Let's Build a Responsible Cyber Society




Innocent Bank Customer Suffers of ATM Card Cloning Fraud

An ATM fraud involving a customer of Bank of India has been reported from Bangalore which indicates the distinct possibility of an ATM Card cloning  syndicate being in operation in Bangalore. In this reported incident, Canara Bank ATM was involved. It appears that the banking Ombudsman has informed the customer orally that he has received a satisfactory explanation from the Bank and may be unable to resolve the dispute.

When the customer is still holding the Card and the ATM Bank is unable to produce evidence in the form of CCTV that the customer has not himself withdrawn the amount it is surprising how the Banking Ombudsman can come to the conclusion that RBI direction has not been violated by either Bank of India or Canara Bank. RBI needs to take a closer look at the incident and needs to come up with a proper explanation for the decision of the Banking Ombudsman.

In a similar incident in Gurugaon under a complaint no BO Complaint No. 201011014004856, where money had been drawn from a customer's account in Axis bank through ATMs in some foreign countries, the Ombudsman had ordered that payment had to be made by the Bank which held the customer's account. There are also other instances where Banking Ombudsman have held Banks liable in Phishing cases also and some of these cases are reported in the Compendium of cases reported by RBI and it is not clear why the Banking Ombudsman in Bangalore should take a divergent view. There is also a case of Bank of India in Bangalore itself in the past where the Ombudsman intervened and settled a claim of Rs 29000/- to a phishing victim. RBI needs to ensure  consistency in the decisions of their officers acting as Ombudsman.  

It must be observed that while the Complaint with the Banking Ombudsman is mainly decided on the basis of the failure of any of the Banks in following RBI guidelines, the customer has the option to approach the Adjudicator of Karnataka to hold the Banks involved in the case also liable under Section 85 of ITA 2008. If ITA 2008 is invoked in this case, both Bank of India and Canara Bank may be held liable along with the executives of the respective Banks.

We are forwarding a copy of this report to both the Banks and hopefully they would initiate some action at the earliest to redress the grievance of the customer.

It is suspected that some establishments such as malls have no security ethics while swiping  customer's cards for genuine purchases. It is learnt that some of the cashiers swipe the details of the card into a skimmer and sell the data to some card information seekers. When a complaint of this nature is reported to the Police, it is necessary for the Police to take up the investigation in all seriousness and ensure that bigger frauds are prevented. I suppose the Commissioner of Police in Bangalore takes notice of this case in which an FIR has already been filed with the Chandapur Police Station.

There is a possibility that Key Loggers could have been used at some ATM centers to capture card data and hence banks need to ensure that their security has not failed in this regard.

If this happens to be a "ATM Card cloning" incident, then this would only be a tip of an iceberg and several more such incidents reported or unreported would have occurred and the Police need to take action in this regard without further delay.

Further, according to the ITA 2008, the Adjudicator can take suo moto action and order an enquiry whenever a contravention of ITA 2008 is observed. In the instant case there is an unauthorized access to an electronic system leading to a wrongful loss to a citizen. This is sufficient for the Adjudicator to order a suomoto enquiry. If such an action is taken it would be the first time in the country that any Adjudicator would have taken such a Citizen Friendly decision.

Hope Karnataka Adjudicator would be taking cognizance of the crime and order that all commercial establishments that use card swiping machines confirm that they have undertaken "Reasonable Security Practices" as required under Section 43A of ITA 2008.

Naavi.org will bring this to the notice of the Adjudicator of Karnataka and the Police authorities in Bangalore and follow up on action taken in due course.

Report in Deccan Chronicle




2nd July 2011

 Comments are Welcome at naavi@vsnl.com