A viral video from an MCD parking site in Delhi recently exposed a major loophole in India’s digital payment ecosystem. The clip showed an attendant allegedly diverting customer payments to a personal account by displaying a QR code image saved in the phone’s gallery instead of the official merchant code on a Razorpay POS device.
In response, Razorpay co-founder Shashank Kumar announced that the company will soon release a software update disabling gallery access on merchant devices “unless really needed.” The move aims to prevent fraudulent QR substitution, which has become an emerging form of digital payment fraud.
The incident underscores a low-tech yet high-impact attack—where a fake QR code, though visually identical, redirects payments to an unauthorized UPI handle. Such scams exploit user trust and highlight the vulnerabilities of human-operated digital interfaces.
Disabling gallery access significantly reduces this risk. By preventing image uploads, Razorpay can ensure that only authentic PSP-provisioned QR assets linked to verified merchant IDs appear at checkout, strengthening the chain of trust between payer and receiver.
However, experts caution that this measure alone cannot eliminate all forms of QR fraud. Fraudsters also use printed overlays, counterfeit stickers, and digital sharing of fake codes. Hence, both procedural vigilance and technical controls are essential.
Industry best practices include device hardening, merchant name verification, voice confirmation soundboxes, and regular physical audits of QR displays.
Ultimately, Razorpay’s proactive step reflects a broader lesson for India’s fintech ecosystem: digital security must evolve as fast as digital adoption. Layered safeguards—spanning user awareness, merchant training, and intelligent fraud analytics—remain vital to preserving trust in the nation’s booming UPI infrastructure.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
