Airtel, ZoomCar leaking Credit Card Number during merchant refunds

4 Likes

Great write-up, thanks for sharing.

I noticed a similar problem while submitting my bank statements to my auditor: the transactions included my debit card numbers. I had to search/replace them. But I can imagine the number of bank statements scanned and sent mindlessly that contain that information, stored in unencrypted file-shares.

1 Like

Great find, good read.

UPI has also enabled name lookups via phone numbers and vehicle numbers (via FASTag).
For example:
<mobile_number>@bankname/upi
netc.<vehicle_number>@bankname
Essentially allowing anybody to programmatically and easily dox owner information.

Although there are options to disable this default behaviour, I believe Privacy should be enabled by default and not optional.

2 Likes

This is a great way to protect some banking info in the long run. There is more to expect when it comes to the security since there are many tweaks on hacks and other breaches. I believe that it is easy to expect that there won’t be much of a problem when it comes to the tricks on the block since it is protected by bank stuff or whatsoever. This one here is a great way to ensure that we can get easy access but protect it from certain people who have nothing but threats in our own money.