The credit card fraud reported in the media today, involving the use of 580 fake cards created by fraudsters and resulting in withdrawals of Rs 2.84 crores from Kotak Mahindra Bank, is a lesson to all those in judicial positions who have always been hard to convince that Banks can fail in their security procedures.
Fortunately, no customer is involved in this fraud. The fraudsters obtained the details of “yet to be used” credit card numbers assigned to Kotak Mahindra Bank by Master Card, created card accounts in fictitious names and encashed them through online portals.
It is surmised that a security breach at DZ Card India Ltd, Gurgaon could have resulted in the fraud. The possibility of insider involvement at DZ Card or Kotak Bank is not ruled out. But “negligence” and “failure of Information Security policy and procedures” are a certainty. A violation of RBI regulations on how information security is to be managed with an outsourced agent is also conceivable. Negligence by multiple agencies involved in the processing of the card printing and its encashment is not ruled out either.
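The mechanism described above (numbers allocated to the issuer but never issued to any customer being used for transactions) can be caught on the issuer's side from the card's issuance state alone. The following is an added example, not code from the original post or from any bank or vendor named in it; the PANs, the status vocabulary ("unissued"/"issued"/"active") and the sample authorisation stream are all constructed for illustration.

```python
from collections import Counter

# Constructed inventory of PANs allocated to a hypothetical issuer BIN 541200.
# The status vocabulary ("unissued"/"issued"/"active") is an assumption for illustration.
CARD_INVENTORY = {
    "5412000000000001": "active",    # issued and activated by a customer
    "5412000000000002": "issued",    # personalised and mailed, not yet activated
    "5412000000000003": "unissued",  # number allocated, never personalised or issued
    "5412000000000004": "unissued",
    "5412000000000005": "unissued",
}

def classify_auth(pan, inventory=CARD_INVENTORY):
    """Decide one authorisation request from the card's issuance state alone.

    Returns (decision, reason). A PAN that was never issued cannot carry a
    legitimate transaction, so it is declined whatever the CVV or expiry says.
    """
    status = inventory.get(pan)
    if status is None:
        return "decline", "pan_not_in_inventory"
    if status == "unissued":
        return "decline", "pan_never_issued"
    if status == "issued":
        return "decline", "card_not_activated"
    return "approve", "ok"

def detect_range_compromise(auths, inventory=CARD_INVENTORY, threshold=2):
    """Flag a burst of distinct never-issued PANs being attempted.

    A single hit may be a mistyped number; several distinct ones in one batch
    indicate the allocated-but-unused range has leaked upstream (for example at
    a personalisation vendor), which is an issuer-side failure, not a customer's.
    Returns (alert, sorted offending PANs, counts per decision reason).
    """
    reasons = Counter()
    unissued = set()
    for pan in auths:
        _decision, reason = classify_auth(pan, inventory)
        reasons[reason] += 1
        if reason == "pan_never_issued":
            unissued.add(pan)
    return len(unissued) >= threshold, sorted(unissued), reasons

# Constructed sample: two genuine customer transactions mixed with attempts on
# three allocated-but-unissued numbers from the same range.
SAMPLE_AUTHS = ["5412000000000001", "5412000000000003", "5412000000000004",
                "5412000000000001", "5412000000000005"]

if __name__ == "__main__":
    alert, pans, reasons = detect_range_compromise(SAMPLE_AUTHS)
    print("alert:", alert, "unissued PANs used:", pans, dict(reasons))
```

In a real issuer the inventory lookup would be the card management system's record of each PAN's lifecycle state, and the burst detector would run over a time window rather than a fixed batch.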
While the Police can follow the available leads and try to resolve the case, I would like to make this a case to be quoted in all Bank fraud litigation hearings where the Banks make the statement:
“We have international level of information security and no breach can happen at our end. If there has been a fraud, the negligence must be at the customer’s end and hence the loss should be borne by him and him alone.”
I have heard this argument from all the banks against whom I have either directly or indirectly followed complaints, some with the Banking Ombudsmen, some with Adjudicators and also with Judges of various courts.
Even in this case, if there is any query, the Bank as well as the card printing agent will claim that they are “PCI-DSS compliant” or “ISO 27001 compliant” and file a one-page document signed by one of the Big4 audit firms or some other firm stating that they satisfactorily underwent an audit as of a particular date.
Ask them “Are you ITA 2008 compliant?” and they will perhaps say “What do you mean by it?”
These companies think that technical best-practice compliance is better than legal compliance. All of them will learn the hard way that when the bell rings, it is legal compliance that can save them from liabilities, not technical best-practice compliance.
The judicial authority, who may not know the difference between ISO 9001 and ISO 27001 or what PCI-DSS means, is likely to be impressed by the weight of the audit firm’s reputation and to ignore any plea by the poor customer that he has no idea how his Credit Card or Debit Card appeared in some ATM or Merchant Establishment’s claim, or how his identity could have been stolen.
I therefore invite the attention of all such judicial authorities and urge them to accept that frauds such as Phishing, Credit/Debit/ATM Card frauds, Mobile Banking frauds or Mobile Wallet frauds can occur without any knowledge of the customers.
The subject case proves that such frauds can occur even when cards are not issued at all to any customer. If so, it can also happen on a clone of a card issued to a customer.
If this truth is understood by these judicial persons, I would be happy that this fraud had a beneficial impact on society.
At the same time, I consider Kotak Mahindra Bank one of the better Banks in the pack in terms of Information Security, and I hope they covered themselves with appropriate Cyber Insurance to recover this loss.