Tuesday, May 22, 2018

State Bank of India ( SBI ) suspected Fraud transaction

As a Software Engineer, when you move from one company to another, you will get new bank accounts. So I have been using various banks' credit cards / debit cards for the last couple of years. But I have never experienced something like this.

Recently I re-activated my SBI account when it went dormant, and applied for a debit card. I only used it 2 times for cash withdrawal from an ATM. And no online transactions were done via the SBI Debit Card.

Yesterday ( 22-05-2018 ) I got 2 messages

1. TM-SBPAYU at 12:47PM

xxx is your onetime password for online purchase of 30.00 at rechargeitnow.com thru state Bank Debitcard ending xxxx. Don't share this with anyone.

2. BW-ATMSBI at 12:47 PM

Dear customer, your txn at POS PAYUST000000076 declined due to incorrect PIN. Please enter the correct PIN.

I sent an email to contactcenter and report.phishing at sbi.co.in. I also tweeted to @TheOfficialSBI.

The response I got for the complaint mentions:

The bank will not be liable for any losses that might occur due to transactions upon card blocking/hot listing request over email.
We also have a facility to block the ATM card through SMS. We request you to kindly send an SMS from the registered mobile number in the following format to get your ATM card blocked:BLOCK<space>XXXX to 567676 from Card holders registered mobile number (in CBS) only (XXXX is the last 4 digits of State Bank Debit Card which Card holder wishes to block).

So I blocked the card.

I got a reply for my complaint from contactcenter.
We request you to go ahead and destroy the card once the card is blocked since cannot be used.
Note: The card replacement charges will be Rs.300.00 + GST.

So let's look in more detail at what happened here.

1. I have not used the Debit Card in any place other than 2 ATM withdrawals.
2. Only the bank and I know my Debit Card number, Password and CVV.
3. The 3rd party was able to provide the Debit Card and CVV / Password; the only thing missing was the OTP.

So the questions are:

1. Who is doing these transactions ?
2. Is it the bank employees ?
3. Is there any audit for your software ? If so, who did it and when ?
4. I wonder if the employees can get the password and wonder whether the password itself is encrypted or not.
5. It looks like the bank is making money via 300 + GST by doing this themselves.
6. Or the system has loopholes.

When a fraud transaction happens, you don't need to be at the nearby branch. What you do is notify via email / twitter. Still they can't take any action? It will be fun for SBI to play with our money.

So I request all to stop using SBI credit / debit cards. In the last 6 month span, doing 2 ATM withdrawals, the card details are in the hands of a 3rd party. Who is liable for this?

Tuesday, March 13, 2018

Tips and tricks to buy MiTV 4a / Redmi5A Phone via Flash Sale on Flipkart and Mi.com


I have tried buying a Redmi5A Phone and MiTV 4a via Flash Sale on Flipkart and Mi.com: Is it worth the time I spent? Have you ever bought a Mi Phone or TV from Flipkart or Mi.com via Flash sale?

Mi Phones come in a variety of price ranges. I was looking at the Redmi5A, which was advertised as a 5000 phone. I tried for 3 weeks to buy the same. It was out of stock in a couple of seconds. Sometimes before the flash sale begins it shows out of stock. Now after 3 weeks the price is 6000 ;-). Did you learn anything from this?

UPDATE 19-03-2018 : Now the maximum price is 6499 INR.

Today ( 13-03-2018 ) I even tried to buy an MI 32 inch smart TV. It also went out of stock in a couple of seconds. Let's look into twitter and see if any of them have bought any TV.


You can see 2 people mentioned they got it. If you look closely one account has 6 tweets and is genuinely spam. I believe these are all fake accounts. Don't count on me, just verify yourself. But the majority of twitter says no one has ordered. And sometimes even when people say they ordered the product, after a few days we can see them complaining that the order is cancelled.

So is it worth to spend your time on Mi Products on a Flash sale? The answer is NO.

What are they doing in the name of Flash sale?

They don't have these products, but are just trying to see / understand the market. They are studying how many customers are interested in their product and at what price they can sell these products.

Let's look at the Redmi5A: they offered it for 5000, and they learned each week how many customers are online trying to buy the same. On the next flash sale they are again looking at how many are interested to buy the same at 6000 INR.

My wife has one Xiaomi phone. I don't see a battery, everything is embedded in the phone. From my understanding it is a use and throw phone, you will not be able to replace the battery once it is dead. So think whether you want to buy a "use and throw" phone or a good one available in the market. Just don't think about the price. Your time is worth the amount.

Don't even trust them and link your bank / credit card information. The connection is not even secure. The one below was taken when I changed to https, but the site loads over http by default. I don't know whether they are really PCI compliant when they are storing your credit card and bank information.

If you are interested in deleting your account from xiaomi.com, you can click on the link https://account.xiaomi.com/pass/del .

What if Xiaomi really wanted to sell their Products?

They would have told their customers, we don't have adequate product with us. But you still can book with us, and when it is ready we will ship it. This is similar to how the Indian Railway booking system works. We all are in a queue. I believe people will be ready to pay the amount for the same if that is the strategy. But they are not actually looking to sell anything as they boast.

UPDATE : 19-03-2017 , MiTV4A, when you get it in your hands, will be priced 16000 and not as they advertise. See the Redmi5A price increased from 4999 to 5999 and now the maximum price is shown as 6499. Similarly the TV price will increase. See screenshot below.

