Four years after unidentified suspects cloned a man’s SIM card and siphoned Rs 19.50 lakh from his firm’s bank account, the state government’s Adjudicating Officer awarded the firm the same amount in compensation.
S V R Srinivas, principal secretary, Information Technology and the Adjudicating Officer, also pulled up the telecom service company and the mercantile bank where the firm held the man’s account, for failing to secure his confidential data.
The complainant is Ashok Mange, the manager of M/S Agri Trade India Service Pvt, Ltd, which is based in Vashi. The firm’s account at a mercantile bank in Vashi was operated from Mange’s cellphone.
According to Mange’s complaint, on February 24, 2015, his phone suddenly stopped functioning. When he went to the showroom of the telecom company, he learnt that his SIM card was non-functional. When he got a duplicate SIM card issued, he received text messages stating that Rs 19.50 lakh had been withdrawn from the firm’s bank account in seven transactions. As Mange’s SIM was temporarily disabled, he did not receive One-Time Password requests to authorise the transactions.
After the police learnt that the money had been transferred to several different bank accounts in West Bengal, Uttar Pradesh and Rajasthan, they wrote to the banks and managed to freeze Rs 7.30 lakh. However, even as the police investigation progressed, the firm sought compensation from its telecom service provider, parent bank and the banks where its money was diverted to.
Both the telecom service provider and the mercantile bank accused the firm of being negligent with its private data by responding to a phishing email. The banks where the beneficiaries of the firm’s money held their accounts insisted they had followed all Know Your Customer norms and examined the personal documents of the account holders.
The firm contended that the fraud could have been avoided had the telecom service provider contacted Mange before blocking his SIM card and issuing a duplicate to the unidentified fraudsters. Srinivas also observed in his order that the onus of securing a customer’s data is on the telecom service provider.
“Since the transactions were done online using internet banking procedure, the relevance of SIM card is of high relevance as the 3rd level of security in any online transaction for its completion is a One-Time Password (OTP), which is received on the mobile number of the customer registered with the bank (sic,” states the order.
The order was passed ex-parte as the banks where the beneficiaries held accounts did not respond to summons for hearings. Srinivas ordered the telecom service provider to pay Rs 12.20 lakh and directed the beneficiary banks to refund the firm the rest of the amount. The respondents were given 15 days to comply with the order, failing which they would have to repay the firm with a 12 per cent monthly interest.
Cyber crime expert advocate Prashant Mali, who represented the firm, said that a permanent solution to the SIM swap fraud needs to be devised by telecom companies and that banks should refund customers immediately, instead of making them run around for several years to be compensated for online banking frauds.