Wednesday, May 5, 2010

You can lose money in phishing without any mistake on your part

Usually you lose money due to carelessness while doing transactions at ATM or online. But there is a case where an elderly gentleman found his money disappearing from his account without making any mistake or carelessness.

Dwarak Ethiraj is staying in Chennai and has an ICICI Bank account in Pune. Late February, this year he got a rude shock when he received an SMS from his mobile service operator, Reliance India Mobile stating that his “handset change request has been processed”. (Such request is placed with the service provider when a telecom customer loses his handset. In this the number remains the same and calls will be directed to the SIM on the new phone).

After this message, the SIM in Ethiraj's phone became invalid and he could make no more calls, except to the telecom company's customer care number. However his number remained valid but it was being used by whoever had committed this fraudulent change.

Then, on the next day he received a call from ICICI Bank on his landline number informing him that Rs 1.55 lakh had been taken out from his account and paid to four new beneficiaries across 10 transactions. The transactions were done around 11 p.m. the very day his mobile number was hijacked.

Ethiraj is confused. He says, “One, I don't know how a telecom service provider can authorise a handset change when the number is in my name, and I have not made such a request. Two, how did the perpetrator of the fraud get access to details on my ATM/Debit card and make those amount transfers?”

The victim’s puzzlement stems from this: in case you want to transfer amount from your ICICI account, you have to punch in a login and password before you access your account, also you are asked to input numbers that you find at the back of your card. This is done at random and hence it is difficult to predict what exactly the security system would ask you. For instance, it will ask you to enter the numbers placed under box A, I and N at the back of your ATM Card. In the next transaction, it might ask you for numbers in boxes C, F and G.

Then, there is another layer of security having confidential code which is sent to the mobile number registered with the bank, when you wish to add a beneficiary to whom payments could be made. In this case also, codes generated by the system at the bank will have reached the mobile number, but clearly, in the hands of the perpetrator of the fraud.

Ethiraj says he took up this matter with the Reliance Communication's call centre and then he visited the local outlet as well as to the nodal office of the telecom service provider. But nothing has been done. He is yet to hear from them. Ethiraj says that ICICI Bank is also yet to clarify as to how such confidential information, specific to his ATM card, had been compromised.

He told that in the Internet banking profile at the bank's Web site, his current e-mail ID has been replaced with a defunct ID used previously.

The victim's other question to the bank is this, “All the four beneficiaries are customers of ICICI Bank. It would be easy to locate those four with the help of Know Your Customer documentation that the bank would have.” He informed that till now bank has not shared such information with him.

On the other hand service provider’s say

Reliance Communications has not given any response to eWorld's e-mail queries. Ethiraj says, “When I make a handset change (or SIM change) request, I have to support it with documentation with regard to identity proof, address proof and the like. When I, myself, have not made such a request, how could someone else walk away with my number on another phone?”

A spokesperson for ICICI Bank replied to eWorld's e-mail saying, “... It is practically not possible to fraudulently withdraw money from (an) online account unless the personal details are compromised by customers inadvertently or otherwise. ICICI Bank sends a code (URN) by SMS on the customer's mobile phone every time a new payee has to be added. The customer needs to confirm the payee by entering this URN. In this case ICICI Bank sent the URN to the registered number of the customer as per the standard process.”

According to bank, “the mobile operator allegedly issued SIM to an imposter without duly verifying know-your-customer (KYC) documents. It is impossible for a bank to know that such a duplicate SIM has been issued by an operator because the registered mobile number in our record has not changed". Most of the banks claim that their employees can also not access the numbers given at the back of the ATM. When asked, ICICI bank repeated what it said above.

Then what has exactly happened with Ethiraj? Was Ethiraj a victim of a ‘phishing' attack? Ethiraj says he did get an e-mail, prior to his loss, which was obviously trying to ‘phish' for information. He said, “I certainly did not give out any confidential information.” He says, he had forwarded that message to ICICI Bank.

(Wikipedia describes ‘phishing' as a criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.)

However, in a case of cyber crime through phishing, the Adjudicating Officer in Tamil Nadu, the state's IT Secretary, PWC Davidar, last fortnight passed an order against the bank. In the case the defendant was ICICI Bank which has been ordered to pay nearly Rs 13 lakh against the original loss of Rs 6.5 lakh to a customer, including interest costs and other expenses.

Although, in that case, the customer had accidentally, given out his details during a ‘phishing' attack. The officer told that the list of instructions on phishing put by the banks on their website and sent to the customers, were of a “routine nature” and did not help a customer distinguish between an e-mail from the bank and an e-mail sent by somebody suspect.

He also said that the banks are taking shelter behind routine instructions on phishing and had avoided taking steps that would benefit the customer. Davidar, in his verdict, said that the bank's actions indicated it had “washed its hands off the customer,”

Ethiraj says that though bank is investigating to find out what had happened, “The bank should pay me back the money I have lost.” The present status of Ethiraj's case is that his complaint against the telecom and banking institutions is with the Cyber Crime Branch of the TN police in Chennai. The Branch has asked the two companies to provide the details.


Subhash said...

Very Dramatic, i am shocked to know the article in your blog.

Could we talk, i need to talk you.
Plz reply me on my e-mail id

Subhash said...

It is passed 2years of the incident with Mr. Ethiraj.

Have the case been solved or it is still under decision.

Mr alok Please contact me by mail

Subhash said...

contact me on

Subhash said...

contact me on