Mumbai: At 3:50 am on a quiet Kolkata morning, 35-year-old numerologist Vivek Baid woke up to a string of notifications that would upend his day. One message became two, then three. By 4 am, he had received eight transaction alerts for his forex card. All eight, he said, were successful.
“My money was being deducted in front of my eyes,” Baid said.
The deductions, he said, totalled around ₹1,45,000. The amounts were debited in United Arab Emirates Dirham, the currency loaded on his Yes Bank-BookMyForex multi-currency prepaid forex card, but the transactions reflected in Brazilian real. He has since filed a complaint with the cybercrime authorities.
The card was launched in August 2019 as a co-branded multi-currency prepaid forex card by BookMyForex, in partnership with Yes Bank, on the Visa network. Yes Bank’s website adds that the card has been developed in collaboration with M2P, a fintech company based in Chennai.
It was marketed as a seamless solution for international travellers, allowing them to load multiple foreign currencies onto a single card. Baid is among a group of customers who found their forex cards used at grocery stores and other locations in Brazil, and received little help when they tried to reach BookMyForex customer service or Yes Bank.
In the early hours of that morning, Baid said convenience turned into confusion. He immediately tried reaching out to BookMyForex, the online forex marketplace owned by MakeMyTrip. He found that customer care was unavailable until 9:30 am. “If they are operating in the finance sector, and there could be any fraud, there is no one to connect or call.”
He managed to block his card, but others, he claimed, were not as fortunate.
Reaching the bank proved equally frustrating. Without a direct customer ID linked to Yes Bank, Baid said he struggled to reach the relevant department. “They said it’s not our department. There is a forex department which opens at 9.30 am,” he said, adding that calls to numbers listed for the prepaid card did not go through for hours.
BookMyForex denies breach
Across online forums, some users reported only declined transaction messages, while others alleged actual fund losses in US dollars and AED (United Arab Emirates Dirham). While BookMyForex said customer money was safe, people Mint spoke to said otherwise.
In a later statement, BookMyForex said it is coordinating closely with Yes Bank to provide necessary customer support and ensure customer protection.
Yet, no one has been able to pinpoint the source of these alleged breaches. Emails sent to spokespeople of Visa and M2P remained unanswered.
Yes Bank on Wednesday said its Multi-Currency Prepaid Forex Cards, issued in partnership with BookMyForex, witnessed an unusual spike in transaction declines flagged by its fraud monitoring system. The bank clarified that the unauthorised transaction attempts were limited to specific Bank Identification Numbers (BINs). BINs are used to identify the bank that issued the card and secure transactions.
“These fraudulent transactions were carried out on 15 merchants that are based out of Latin American country, in the early hours on 24 February 2026, between 3:30 AM and 8:30 AM (IST). The specific country does not mandate two-factor authentication for e-commerce transactions,” the bank statement read.
As a precautionary step, the bank said it has restricted e-commerce transactions originating from the identified country.
“The internal investigation by the private sector bank has revealed that during the incident period transactions approximately equivalent of $0.28 million have been approved on behalf of 5,000 customers.”
“Due to the bank’s monitoring and control mechanisms, 688 unauthorised transaction attempts were declined, which led to the safeguarding of approximately equivalent to $0.1 million.”
The bank added that it is working with the card network to initiate chargebacks to ensure that impacted customers do not suffer any financial loss.
“Yes Bank remains committed to the highest standards of data security and customer protection. The bank continues to closely monitor the situation and is working with all relevant stakeholders to ensure customer interests are safeguarded,” it said.
BookMyForex has denied any breach. “There has been no data breach involving BookMyForex systems or customer data. Yes Bank observed unusual volumes of false transaction attempts on Yes Bank—BookMyForex Multi-Currency Prepaid Forex Cards, which resulted in a high number of declined transactions,” the company’s spokesperson told Mint.
The company said that when analyzed, these transactions were found to originate from a specific country, and Yes Bank has blocked transactions from this country, which was identified as the source of all these attempts. As a precaution, cards involved in these attempted transactions were also proactively blocked, the official statement said.
Baid’s experience was mirrored by Himanshu Raj. The 39-year-old said he woke up on Tuesday morning to a barrage of messages saying that transactions on his BookMyForex card were being declined, while others were being approved. All of these said that the card was used in Brazil, even as the physical card lay with Raj. In three transactions, the Gurugram-based PR consultant lost $370 or over ₹33,000 from his forex card.
According to screenshots shared by Raj, these transactions were based in Brazil.
“I spoke to the police in the cybercrime department. They asked for transaction IDs, but those were not available on the app,” said Raj.
He, too, said his attempts to reach BookMyForex and Yes Bank were futile.
- Multiple users of the BookMyForex-Yes Bank card reported unauthorized transactions, with many transactions going through without OTP authentication.
- As people rushed to find out what happened, customer service fell short, unavailable and unable to provide answers.
- While BookMyForex says there was no data breach and customer funds are safe, several people took to social media to talk about their plight.
- Legal experts said that the customer should have zero liability in fraudulent transactions.
- Cybersecurity watchers believe that the ability to identify a malicious transaction should be built into systems that handle public money.
Customer care playing truant
Meanwhile, the spokesperson for BookMyForex maintained that customer balances remain fully secure. “We are arranging complimentary replacement cards to ensure uninterrupted access to their forex balances,” the spokesperson said.
Other customers shared the frustration of not being able to reach anyone at BookMyForex to resolve the issue.
Moninder Pal Singh, a 65-year-old retired businessman from Gurugram, said that after receiving emails stating that money had been debited, he tried to reach out to BookMyForex.
“There is no separate number available for existing customers. Those on the website are for sales, and nobody even picked up my calls,” said Singh. “Then, I went on to their online chatbot, which did not respond for four hours, all while the app was down and the transactions were not reflecting there either.”
Singh told Mint that his entire forex card balance was wiped out, and he lost $600 or over ₹54,000.
Even as the transactions have seemingly stopped, customers want to know when they will be refunded.
Full refund?
Legal experts said that in cases of unauthorized transactions where the customer has not contributed to the fraud through negligence, the liability primarily rests with the issuing bank.
“According to the Reserve Bank of India’s (RBI) ‘Zero Liability’ guidelines, a customer has no liability if the fraud occurs due to a ‘contributory fraud, negligence, or deficiency’ on the part of the bank or a third-party breach elsewhere in the ecosystem,” said Prerna Robin, principal associate, B Shanker Advocates LLP.
Robin said that, since these transactions reportedly bypassed one-time password (OTP) protocols and occurred in foreign jurisdictions like Brazil without user intervention, they suggest a potential compromise of the card security system or the fintech-bank interface.
While the customer is entitled to a full refund if reported within three working days of receiving the alert, the onus is on the cardholder to formally dispute the transactions and file a police complaint or a report with the National Cyber Crime Portal.
"Given that these were international transactions without OTPs, the bank is generally obligated to resolve the dispute and restore the funds after conducting a forensic audit of the breach,” said Robin.
Cybersecurity experts said that theoretically it is not difficult to locate the source of a breach.
“In practice, the number of digital transactions taking place in India is very high, and everything depends on the systems and processes in place, the technologies and infrastructure used, and the skill set of the operations and technical teams running the show,” said Manu Zacharia, a cyber security professional.
Zacharia said that the system should have the capability to detect anything malicious, suspicious, or unauthorized. “If you are unable to identify a malicious transaction, then you are not fit to run this business.”