Banks are silent on Zero Liability on Frauds. What is RBI doing?

On July 6th 2017, RBI, after 10 months of thinking, released the official confirmation of the “Zero Liability Circular”.

Naavi.org had urged the banks to go for a “Competitive Compliance Drive” and initiate measures to implement the provisions of the circular.

While no Bank seems to have taken specific measures, such as a new Policy on how to handle liabilities when frauds are reported after the first 7 days, an interesting internal message in State Bank of India has been reported.

This is said to be a message sent as an internal circular to the staff of SBI, and at the end it includes a sentence saying that it can be shared with customers.

The message runs as follows:

SBI CARD FRAUD ALERT

For the information of all officers and staff

Due to a recent incidence of a fraudulent credit card/debit card transaction of Rs. 57000 in the account of an officer of one of the branches of our bank, it is our duty to inform all of you to disable international access/usage for your credit/debit card, as international transactions do not require an OTP and are vulnerable to huge frauds by culprits who are difficult to trace out.

MODUS OPERANDI

1. While our officer was busy with customers in peak time at his branch, he received multiple messages for multiple fraudulent transactions amounting to Rs. 57000/-.
2. Our officer thought that his 4 in 1 in hrms is being credited by the bank.
3. He realised the fraud only after business hours after checking his account.
4. By that time Rs. 57000 was stolen by the fraudster.
5. If he had realised within 3-4 hours of the fraudulent transaction, that amount could have been reversed by taking immediate steps. However, a complaint has been lodged with the concerned department.
6. Our officer felt that he had not received an OTP and so there was no possibility of a fraudulent debit, but for international transactions OTP is not required.
7. Just by knowing the card number and expiry date and CVV, a fraudster can do any no. of transactions.

In this connection, we advise all of you to kindly disable international access/usage for your credit/debit card by following these steps,

FOR DEBIT CARDS

1. We have to download SBI QUICK app from play store in which there is an option as ATM CUM DEBIT CARD.
2. In that we will find ATM CARD SWITCH ON/OFF option.
3. In that screen we have to enter last four digits of our ATM card No. and we have to select OFF for international usage. We can also select the OFF option for e-commerce transactions (FOR THOSE WHO DON'T DO ONLINE PURCHASES ON E-COMMERCE SITES).
4. Immediately we would receive a confirmation message for the same. However, in the same menu and in the same way, we can also activate whenever required.
We can also de-activate the international usage just by sending a message as SWOFF INTL XXXX (last four digits of card no.) to 9223966666 from registered mobile no.

FOR CREDIT CARDS

1. We need to log on to the WWW.SBICARD.COM site.
2. On the left side of the menu you will find REQUESTS; in that there is an option as ACTIVATE INTERNATIONAL USAGE.
3. After clicking on it we will find two options as activate & deactivate; there we have to select de-activate, then immediately a service request no. will be generated & you will see a message as
Congratulations! You have successfully de-activated international usage on your SBI card ending with XXXX.

Please share to all your customers and colleagues.
Customer education customer delight

It is ironic that SBI seems to have woken up because one of its Staff members has lost money. There are hundreds of customers who are also busy and become victims of such frauds.

Obviously, SBI would refund the money to its staff member without asking any question on how it happened and whether he had revealed his password to somebody else. I wish somebody would file an RTI application to find out how they resolved this case and why they do not adopt an automatic refund process for customers and prefer to drag customers to Court.

Anyway, this is a “Cognizable Offence” and the Police have the right to investigate since the information is now available. I wish the Mumbai Police would investigate how the fraud happened and record whether the Bank admits that customers can lose money even without giving out their passwords in phishing attacks. This is important since the same Bank will stand before a Court and swear that their security is perfect and there can be no unauthorized access except by the customer’s negligence. This myth will be shattered.

If the staff member is guilty of giving out the password, then it will prove that whatever education the Bank has been providing to its customers has not even reached its own staff.

Either way, SBI should now automatically own all such frauds as their inefficiency and provide immediate refunds, which is the essence of the Zero Liability circular anyway.

However, the facility to activate and deactivate international usage is something every Bank has to enable. The internal transactions are at least controlled by OTP.

But this is not sufficient and as in the case of debit cards, SBI should also provide for deactivation and anytime reactivation of even the local use.

We congratulate SBI for the measure since most of the time other Banks tend to follow SBI. These are measures suggested by the Damodaran Committee in 2011 which are coming to be implemented now. Better late than never!

Also, RBI should now audit the actions taken by Banks since July 6, 2017 to introduce the measures suggested by the said circular so that customers would feel safer.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.