How some Axis Bank credit cards became fraud targets

Banks should reveal the modus operandi of such attacks so that other institutions and customers can be prepared, say security experts.

  • Lender says dubious online international transactions were random attacks on certain cards.

It was at around 9 pm on Tuesday, 26 March, that Ajay Vasani’s phone buzzed a couple of times. He had just received two messages from the bank and froze when he saw the contents. These were two alerts for transactions of 150 New Zealand Dollars (NZD) for ‘Google services’ made using his Axis credit card. But, Vasani, a resident of Ahmedabad, had not subscribed to any such services, in New Zealand or elsewhere. He was quick to figure out that these were fraudulent transactions and immediately called the bank’s customer care helpline to get his credit card blocked.

A few minutes later, the Ahmedabad-based resident got eight more alerts of failed transactions worth NZD 800 (about ₹40,000 after forex conversion).

Vasani was not the only Axis Bank credit card holder targeted that day. There were many others, all Axis Bank customers, who were victimized by a series of international fraudulent transactions. The lender, in an official statement, claimed that it was a malicious attempt from certain foreign merchants and averred that there was no breach of its systems. “There has been no data leak. Some of these transactions are in the nature of random attacks on certain credit cards,” the bank said.

To be sure, the malicious attempt by foreign merchants implies that hackers had misused the card details to carry out payments on foreign merchant sites and that the merchants themselves did not attempt the fraudulent transactions.

In interactions with Mint, some cardholders reported that they had received several one-time-passwords (OTPs) for transactions that were not initiated by them, while others said transactions on their cards were unauthorized and went through without their receiving an OTP, a numerical code sent by text messages for cardholders to authorise a transaction.

Kashif Ansari, assistant professor at Jindal School of Banking and Finance, O P Jindal Global University, said customers do not usually get any OTPs for online international transactions, so these are more susceptible to fraud. A six-digit OTP, generated randomly by banking systems, acts as a layer of security: it is sent to the cardholder’s phone number or email ID, and the transaction can’t proceed without the customer authorizing it by keying in these digits.

Further, in India, after regulations on tokenization were introduced by the Reserve Bank of India (RBI), domestic merchants cannot save or access card details of customers as the details are saved as encrypted tokens. However, this does not apply to international merchants, so customer data is saved with them and is thus more susceptible to fraud.

While fraudulent transactions on cards, both debit and credit, are not uncommon, a structured attack on a certain bank or card issuer’s users in a single day, as was the case with Axis, is rare. However, Sanjeev Moghe, head of cards and payments, Axis Bank, told Mint that the scale of the attack was small compared to the bank’s total number of credit card users, reiterating that the customer data from the bank’s end was not compromised.

What went wrong

Most cardholders said Axis Bank was quick to reverse the payments within 3-4 days. However, the bank did not send an official communication to the affected customers explaining the reasons for the fraudulent payments.

Some users, who had blocked the card and asked the bank to issue a new one, reported that fraudsters had attempted transactions on the new cards as well, even though the customers themselves were yet to receive the full details of the new card. A cyber security expert, who did not wish to be named, said this can happen if the fraudsters get access to the server that hosts details of the new card. “The details of the new cards are first pushed virtually into a server and then these are sent for printing the physical cards. Fraudsters would have got access to these servers and used the card details to activate them and attempt fraudulent transactions,” he said.

Banks should reveal the modus operandi of such attacks so that other institutions and customers can be prepared, say other security experts. “Instead of hiding the details, banks need to do a better job of communicating these to customers to increase awareness,” said Ritesh Bhatia, a cybersecurity consultant and cybercrime investigator.

The expert quoted in the first instance said banks often remain tight-lipped on the scale of such attacks to avoid investigation from the RBI or the Computer Emergency Response Team (CERT), a nodal agency that deals with cybersecurity incidents.

What users can do

In case of unauthorized card transactions, the first step that a cardholder should take is to get the card blocked by calling the lender’s helpline number. As a second step, they should report the fraud to the bank within three days of such an incident, as that ensures zero liability on the card user, as per RBI guidelines.

However, if the user reports the fraud between four and seven days, they are entitled to a compensation of only up to ₹25,000, irrespective of a higher amount lost to such fraud, and when reported after seven days, it’s up to the bank to decide the compensation.

Early reporting will also ensure that you don’t have to pay for the fraudulent transactions while clearing the credit card monthly bills. In such cases, the bank either gives temporary credit to the cardholder or reverses the payment within a few days.
