it comes to Truecaller, one privacy-breach swallow does not make a summer. Truecaller's strong desire to make its payment strategy a success has driven it to other underhand tactics as well. A talking point that arose from public scrutiny of the bug is what exactly Truecaller's app does in the background without users' knowledge.

Abhay Rana, a software developer at payment gateway Razorpay, found that Truecaller's app was embedded with several data-hungry software development kits (SDKs). SDKs allow a piece of software to talk to others.



Now, an SDK is not an indicator of morality in itself. According to a SafeDK report, an app has 18.5 SDKs on average. Most apps use SDKs for ads and analytics as standard.

However, the SDKs in Truecaller gave credit scoring service MessAI and expense management service Walnut access to user data. The former can track messages to profile users. Walnut, which was acquired by fintech lender Capital Float, enjoyed equal access.

This access can help Truecaller, with its lending ambitions, identify which users to target for loans. Rana also checked other payment apps, such as PhonePe and Cred, for SDKs. Their SDKs did not include credit scoring, he said.

Lending apps like MoneyTap also have credit scoring SDKs, but users explicitly download them for the purpose of taking loans. Given its focus on caller ID, few people downloading Truecaller would expect their messages to be scanned to assess their creditworthiness.

Sony Joy, head of payments at Truecaller and former CEO of Chillr, defended the company's practices. Joy claims that credit scoring, which is part of a pilot, is only for a specific set of users who want to apply for credit and expressly allow transaction-related messages to be assessed. He said the application asks for consent, even if users have already given messaging permission.

Joy's claims appear to be at odds with Truecaller's own FAQ detailing its credit services. It says that Truecaller does not show this option to all its users. "If you are eligible for the offer, it will be seen on the landing page under the banking tab of Truecaller App," it states. This indicates that Truecaller already recognizes which users are eligible for its lending services.

A few hours after Rana's findings were published on Twitter, Walnut founder Amit Bhor said that the Walnut SDK found in Truecaller was completely disabled. Following Rana's discovery, it also surfaced that Truecaller had acquired MessAI in April 2019.

Very close to the sun
Truecaller is a reflection of the era in which it evolved, when Android was a developer haven. App developers turned to Google's mobile operating system because it allowed apps to use user data freely and create products with few hurdles. As a result, Truecaller has permissions covering call logs, reading and creating messages, location and contacts. This is in contrast to Apple's iOS operating system, which forbids applications built around users' message inboxes or call logs.

Focus Pocus

Truecaller is focused on Nigeria, Kenya and South Africa, all countries where its service is needed, but which also have a lax permission architecture when it comes to user data. In Europe, where the EU has introduced strict privacy rules, it has changed its trademark reverse lookup feature to ensure consumers opt into Truecaller's database.
It is this unbridled access to data that led Truecaller to virtually break the invisible principle of digital payments in India. Just as Airtel Payments Bank and Paytm Payments Bank showed that electronic KYC (Know Your Customer) processes can be used to inadvertently sign people up for bank accounts, the UPI bug of Truecaller shows how an app can be misused in the same way.

Truecaller, with its bug, came close to breaching the all-important fail-safe of Indian digital payments: two-factor authentication (2FA). The mechanism, which combines the three-digit card verification value (CVV) on the back of a debit or credit card with a one-time password sent by text message, is the darling of the central bank, the Reserve Bank of India, much to the untold angst of digital companies, who see the two steps as a pain point.

When UPI burst onto the scene, it was immediately embraced, because even with 2FA, it practically worked as a single-step process. This is because the first factor is the phone number and the device itself, which does not require authentication every time a payment is made. But as Truecaller has shown, it can also be a vulnerability.

Generally, a UPI app gets access to the device's details only when a user installs the app and starts the registration process. Not so Truecaller. As a caller ID app, it already had the device's details by virtue of its messaging permission. This allowed it to auto-register users. Much as the company would like to call it an anomaly, it was also an eventuality. If not at the hands of Truecaller, then perhaps through some other app with similar fintech ambitions.

Facebook has continued to move forward despite major privacy controversies, and this incident may also blow over for Truecaller, like many tech outrages of the past. But there are some worrying signs, like the upcoming data protection bill, which is expected to be introduced in Parliament in the current budget session, and increased competition between fintech and non-fintech companies in lending.

Even though Truecaller in May appointed Sandeep Patil, former managing director of Flipkart, as its India managing director, for all its focus on the Indian market the company is anchored in Sweden (where Mamedi, Zarringhalam and the heads of engineering and product are based). Even on the board of Truecaller there is only one Indian representative, Shailesh Lakhani of Sequoia. The Chillr acquisition gave Truecaller an on-the-ground presence in India, but the incidents of last week may force it to rethink its approach. With WhatsApp about to shake up India's fintech landscape, where will that leave it?

Clarification: The article was updated to reflect the exact number of transactions done by BharatPe in a month. It has also been edited to highlight that Truecaller's access to messages is sufficient for linking users' bank accounts.