Tuesday, May 22, 2018

State Bank of India (SBI) suspected fraud transaction

As a Software Engineer, when you move from one company to another, you will get new bank accounts. So I have been using various banks' credit cards / debit cards for the last couple of years. But I have never experienced something like this.

Recently I re-activated my SBI account when it became dormant, and applied for a debit card. I have only used it 2 times for cash withdrawal from an ATM. And no online transactions were done via the SBI Debit Card.

Yesterday (22-05-2018) I got 2 messages:

1. TM-SBPAYU at 12:47PM

xxx is your onetime password for online purchase of 30.00 at rechargeitnow.com thru state Bank Debitcard ending xxxx. Don't share this with anyone.

2. BW-ATMSBI at 12:47 PM

Dear customer, your txn at POS PAYUST000000076 declined due to incorrect PIN. Please enter the correct PIN.

I sent an email to contactcenter and report.phishing at sbi.co.in. I also tweeted to @TheOfficialSBI.

The response I got for the complaint mentions:

The bank will not be liable for any losses that might occur due to transactions upon card blocking/hot listing request over email.
We also have a facility to block the ATM card through SMS. We request you to kindly send an SMS from the registered mobile number in the following format to get your ATM card blocked:BLOCK<space>XXXX to 567676 from Card holders registered mobile number (in CBS) only (XXXX is the last 4 digits of State Bank Debit Card which Card holder wishes to block).

So I blocked the card.

I got a reply for my complaint from contactcenter.
We request you to go ahead and destroy the card once the card is blocked since cannot be used.
Note: The card replacement charges will be Rs.300.00 + GST.

So let's look in more detail at what happened here.

1. I have not used the Debit Card in any place other than 2 ATM withdrawals.
2. Only the bank and I know my Debit Card number, Password and CVV.
3. The 3rd party was able to provide the Debit Card and CVV / Password; the only thing missing was the OTP.

So the questions are:

1. Who is doing these transactions?
2. Is it the bank employees?
3. Is there any audit for your software? If so, who did it and when?
4. I wonder if the employees can get the password, and wonder whether the password itself is encrypted or not.
5. It looks like the bank is making money via the 300 + GST by doing this themselves.
6. Or the system has loopholes.

When a fraud transaction happens, you don't need to be at the nearby branch. What you do is notify via email / Twitter. Still they can't take any action? It will be fun for SBI to play with our money.

So I request all to stop using SBI credit / debit cards. In the last 6 month span, doing 2 ATM withdrawals, the card details are in the hands of a 3rd party. Who is liable for this?