Shekhar Shenoy realised much later that someone had been watching him while he was in Italy. In May this year, Shenoy, vice-president of a pharmaceutical company in Bangalore, went to Milan for a conference and extended it to a tourist visit to Rome, Pisa and Florence. There, in the course of admiring Michelangelo’s paintings and the marvel of the Colosseum, he did something mundane—withdrew money from the local ATMs (automated teller machines) on three occasions.
Cut to July in Bangalore. Between a Saturday and Monday, there were continuous withdrawals from Shenoy’s ICICI Bank Ltd account, which was a sweep in account, linked to a fixed deposit. Shenoy remained blissfully unaware about the frenetic activity happening in his account, because he was travelling that weekend and ignored the couple of SMSes from the bank.
On Tuesday afternoon, while tucking into bisibele bhat (a spicy rice dish) in the office canteen, Shenoy’s phone beeped continuously and many mobile banking messages poured in one after the other. (Later he would learn that there was a server problem that weekend, so messages had piled up.) Alerted by the fact that there were 16 withdrawals, he asked his wife at home if she had gone on a berserk shopping spree. She reported that she had not, checked net banking and was shocked to discover that the withdrawals totalled to Rs 1.67 lakh. Shenoy called the bank immediately and blocked his card. When he enquired if he would be able to get the money back, the call centre executive said that such cases happened occasionally and it was unlikely that the money would be returned, but he could write an email and check. Shenoy did that and promptly got a response that said that the bank was sorry about this but this was organised crime conducted by agencies beyond its control and hence it could not reimburse him. Shenoy did what any right thinking Indian would do under the circumstances—he used influence. He got in touch with a college friend in an influential position in the bank. Then things began moving. The bank advised him to file a police complaint and assigned a third party to investigate the case, as is the process in such cases. The third party took all the relevant documents, asked a zillion questions and left. A few weeks later, Shenoy received the entire sum back.
Also Read | Vandana Vasudevan’s earlier columns
All the transactions had happened in Russia. Shenoy was a victim of a Russian fraud ring which infects ATMs with malware—short for malicious software. Through this, the thieves get access to the magnetic strip of the card which they use to produce duplicate cards having the same code and then swipe away till the cows come home or the customer wakes up, whichever is earlier.
Such frauds are termed phishing, a variant of the regular fishing where a bait is thrown in the hope that while most will ignore it, some will bite. Phishing is the term used for fraudulently acquiring sensitive information like passwords and credit card details in an electronic transaction by masquerading as a legitimate entity.
I asked a banker friend who heads the cards division for a leading bank, if it is easy for customers who are victims of phishing to get their money back, considering Shenoy was initially refused. “The bank receives 15 to 20 such card cloning cases in a year, which is not much. There are phishing frauds where the customer has wilfully disclosed ATM personal identification number (PIN) to strangers or handed over their cards to someone, when he should not have. But in cases where it is really not the customer’s fault, the bank does compensate,” he told me. Having said that, there is another case where an executive travelled to the US for a training programme, used his credit card in a couple of ATMs. Soon, he found that his entire limit of Rs 2.5 lakh had been used up in a day! His card issuer, HDFC Bank Ltd, denied compensation until he went to an ombudsman and fought to get his money back.
In the US, there is a federal law called Electronic Fund Transfer Act (EFTA). Through this consumers are protected for misuse of ATM or debit cards such that if they are liable only for the unauthorised transactions that happen after 60 days of their statements being mailed to them. So if the bank mailed the statement on 1 April , and before 30 June if there is an unauthorised transaction, customers are not liable for it, giving them the benefit of doubt that there is no other way they could have known, except through the statement. In India, banks are trying to protect consumers against such frauds. Of late banks have started issuing chip cards to vulnerable customers—those who travel abroad frequently—because chip cards cannot be cloned as easily. But while Europe is a chip card market, the US is not, so these cards are recognised as regular cards there. Many banks also have a monitoring cell which calls up customers who have transacted in countries in south east Asia or eastern Europe or Africa, and advises them to reissue their cards, free of cost, to be on the safe side.
As for the other preventable ATM card frauds, all banks frequently warn customers to not reveal their PIN to strangers, watch out for suspicious characters in ATMs, never hand over the card even to someone who claims to be from the bank and report loss of card immediately. “You would be surprised how gullible customers can be, so we keep repeating these warnings,” says my banker friend.
Vandana Vasudevan is a graduate from the Indian Institute of Management, Ahmedabad, and writes on mass urban consumer issues. Your comments are welcome at email@example.com