Before you buy an MI Product itself, do check the thread by Elliot Alderson, who has found many security flaws in different systems. Eg : Aadhar.

UPDATE : ( 20-03-2018 )

Some people have already captured how the flash sale lasts. See and enjoy!

On Mi

On Flipkart

via https://twitter.com/Harish_WebDev/status/968377215036674048

Monday, October 23, 2017

In the name of Aadhar

I have an account at State Bank of Travancore, now called State Bank of India, Kunnamangalam branch, Kozhikode. I had not been using it for a while, so before I gave the cheque for something, I called SBI Kunnamangalam on 19-10-2017 at 11:31 AM and was informed it was inactive.

I reached SBI Kunnamangalam around 3:00 PM and got the KYC form. The form mentions PAN Card, Driving Licence, Voter-ID etc. are valid KYC proof, which I already had with me at the time. I also had my Aadhar digital copy on my mobile. The lady ( ~ 50 year old ) who was verifying the document was not willing to take anything except the original Aadhar ( By original I mean the physical copy sent to you via courier or post ). I have not received my original aadhar, so I told her I cannot submit the same, but can provide the number or photocopies or even show her on my mobile.

But she was not willing and was telling me to come another day with the original aadhar and then only she can make the account active. I asked her where I can get this original Aadhar and she told me you can collect it from Akshaya. I wasn't aware where Akshaya was, for I moved from Kunnamangalam some years back. I enquired at some other shop and finally reached Akshaya.

The officials at Akshaya told me they cannot give the original aadhar. We can only take print outs, laminate it and give this. They told me to enquire what the lady officer really needs. Now she was telling me to get something that Akshaya can give you. I went and collected a print out from Akshaya and reached SBI. By that time it was around 3:35 PM.

I was irritated with this old lady and this KYC process and was asking how to close the account. She pointed me to another young lady. She did her job well so that the bank retains the account. She made the necessary changes and to make the account active I was asked to do a debit of 100 INR. No clerical staff were willing to do the same and I told the old lady to do something. She was telling me to come another day and that I can even close the account. I don't know what she is doing there? Does SBI pay her to close every account?

Let me clarify that she was not quarrelling with me, but was polite and not ready to accept any of the documents ( Voters-ID, PAN card or Driving license ).

Further I created

1. 3381020359
2. 3382956049

via http://cms.onlinesbi.com/CMS/ .

Both the tickets were closed without informing me what actions were taken or giving me proper replies to the questions. SBI, let the customers know what actions are taken, or how you addressed the queries related to the customer. Ask them whether they are satisfied or not etc. That is how you resolve a ticket.

The questions are :

1. Why are my Voters-ID, PAN, Driving license not considered as valid KYC ?

2. Doesn't the bank have a way to verify my aadhar number online? If so why does your staff send me multiple times to Akshaya?

3. Why do you compel people to show the original aadhar when ekyc is available at banks? ( I came to know this facility is available at many banks )

My account got active, so you may be wondering why I am still behind this. There are many illiterate people who come to the bank and who don't know what to do. When the officials' duty is to help, they are instead not willing to do the same. Aren't the officials irritating the people who come to take their money in the name of government policies / Aadhar ?

NOTE : UIDAI says 10 INR for black and white print out, but people collect 20 INR, but I am ok about paying the same to make things work.

Wednesday, May 03, 2017

BSNL online recharge

I used to recharge / pay BSNL bills via portal.bsnl.in . Recently something came to my attention. After a successful recharge, I always note the transaction-id etc. for future reference.

It came to my notice that a popup window was opening to another website, freebeemart.com, with your phone number being passed in a GET request.

The exact url is: freebeemart.com/?Ph_no=9400XXXXXX .

I haven't even clicked any of the offers it mentioned, but without my consent the BSNL website gives my number to a 3rd party service. I have already activated DND and BSNL is selling my mobile number to a 3rd party service.

I sent my grievance at pgportal.gov.in .

I informed @CMDBSNL regarding the same.

Thank you Anupam Shrivastava for notifying @BSNLCorporate.

And I got a reply from BSNL_Kerala

If you are not a web developer you probably don't know what an HTTP GET request is. It is ok, ask someone who is good at it and learn what they get when you pass someone else's mobile number.

Sites like this are actually storing the information in their database.

The screenshot below shows an error when you pass a string to freebeemart as: freebeemart.com/?Ph_no=9400XXXXXX .

And now just laugh and read that it is BSNL's policy to send mobile numbers to 3rd party services.

I also wonder when BSNL employees will understand they cannot sell someone else's mobile number like this.

So this is currently what I added to /etc/hosts .

Tuesday, February 07, 2017

Turning 2

Some days back Ishaan turned 2 years. I always think about him, and what to do next. Life is all about mystery. I am still unsure about what decision I should take for him.

As a reader of this blog, you may be wondering what I am talking about. Ishaan is my only kid, who was diagnosed with profound hearing loss. It is really a pain to know your kid can't hear without any hearing aid or cochlear implant. We ( family ) have been giving him speech therapy from the age of 8 months.

Ishaan has slowly started to speak a few words. Some of the words are not so clear. It is really a happy moment to know he is able to hear and when he starts speaking. But at the same time, it also makes it tough to take the right decision, whether we need to go for a cochlear implant or not.