Mumbai: Indian credit-card holders are increasingly becoming the target of online fraud with thieves using the cards frequently on online sites abroad, raising questions about how secure bank data is and why they seem reluctant to crack down on the leaking of customer information even when alerted to such crimes as soon as they happen.
Not only that, the redressal appears to be a convoluted process.
Unlike in some countries, there is no immediate reversal of the charges. And when the money is restored, customers must sometimes bear a part of the sum, thereby ending up paying for the crimes of which they were the victims. That’s besides the inconvenience of having the cards replaced, a process that can take days.
Holders of cards, issued mostly by private and foreign banks in India, come to know they have become the latest victim of such fraud when they get text messages alerting them to transactions in their name in some distant country in currencies including pounds, euros, dollars, roubles and kronor.
ICICI Bank Ltd, the country’s largest private sector lender, seemed to be the worst affected.
The complaints, posted on the government’s customer grievances site Grahak Seva, have been rising steadily since November last year.
In August and September, the websites of Amazon.com Inc. and Apple Inc. were hacked and more than one million card details sold off to others who sought them with the intent to commit fraud.
Users register credit cards on the sites for a smooth online purchase process. In some cases, such registration isn’t optional.
But, as the complainants point out, many of them haven’t ever used the cards for international purchases; so the leaks have come from elsewhere, with the holders putting the onus on the banks’ own security apparatus.
No bank has been spared. Victims in the last few months include holders of cards issued by Standard Chartered, Citibank, HDFC Bank and ICICI Bank, apart from others such as SBI Card. The latter is a joint venture between the country’s largest lender, State Bank of India, and GE Capital.
As for ICICI Bank, fraudsters seem to have a particular fondness for cards starting with the digits 4477.
“ICICI Bank has already examined these transactions,” the bank said in an email. “They are not just specific to ICICI Bank and have taken place on sites which do not have 3D Secure authentication protocol. The bank confirms that all e-commerce transactions on sites located within India are protected by 3D Secure authentication protocol which has been mandated by RBI.” 3D Secure is an additional authentication process that’s required for online transactions in India.
Many of the purchases have been made at a Swedish merchant that goes by the name of Comviq Vesta since mid-January. An HDFC Bank spokesperson said it’s looking into the matter and offered no further comment.
SBI Card was the only issuer to answer queries in detail, confirming that it has received complaints against fraudulent transactions.
“So far we have received a few complaints from our card holders for fraudulent transactions with the Swedish merchant Comviq Vesta,” SBI Card said in an email.
As the merchant is based overseas, the additional authentication is not required, SBI Card said. That makes fraud easier. In the US and elsewhere, transactions don’t require this.
“As a process, we have a financial recourse to the merchant/acquirer through a charge back process,” SBI Card said. “This will ensure that the card holders are not held liable to pay for the disputed transactions. In the interim, till the card holders’ disputes are settled in their favour and we receive the money on the disputed transactions from the respective merchant/acquirer, we can extend a temporary credit to the card holder,” said SBI Card.
SBI Card added: “We have also blocked this merchant (Comviq Vesta) so that no more card holders are
inconvenienced with such instances.”
The company denied its servers have been compromised. As part of its investigation, SBI Card has informed Visa as well as MasterCard about such disputes so that the card issuers can investigate the matter.
Comviq is a Swedish mobile telecom provider and is owned by Tele2, a European telecom services provider. It is not clear if Comviq Vesta is part of Comviq. An email sent to Comviq was not replied to. The same merchant received payments in fraudulent transactions using HDFC Bank cards in November and Citibank in December.
In December, a website, www.Rzd.Ru, originating from Russia, began cropping up in complaints. The victims were holders of credit cards issued by ICICI Bank and Citibank, with as much as Rs.50,000 being siphoned off from each customer.
Citibank customers were among those that fell prey to a UK-based merchant called Entropay. To be sure, cards have also been used fraudulently at such reputed merchants as Best Buy in the US.
In most cases, the money is relatively small, unlike high-value global hacking frauds.
According to Sanjay Sharma, MD and CEO of IDBI Intech, a banking platform provider, bank servers may not have been hacked but individual cards may have been compromised by vendors and passed on to international hackers.
“In East Asian countries, this practice is prevalent. If you visit these countries and swipe your card, all the information is registered and can be passed on to sites that don’t require second-factor authentication,” he said.
The reason why the transactions are of relatively small value could be because higher sums sometimes trigger a phone call from the bank to authenticate the transaction, said Sharma.