Let's Build a Responsible Cyber Society



Axis Bank Nightmare

Here is a narration of the harrowing experience of a customer of Axis Bank as reported to Naavi.org. The victim here has suffered a loss of Rs 11 lakhs due to the faulty E Banking security. Readers may come to their own conclusion on who should be held accountable for this fraud.

"On the 29th of March ( Thursday ), Shabbir receives a Phishing mail from Axis bank with an attachment which he downloads . The attachment was a pdf Doc which took him to a Fake axis bank website when he opened it , requesting him to update his account information , including address and passwords . Realising that the website was fake , he closed it instantly without entering any Details . ( Shabbir now suspects that the Attachment may have contained a Keylogger which May have sent his Axis Bank Password details to the hackers )

He also used his Axis Bank Internet account on the same day for a genuine purpose .Shabbir then realises that his Vodafone connection is not working on the 30th Evening . Unaware of fraud , he thinks that it may be a connectivity / Sim issue , and tries calling the Vodafone Customer care from his Wife's phone . But since his wife has a pre-paid connection , the customer care agent informs him that his is a post paid connection and has to contact the postpaid CS team for help .

Assuming it to be a trivial matter , he visits the Vodafone store on the 31st afternoon where he is informed that his Sim has been duplicated at Vodafone care office in AP . Shabbir blocks the duplicate sim and issues a triplicate sim card for himself .

On the same day he get a message on his phone that a sum of Rs 50,000 has been credited into his account . Its only now that he realises that somethings wrong , he tries to log in to his Axis bank account only to find out that that his passwords have been changed .

On contacting axis bank , they inform him of the bank transfer that have been done from his account . The 50,000 was credited back to his account as one of the beneficiary details was wrong .

A sum of 11.14 Lakhs had been transferred to 22 Separate accounts on the 30th evening and the 31st morning .

The very apparent shortcomings from

a. Vodafone's part

1. There was not verification done on the original number before duplicating the sim . The was no call or SMS notification sent to the original sim .
2. The Self attested Passport copy submitted as document evidence had a Different photo with Shabbir's name and address which was overlooked and a verification could have been done with his CAF documents in Vodafone's possession .
3. The self attested signature on the Passport copy was different from the one on the passport .

b. On Axis Bank's part

1. There was no Transaction Limit on his account
2. Axis bank claims that the Limit can be increased online and that was done in this case .
3. Axis bank claims that this is a pfishing attack and He has revealed his account information to the hackers and they cannot be held liable for this attack .
4. 22 Beneficiary accounts were added on the 30th night and the bank had no restrictions on the no of beneficiary's that can be added on a single day .
5. There was not red flag/ alert that was raised when these unexpected transactions took place .

The Police enquiry has reveled the following facts so far :

1. The Funds were transferred to 22 accounts from which they were withdrawn .
2. One of the beneficiary account details was wrong , which resulted in a sum of 50,000 being reversed .
3. 8 people have been arrested so far , of which 6 claim to have been working on a commission basis
4. The IMEI number of the phone on which the duplicate Sim was inserted was tracked to a Nigerian national who is in jail in Kolkata for a similar Banking fraud case . This person has been remanded to the kerala Police for questioning
5. One of the Account Holders is the Son of a trinamul congress politician who was arrested from his home in Kolkata by the kerala police .
6. Many of the bank accounts are fake with fake names and addresses
7. Some of the accounts are salary accounts of employees who have resigned but their bank accounts still active . The culprits have somehow got hold of the ATM cards of these accounts .
8. The Cyber crimes division has taken Shabbir's Laptop Hard disk to investigate on how his password may have gone out .
9. The Hackers used a Tata Photon data card , and the police could trace this to only a Gateway Server in kolkata so far .

The investigation is progressing well , but will take time to prove any concrete links with those arrested in this regard . Axis bank is not willing to take responsibility for this incident and Shabbir can only hope to recover his money if the police investigation is successful .

He has also filed a case against Axis Bank on the matter . "

I would like to add. Axis Bank and Vodafone are both jointly and severally liable for making good the amount lost along with adequate compensation.

RBI should take note that in all the 22 beneficairy accounts there is a failure of KYC and the Bank can be levied a fine of at least Rs 5 lakhs per failure.

Naavi has been suggesting that RBI should create a "Fraud Guarantee Fund" and use the KYC fine collected to repay the loss to the victim.


July 01, 2012

[Comments welcome]