It was 9:50 pm on Tuesday night when Bengaluru resident Anima Nair, preparing for a quiet sleep at her home, received a strange email alert - Rs 7800-odd had been paid online using her IndusInd Visa debit card, which she confirmed was still with her.
Rattled, she immediately dialled the IndusInd Bank Call Centre to alert them about the transaction, block her card and to find out how money was being withdrawn from her account without an OTP being generated. As she was put on hold by a call centre executive trying to find the answer, she got an alert of another transaction - again Rs 7800-odd. Deciding enough was enough, Anima cancelled her card.
Even blocking a card takes so much time, she recounted, criticising the lack of a "direct emergency number - a 911 assistance - to block cards".
The next morning, Anima, a software engineer and writer who co-runs a vocational centre for children with autism, went to her bank (IndusInd Bank). There she found that officials were reluctant to "promise me a refund or (to take) any useful action that would remotely benefit me". All they promised was that they would "initiate an investigation", suggesting she file an FIR and bring a copy of it to the branch. Such being the callousness on display, she ended up walking out in a huff after threatening to cancel both her and her husband's accounts.
Fortunately for her, as she was walking out of IndusInd Bank, Anima was greeted with some good news - the amount debited from her account had been credited back. This was thanks to her getting in touch earlier with the online site where her debit card was used for payment by a fraudster.
The shopping site, located in Europe, treated her complaint with the seriousness her bank did not. They ended up questioning the buyer who had tried to pass himself off as Anima and used her card number and account to make the payments.
The site went beyond refunding the money. They shared with Anima the disturbing fact that possibly a Darshan Patel from Gandhinagar (from shipping address details) was the culprit who had used the fake debit card and presented a fake Aadhaar card too in her name (as additional proof). Patel did not just have her address, he had gotten hold of her phone number also.
The case is now being investigated by Bengaluru Police's cyber wing, but Anima says the lesson she took away is "to not trust banks that lure you in with promise of great service and superb security only to let you down when you need help the most".
She also warns people against using debit cards online as "there is no guarantee for the security of either the transaction or the money".
"I only used my debit card on Amazon, where I order books, and Bookmyshow, where the card gave me offers on tickets. The rest of my transactions - 90% - were using my credit card. And yet I ended up having to deal with online id theft," Anima said.
Anima had stored her IndusInd Bank debit card details on Amazon because she made frequent purchases there. She now suspects that the information may have been leaked from there or from Bookmyshow.
But there is an even more worrying possibility. On foreign websites using foreign gateways, there is no two-step authentication system for payments.
Here, research published towards the end of 2017 highlighted how hackers using the 'Distributed Guessing Attack' could void all security features employed to secure online payments.
The research by a team from Newcastle University, UK, exposed flaws in the VISA payment system, in particular, and discovered that neither the network nor the banks were able to detect attackers making multiple, invalid attempts to get payment card data.
"This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system," explained Mohammed Ali, a PhD student in Newcastle University's School of Computing Science and lead author on the paper, in a press release on his university website.
"Firstly, the current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts - typically 10 or 20 guesses - on each website.
"Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.
"So even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information (Card Number + Expiry date + CVV) to make an online purchase within as little as six seconds."
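The first weakness described in the quote is that nobody counts failed attempts across websites. As an added illustration (not code from the Newcastle researchers or from any payment network), the Python example below counts declined authorisations per card token across all merchants in a sliding window and compares that with the per-website view; the thresholds, the event layout and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 10    # per-website cap, the lower figure quoted in the article
NETWORK_LIMIT = 15     # assumed: declines tolerated per card across ALL websites
WINDOW_SECONDS = 600   # assumed: sliding window for the network-wide count

def per_site_max(events):
    """Highest decline count any single (card, merchant) pair has seen."""
    counts = defaultdict(int)
    for _ts, card, merchant, approved in events:
        if not approved:
            counts[(card, merchant)] += 1
    return max(counts.values(), default=0)

def network_alerts(events, limit=NETWORK_LIMIT, window=WINDOW_SECONDS):
    """Flag cards whose declines, summed over every merchant, exceed `limit`
    within `window` seconds. Events are (ts, card_token, merchant, approved)
    tuples sorted by time. Returns {card_token: (alert_ts, merchants_seen)}."""
    recent = defaultdict(deque)   # card_token -> deque of (ts, merchant)
    alerts = {}
    for ts, card, merchant, approved in events:
        if approved:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:   # drop declines outside the window
            q.popleft()
        if len(q) > limit and card not in alerts:
            alerts[card] = (ts, len({m for _, m in q}))
    return alerts

def sample_events():
    """Constructed data: tok_A is declined 8 times at each of 5 merchants,
    one attempt per second; tok_B mistypes twice and then pays."""
    events, t = [], 0
    for m in range(5):
        for _ in range(8):
            events.append((t, "tok_A", f"shop{m}", False))
            t += 1
    events += [(5, "tok_B", "shop0", False), (50, "tok_B", "shop0", False),
               (60, "tok_B", "shop0", True)]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    ev = sample_events()
    print("worst per-site count:", per_site_max(ev), "limit:", PER_SITE_LIMIT)
    print("network-wide alerts:", network_alerts(ev))
```

No single website in the sample ever reaches its own limit, yet the combined count flags the card once the declines spread to a second merchant.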
Here's a video where the CVV is generated as explained above in a matter of a few seconds:
So, how can you keep your money safe?
"Sadly there's no magic bullet," as Newcastle University's Dr Martin Emms observed.
But these tips might help:
* Switch to a credit card from a debit card for online purchases. At least, your own cash is not at risk.
* If you are using a debit card, use one card for online payments.
* Keep the spending limit on that account as low as possible. If it's a bank card, then keep ready funds to a minimum by transferring money to the account only when needed.
* There is a high probability that your bank has enabled international transactions on your card. Tell your bank to revoke this option, if you are planning to use it only in India.
* Try to avoid using your CVV for online transactions. You could instead load a mobile wallet such as Paytm or Oxygen for online transactions, or even use virtual bank wallets.
* Avoid saving card details on digital notepads or in digital files.
* Get a fresh card every year or once in 15 months. You may not know which ATM machine or POS machine has been compromised. Worse, it is also difficult to trust e-commerce sites. So, replace your card every 12-15 months. Banks do charge for replacing cards, but then this is far cheaper than losing your hard-earned money to fraudsters.
* Stay vigilant and check your statements. Register for SMS alerts. Always watch out for odd payments.
* Keep card blocking numbers handy. Card blocking numbers begin with 1800. Also have your account and card details handy. At the moment, sadly, only a handful of banks offer card delisting services on a dedicated toll-free number. Check if your bank is one of these.
* If you are hit with a fraudulent transaction, retain all the transaction details, SMSes, email addresses and receipts and head to the Cyber Crime Cell of your locality. Individual police stations may not be equipped to help you out.
* Your last port of call is the specific city's banking ombudsman. Besides meeting them in person and calling by phone, you can also file an online complaint. The complete list of the banking ombudsmen across major cities can be found here.
Remember, while getting your money back can prove tedious, it helps to have as many details of your transaction as possible. The ombudsman favours the customer when it is proven that the bank or the payment processor is at fault.