"On the
29th of March ( Thursday ), Shabbir receives a Phishing
mail from Axis bank with an attachment which he
downloads . The attachment was a pdf Doc which took him
to a Fake axis bank website when he opened it ,
requesting him to update his account information ,
including address and passwords . Realising that the
website was fake , he closed it instantly without
entering any Details . ( Shabbir now suspects that the
Attachment may have contained a Keylogger which May have
sent his Axis Bank Password details to the hackers )
He also used his Axis Bank Internet account on the same
day for a genuine purpose .Shabbir then realises that
his Vodafone connection is not working on the 30th
Evening . Unaware of fraud , he thinks that it may be a
connectivity / Sim issue , and tries calling the
Vodafone Customer care from his Wife's phone . But since
his wife has a pre-paid connection , the customer care
agent informs him that his is a post paid connection and
has to contact the postpaid CS team for help .
Assuming it to be a trivial matter , he visits the
Vodafone store on the 31st afternoon where he is
informed that his Sim has been duplicated at Vodafone
care office in AP . Shabbir blocks the duplicate sim and
issues a triplicate sim card for himself .
On the same day he get a message on his phone that a sum
of Rs 50,000 has been credited into his account . Its
only now that he realises that somethings wrong , he
tries to log in to his Axis bank account only to find
out that that his passwords have been changed .
On contacting axis bank , they inform him of the bank
transfer that have been done from his account . The
50,000 was credited back to his account as one of the
beneficiary details was wrong .
A sum of 11.14 Lakhs had been transferred to 22 Separate
accounts on the 30th evening and the 31st morning .
The very apparent shortcomings from
a. Vodafone's part
1. There was not verification done on the
original number before duplicating the sim . The
was no call or SMS notification sent to the
original sim .
2. The Self attested Passport copy submitted as
document evidence had a Different photo with
Shabbir's name and address which was overlooked
and a verification could have been done with his
CAF documents in Vodafone's possession .
3. The self attested signature on the Passport
copy was different from the one on the passport
.
b. On Axis Bank's part
1. There was no Transaction Limit on his account
2. Axis bank claims that the Limit can be
increased online and that was done in this case
.
3. Axis bank claims that this is a pfishing
attack and He has revealed his account
information to the hackers and they cannot be
held liable for this attack .
4. 22 Beneficiary accounts were added on the
30th night and the bank had no restrictions on
the no of beneficiary's that can be added on a
single day .
5. There was not red flag/ alert that was raised
when these unexpected transactions took place .
The
Police enquiry has reveled the following facts so
far :
1. The Funds were transferred to 22 accounts from
which they were withdrawn .
2. One of the beneficiary account details was wrong
, which resulted in a sum of 50,000 being reversed .
3. 8 people have been arrested so far , of which 6
claim to have been working on a commission basis
4. The IMEI number of the phone on which the
duplicate Sim was inserted was tracked to a Nigerian
national who is in jail in Kolkata for a similar
Banking fraud case . This person has been remanded
to the kerala Police for questioning
5. One of the Account Holders is the Son of a
trinamul congress politician who was arrested from
his home in Kolkata by the kerala police .
6. Many of the bank accounts are fake with fake
names and addresses
7. Some of the accounts are salary accounts of
employees who have resigned but their bank accounts
still active . The culprits have somehow got hold of
the ATM cards of these accounts .
8. The Cyber crimes division has taken Shabbir's
Laptop Hard disk to investigate on how his password
may have gone out .
9. The Hackers used a Tata Photon data card , and
the police could trace this to only a Gateway Server
in kolkata so far .
The investigation is progressing well , but will
take time to prove any concrete links with those
arrested in this regard . Axis bank is not willing
to take responsibility for this incident and Shabbir
can only hope to recover his money if the police
investigation is successful .
He has also filed a case against Axis Bank on the
matter . "
I would like
to add. Axis Bank and Vodafone are both jointly and
severally liable for making good the amount lost along with
adequate compensation.
RBI should
take note that in all the 22 beneficairy accounts there is a
failure of KYC and the Bank can be levied a fine of at least
Rs 5 lakhs per failure.
Naavi has been
suggesting that RBI should create a "Fraud Guarantee Fund"
and use the KYC fine collected to repay the loss to the
victim.