Info unprotected,cash lost

The orders take note of banking practices abroad,particularly Section 909 of the Electronic Fund Transfer Act of the US,under which customers are insured against e-frauds beyond $50. “It is quite sad to see global banks operating in India proclaiming very loudly that they are following best practices,but not giving Indian customers the same level of protection that they offer abroad,” reads the order.

A few of the cases it deals with:

Language barrier

FROM THE ORDER: “I would request HDFC top management to sensitise its officials and staff that poor,lower middle-class,mother tongue-speaking customers should not be looked down upon.”

PRAVIN BHATKAR,who does not speak English,struggled to communicate with a bank representative who,the order notes,treated him with contempt.

Bhatkar had complained of misuse of Rs 1.94 lakh on his credit card. His account showed a debit towards the recharge of mobile accounts he didn’t hold. He got his credit card deactivated as the bank started to send him non-payment notices.

“I didn’t want a credit card but took it after the call centre kept pressing me. I used it only once,in Diwali,buying clothes for my family for Rs 5,000,which I cleared immediately,” says Bhatkar. “This new bill was a shock; I had never seen such money.”

The bank blocked his savings account,which had Rs 10,000,though it told the Pune police that banking and credit card are two different functions.

The adjudicating officer’s order states,“During the hearings,the bank representative was downright contemptuous of the complainant,saying that ‘people like him’ were often making false stories of getting victimised to avoid (paying) credit card fees… The victim is a poor,lower middle-class person,who does not speak English and only speaks Marathi. Such attitude on behalf of the banker raises questions whether we are living in a democratic socialist republic,or are still being ruled by English-speaking people.”

Self-made detective

“I must comment on the investigation (or the lack of it) by the police. While the complainant,who has no background in law or policing,has been able to gather so much evidence,the investigating officer has not taken any interest in the case.”

SANTOSH JALUKAR’s Bank of Baroda account was breached in April 2011,with Rs 1,07,600 transferred. This was after a fraudster,posing as a bank employee,had called Jalukar’s wife,sent her an SMS and asked her to forward it to another number,supposedly bank registration formalities. Jalukar went on to unearth 10 similar e-fraud victims by the same fraudster and provide CCTV images to the police. He first traced an account holder whose stolen ATM card was misused,then tracked down the mobile number and photo ID of the fraudster based on his purchases and withdrawals.

Bank of Baroda has been asked to pay Rs 1,20,000 to Jalukar as compensation for wilful negligence.

Commitment forgotten

“Complainant had authorised the bank to allow only tax-related transactions,but the bank ignored this instruction.”

RAM TECHNO PARK,a paper packaging unit in Pune,found its current account Rs 1,72,000 short in June 2012. The money had been transferred though the firm had given written instructions that their account was only to pay tax bills. State Bank of India admitted the money had been transferred to a fake account in Dimapur,and that it had received complaints from various customers of multiple fraudulent transactions to Dimapur between June 2012 and October 2012. The accounts had been opened on the basis of ID cards supposedly issued by the office of the additional deputy commissioner,Dimapur — which probed this and found all were fake documents. SBI has been found guilty of wilful negligence and asked to pay Rs 1,90,000.

Call to look within

“An insider having access to servers and doing criminal activity should have rung alarm bells in their IT security division and in higher management,but they have ignored this potential huge breach of security.”

BALBIR SINGH was visiting Mumbai in January 2012 when his phone,its number registered in his wife’s name,lost connectivity . He lost Rs 2,00,000 from his account the same day. Fraudsters had acquired a duplicate of the SIM card and used it to clean out his account. A probe checked the screen printout of the net banking transaction; the money went to the account of Paresh Mohanta in State Bank of India. The printout read,“PERSONAL-STAFF_SUPER”. It indicates an inside job,says the order. It has asked CERT-IN to probe the SBI servers potentially being accessed for criminal use by insiders.

Unmanned ATM

“Had a security guard and CCTVs been in place,it would have helped the investigating agency in apprehending the person who had done the transactions.”

ANJALI LODHA of Pune has a Bank of India savings account that was breached 49 times between August 2009 and September 2011,with Rs 3 lakh withdrawn. The adjudicating officer held Lodha equally liable as she had never kept a check on her account.

The fraudster had withdrawn from a Canara Bank ATM. The adjudicating officer has ordered Canara Bank to pay Rs 25,000 to Lodha for not conforming to a policy of hiring security guards or installing functioning CCTV cameras.

Telecom regulation

“…Do these big telecom companies need to be regulated for even the most basic and most logical issues? Is it asking too much to expect these companies to be self-regulated in certain areas like issuance of duplicate SIM cards?”

Dr D V GOKHALE,a scientist,was in Korea on October 31,2011,when his Tata Indicom mobile stopped working. A duplicate of the SIM had been issued,and his account was cleaned out by someone using a Varanasi’s account holder’s ATM number. The police are now looking for an auto driver-cum-recovery agent in Mumbai. In his order,the adjudicating officer notes that “he may have got inside details on many bank customers or SIM card details…” Tata Teleservices was pulled up for submitting that “DoT has not framed any rules… or guidelines in respect of issuance of duplicate SIM card.” It has been asked to pay Rs 2,00,000 as compensation.

Poor tracking

“The bank could not even trace the IP addresses from where the transactions took place. So much for the security of the information of customers of a bank of ICICI’s repute.”

SOURABH JAIN found that someone had used his internet banking ID and password 15 times to transfer money from his account to “unknown” ICICI Bank accounts. ICICI Bank cites a phishing mail,which Jain replied to,as the possible cause of the breach. The probe is yet to reach a conclusion as the bank could not trace the IP addresses from where the transactions took place.

“Fraudulent transactions in this case could not have been accomplished without the connivance or negligence of someone from ICICI Bank,” the order notes. “There is a clear link between the phishing mail and the fraudulent transfers and withdrawals.” It asks ICICI to compensate Jain with Rs 1,50,000. “It is clear that personal and sensitive information… was compromised by the ICICI Bank and it also facilitated he transfer of funds from the complainant’s accounts to multiple other ICICI Bank accounts,of which the bank has no genuine KYC documents.”