Truecaller apologises for UPI SMS gaffe

Nami Zarringhalam, chairman, Truecaller, has responded to the negative news around the application. On 30 July, Truecaller users were complaining of the app sending a SMS from their SIM to banks.

 

In a letter signed by Zarringhalam, Alan Mamedi, co-founder and CEO, and the entire Truecaller team, the company has apologised.

 

Truecaller had registered users who updated to its 10.41.6 version for UPI without consent. The Truecaller app was automatically sending SMS from the sim. Through the letter, Zarringhalam stated that the company was built on the foundation of trust in public interest and many scams have been avoided because of the app. 

 

The full letter stated:

 

Nami and I built Truecaller on the foundation of trust, we wanted to solve the mistrust in communication and enable people, like ourselves, to create a trusted identity in communication. We also believed (and still do) that Truecaller can help and enable people to do things they have not been able to do in the past by being a part of the Truecaller Community. People getting their dream job because we identified who was calling, people avoided scams and harassment because we helped report bad intentions, and many criminal cases have been solved because Truecaller helped identify the culprit.  And recently, people in small villages are going digital with their payments for the first time by using their Truecaller app. Truecaller’s impact on society has been quite inspiring for us behind the scenes and our continuous effort has been to provide services that benefits the general mass and acts in public interest.

 

We started Truecaller based on a few core principles that still remain true: 1) Build the product for the masses that acts in public interest; 2) Always ask for permission and only process personal information if it brings value to the users; 3) Make it simple for the users to remove any personal information. 4) Never build things that we would not feel comfortable using ourselves, or standing in front of a camera to talk about.

 

Ten years later, we believe we have come very far by following these principles and they still remain core to us. We understand the frustration this news and numerous rumours may have caused to people, and we honestly apologise to them. We all at Truecaller feel awful this even happened in the first place.

 

Going back to our core principles, we would never do anything without asking for permission, and we always build things that hopefully brings value to our customers with transparency. Our intention is always to solve problems and help you. We will strive to do better.

 

/Alan, Nami & the entire Truecaller Team

 

The recent incident on our Pay feature was an anomaly in this journey and we would like to talk about it to put all fear and speculation to rest.

 

What happened?

 

Last Monday, we started to roll out an updated version of Truecaller to our Android users as we do every week. As a standard internal protocol, every time we roll an updated version, we first roll it out to 1% of our user base, check the reviews, support tickets, and crash reports to see if everything is normal. For this particular release, we noticed that the first users to update to our new version (10.41.6) on Android started to complain that an SMS was sent out automatically without users’ consent to our banking partners. Due to this anomaly some of our users (less than 0.12% of our total monthly users in India) automatically initiated a creation of payments profile created that they never asked for. We deeply regret the trouble caused to these unsuspecting users, who may have thought that there is some breach to their bank account. As explained in detail below, no bank accounts or financial information of users were compromised and immediate steps were taken to remove the issue and ensure the services were returned to normal. 

 

What was the bug?

 

The particular API that caused the havoc was supposed to be initiated for only existing Truecaller Pay users who consented to sign up with Truecaller Pay. Since this API is only meant for registered payment users, if there is an indication that the registered user’s credentials were corrupted, the API would then trigger a refresh of the credentials. However, this API was triggered for a portion of users who were not already registered for payments. Such an API issue is unusual and unprecedented at Truecaller and a scenario we hadn’t designed for. As a consequence, the payments backend responded with an error code signalling that the users have insufficient credentials to perform this request (that’s what that odd SMS message was about). Under normal circumstances this would be the correct course of action, since this error would have occurred only for a pre-registered user. This triggered a credential refresh which would eventually cause the UPI registration to be triggered inadvertently.

 

The good news

 

We immediately stopped the release from being available and stopped all payment functionality remotely on that particular version. Less than 0.12% of our users in India got registered to UPI without their consent and we took quick actions to delete those accounts of affected users. Because the registration happened in the background, our affected users were never asked to create a UPI Pin code, which means that the registration process never finished. Therefore, the above mishap didn’t mean any sort of loss for the affected user, neither in terms of user’s data nor anything financial. Truecaller cannot make any transactions without the user manually submitting their UPI PIN (which was never created as explained above). Therefore, this  does not affect or make the bank account of users vulnerable to any unexpected financial transactions.

 

The corrective steps of action

 

Right after recovering from the shock of what had slipped through our quality ensuring processes, our entire business unit came together to immediately mitigate the situation and ensure an effective solution was provided to our affected users. Within hours of becoming aware of the issue, we were able to take the following corrective measures:

 

1.    Stop roll out of the affected version

2.    Deregister all the affected users (<0.12% of India MAU)

3.    Release a build with the bug fix within hours (the fixed version is v10.41.7 on Android)

4.    Schedule a force update for users once the new build gets to critical reach. (Available now)

 

The clarification:

 

Amidst this unfortunate event, we saw reports in the media that Truecaller also reads user SMSs to create a credit scoring without users’ consent. We would like to clarify that it is not correct. We recently introduced loans as a part of our Truecaller Pay offering to help and enable the community who do not necessarily have access to a traditional credit score for the banks to approve them. This loan could help scale their small business, or capitalise on opportunities that might appear, where we believe alternative data can be much more helpful in a fast growing economy like our home market, India. We may use transactional SMSs (transactional SMSs exclude any personal SMSs of users received from ten digit mobile numbers), in our determination process, however, any such access to users transactional SMSs is done only when the user requests for a loan and gives their  explicit consent to analyse their transactional messages. If a user doesn’t request for a loan and provides an explicit consent, we don’t process any of their personal data for lending purposes.

 

The learnings:

 

When the week started, none of the Truecaller Team could predict we’d end up here, or that we’d encounter a piece of code that would have caused this dilemma or distrust from our users, and for this, we wholeheartedly apologize. We are currently re-evaluating our development, testing & release processes to make them more air-tight so that this would not manifest again. Some of the concrete measures we are already working on include ensuring that our client-server communications have an implicit mechanism to prevent developer errors related to user state.

 

We thank the users for being patient with us while we fixed the issues, same goes for NPCI & our Bank partners who listened in detail to what happened and looked into our RCAs (Root Cause Analysis). We would also like to thank the media who stuck to facts, and the users on social media who opened up their ears and eyes to listen and speak with us directly instead of following speculation.