The Karnataka High Court’s June 2026 ruling finds BSNL responsible for losses caused by a SIM swap fraud that enabled unauthorized bank transactions, revealing a critical weak point in the Unified Payments Interface (UPI) system where mobile number control compromises multiple authentication layers.

  • Mobile number acts as a master key for multiple banking authentication methods.
  • Device binding secures UPI app but not broader banking services relying on OTPs.
  • Regulators focus on tightening SIM issuance, but core security design remains vulnerable.

What happened

The Karnataka High Court ruled on June 5, 2026, that Bharat Sanchar Nigam Limited (BSNL) was liable for a cooperative bank’s financial loss amounting to Rs 50.5 lakh caused by a SIM swap fraud. The court emphasized that BSNL’s negligence in issuing a duplicate SIM card facilitated fraudsters gaining control over the victim’s financial identity. The fraud did not occur through a cloned UPI app but through unauthorized RTGS and NEFT transactions on internet banking, all authorized via OTPs sent to the hijacked mobile number.

This case involved two petitions: one from the cooperative bank seeking increased compensation and another from BSNL challenging the ruling. The court’s decision clarifies that despite protective measures like device binding in UPI, the mobile number remains central to transaction authorizations and resets, making its compromise extremely damaging.

Why it matters

The case reveals a deep structural flaw in India’s digital payments security model, where the mobile number registered with a bank acts as the principal channel for multifactor authentication. Fraudsters gaining control over a mobile number can exploit OTP-based verifications to reset UPI PINs and authorize transactions not only within UPI apps but also across internet banking and RTGS/NEFT systems. This breaks down the integrity of security layers designed to protect financial accounts.

Device binding adds a layer that restricts direct cloning of UPI apps, but it cannot mitigate risks where the mobile number itself is compromised. Since SIM swaps generally occur outside digital systems via telecom personnel issuing duplicate SIMs, the entire payments ecosystem inherits this external vulnerability, which any next-generation security measure must address.

What to watch next

Regulators in India are increasingly focused on improving the telecom sector’s SIM issuance and porting processes to harden defenses against such fraudulent swaps. The Reserve Bank of India’s liability framework acknowledges zero liability for customers who lose OTPs through SIM swap fraud, signaling a regulatory shift towards telecom accountability. However, experts note that continuous SIM validation through apps may remain impractical because of how devices and operating systems mask SIM identifiers.

The core issue remains that control over a mobile number continues to serve as a master key to a user’s financial accounts. Without redesigning this fundamental authentication mechanism, the digital payments infrastructure will remain exposed to SIM swap exploits. Future developments may require innovative approaches that move beyond reliance on mobile numbers for transaction authorizations to secure India’s rapidly expanding digital economy.

Source assisted: This briefing began from a discovered source item from MediaNama.