By Priya Nair
On January 6, Mumbai resident Soumen Majumdar's credit card was used for transactions carried out in the US to the tune of Rs 1.17 lakh. A shocked Majumdar, who was very much in Mumbai, got nine text alerts about the transactions. He alerted his bank, which settled three transactions worth Rs 5,000 and asked him to pay the remaining Rs 1.12 lakh. However, after investigations proved that the cards were used fraudulently, the bank agreed to settle all transactions.
On the same day, another Mumbai resident, Pratap Gayen's credit card, too, was swiped in New York to the tune of $200 (about Rs 11,000). Gayen was luckier than Majumdar because he was able to block his card immediately, which prevented further misuse.
A third Mumbai resident, Ankur Korane, lost Rs 1 crore from his account with YES Bank in a span of 45 minutes, on January 31. The money was transferred to 12 different accounts across the country through RTGS (real time gross settlement - an electronic fund transfer system in which fund transfer takes place as soon as the order is placed).
True, internet banking and credit cards have made life easy for many of us. But as these incidents prove, there is still a chance of accounts being hacked and cards being misused.
Recently, the Reserve Bank of India (RBI) suggested banks disincentivise usage of cheques. RBI suggested measures such as setting limits, levying charges on issue of cheque books to account holders or levying charges on cheque usage, both by the issuer and beneficiary.
However, given that frauds still happen, is this shift feasible or even desirable? More importantly, what are the precautions that customers and banks should take to ensure security?
P D Singh, general manager (e-business), Bank of Baroda, says, "Given the convenience of electronic transactions, customers have to be prepared for a trade-off between security and convenience. But frauds happen even in case of cheque transactions As internet usage increases, protection also gets enhanced."
Lalit Sinha, general manager (alternate channels and new initiative department), Union Bank of India, agrees that it will be a challenge for banks to implement it. "This is the direction given by RBI and banks have to move towards it,'' he says.
It's a ploy to trick unsuspecting bank customers into revealing their bank details. In this, the customer receives offers that are too good to be true (such as huge discounts or rewards). To avail of the offer, the customer is asked to disclose details such as his account number, user id, password and so on. These may be in the form of emails that would appear to be from your bank or even from RBI.
Most of the time, it may be a mail asking you to click a link which will lead to a website, whose address may be similar to that of your bank's. Such websites will duplicate your personal details and use them to withdraw money from your bank account.
The thing to remember is that your own bank will never ask you for your password. So, be wary of any such mail. Also, you must never click on any outside link to reach your bank's website. Always type the site address in your browser window and check for the padlock symbol, which denotes the transaction is secure.
Banks today ask you to register your mobile number and answer a list of questions, whose answers are known only to you, before the transaction can be completed. Such additional security levels ensure even if your user id and password are compromised, the fraudsters would not be able to make any transaction on your account.
Banks also send a one time password (OTP) to the customer's mobile, which is valid for a very short time, maybe a few minutes. This will also ensure nobody but the account holder, whose mobile number is registered with the bank, is able to transact from the account. The SMS alert about the transaction being completed is also a safeguard for customers.
Some banks, like Union Bank of India, provide a software token for retail customers and a hardware token, for corporate customers. The hardware token like a thumb drive or a flash drive, can be used to generate the OTP and it always remains with the customer. The software token can be used to generate the OTP, essentially a random number generated every minute, and is in sync with the bank's server, says Sinha.
Duplicating SIM cards:
Fraudsters have started duplicating SIM cards as well. This is often done in connivance with employees of telecom companies. The fraudster makes a false identity proof, say a driver's licence, using details such as date of birth, mobile number and photograph which are often found on social networking sites these days. Using this fake identity proof, the fraudster approaches the telecom company and says that he has lost the SIM card and asks for a duplicate one.
While that is being issued, the original card stops working for a brief while. In this time, the fraudster, who has already obtained details such as the bank account number and user id, will also receive the OTP from the bank and transfer funds from the bank account.
The way out is not to reveal personal details on social networking websites, says Kartik Shahani, country manager, RSA Security, India and Saarc. Also, if you find that your phone is not working for some time, check with your operator if there is a problem with the network. If not, check if someone has requested for a duplicate SIM card. If you have two phones, it is better to register with the bank the SIM card that is not frequently used.
For corporate users:
In case of corporate accounts, often more than one person has access to the user id and password for making business-related payments. Make sure the access is limited and those who have access are trustworthy.
For some banks, the OTP and SMS alert is not mandatory for corporate customers. But it is advisable to register only one mobile number for receiving SMS alerts so that any fraudulent transactions will come to light.
Credit card cloning:
The most common frauds are when the card details are cloned (duplicated). It can happen at ATMs or POS (point of sale) machines when the customer swipes the card. The data is duplicated and the fraudster gets a new card made.
Another problem is when the credit card number and the three-digit CVV (card verification value) number, which is mandatory for any online transaction, is copied. This may happen when you give your card for swiping at a store.
One way to protect this is to go for chip-based cards, which are not easy to duplicate, instead of magnetic strip based cards. RBI has made it mandatory to issue chip-based EMV (Europay MasterCard, and Visa) cards from June 2013, says Singh. However, for these cards to work, ATMs will need chip readers. So to begin with, cards will be issued with both chip and magnetic strips and eventually, all cards will be chip-based.