Telephonic fraud by sbi cr card
sunil agarwal
(Querist) 03 July 2013
This query is : Resolved
I am holding a SBI Credit card number xxxxxxxx0067 since long time. On 17.05.2014 at one person by name Mr. Servesh spoke to me and claimed that he is calling from SBI Credit cards and informed that SBI is offering me a special discount card & offer against my expired point free of cost. He insisted me to provide the credit card details including CVV for authentication to get the discounted card to his customer care. As I thought the person is really from SBI credit cards department, I have provided the requested details to his customer care madam.
Later, on the same day I received a SMS on my mobile about a transaction of Rs. 6999/- done by Cache Mercantile Pvt Ltd. Upon seeing the message, I called SBI credit cards department and informed about this fraudulent transaction and got my credit card blocked.
I have formally sent a written complaint along with Dispute Form duly filled-in on 18.05.2013 by email to SBI Credit Cards.
I received 2-3 calls from Cache Mercantile Pvt Ltd after it. They tried to convince me saying that I have to accept their parcel worth Rs 6999/- which they have deducted from my Credit Card. Upon questioning them on the fraud, they claimed that it will be credit the same amount to SBI after received the parcel in which one alphanumeric code in it, the code will be SMS to Mr. Servesh Mobile 8527325619, then after he will credit the same, but after one month past neither parcel received nor amt credit in my SBI Cr. Card till date on 30.06.2013.
I was surprised that how this entry done without online 3D secure password?
What did SBI investigate?
How did they provide my credit card and personal details to Cache Mercantile?
I have seen many similar complaints lodged by many victims like me against Cache Mercantile Pvt. Ltd and SBI credit cards.
It looks that there is a tie-up between SBI Credit cards and Cache Mercantile Pvt Ltd to loot the money from innocent people like me.
I request the authority to take necessary strict action against SBI Credit Cards (for providing the credit card customer data to such people like Cache Mercantile) and also on Cache Mercantile Pvt Ltd for cheating the people claiming to be from SBI credit cards and doing fraudulent transaction.
Below are some of the details of Cache Mercantile Pvt Ltd. which I have noted down, I hope these will be helpful in resolving the fraudulent transaction.
Phone numbers from which I got the call, these people are from Cache Mercantile Pvt. Ltd.
Servesh : 91-8527325619 (This person claimed that he is from SBI) Code - 610302
Priyanka : 0120-4243926, 4243950
I request the concerned authority to investigate the matter thoroughly and get back the amount to my credit card.
Regards,
Sunil Kumar Agarwal,
Agra
M: 09719001446
Raj Kumar Makkad
(Expert) 03 July 2013
No fraud seems committed by either officials of SBI rather this is your lapse and carelessness. No bank official can legally ask credit card no. or CVV which you disclosed to some unidentified persons without their due verification.
Legal process is time taking long process and it shall require at least double of the amount of your loss.
Guest
(Expert) 03 July 2013
Your own statement, "I have provided the requested details to his customer care madam" including the CVV, is the answer to your question, "how did they provide my credit card and personal details to Cache Mercantile?"
Please beware, for online transactions, CVV is the key for authorising the debit to the credit card issuing bank. Hope you must also have given particulars of the 3D PIN to that lady, if the SBI uses 3D PIN also to complete the transaction. Password is required only when cash is withdrawn from the ATM.
Your story clearly indicates that some person, namely Sarvesh made some online purchase from Cache Mercantile Pvt Ltd by taking your credit card particulars including the CVV from you only. The lady, whom you gave particulars must be Sarvesh's accomplice, relative or friend, instead of customer care official of the SBI, whom he would have handed over the receiver of the phone to take particulars. I don't think you would have asked the name of the custoner care lady official.
Anyway, you may better report the matter to the police, who can investigate on whose address the parcel of purchased goods would have reached in the name of Mr. Sarvesh on fraudulent transaction. Otherwise, bank may not be able to recover money from Cache Mercantile Pvt Ltd to credit back to your credit card account, as it is only you who compromised with confidential details of your credit card by sharing with a 3rd person.
BRIJENDRA K SINGH
(Expert) 04 July 2013
please do not call for this topic due to long distance and i am not interested to give reply
Rajendra K Goyal
(Expert) 04 July 2013
Agree with the expert raj kumar makkad ji and PS Dhingra ji. Well advised in the matter.
BRIJENDRA K SINGH
(Expert) 04 July 2013
SBI is sure liable to pay full ammount including compansation with full expenses. It's cyber crime not a other crime . Hence giving advice on other general way is not proper. Cyber crime is total different crime , it is govern upon technical and law. Without knowing advanced technology and different laws, procedures and applicabe of rules and facts cant be give advice . I am cyber expert so I know very well how can it covered under cyber crime and how SBI is liable for it.
Raj Kumar Makkad
(Expert) 04 July 2013
This is not a self advertisement site so none of the experts should try to advertise or directly invite the queriests to contact him. This is against the aim and object of the site itself.
Guest
(Expert) 04 July 2013
@ Brijendra K Singh,
It would be nice on your part to elaborate for my knowledge, how SBI can be made liable for the transaction when Mr. Sunil Agarwal voluntarily shared even the CVV of his card with a third person. So far as I know, neither the customer care of the credit card issuing bank contacts the holder at its own, nor that asks to tell the CVV No.on phone. The CVV, if desired in rare case only, that too on the contact by the credit card holder himself, has to be dialled on phone, not intimated vocally by the credit card holder.
Raj Kumar Makkad
(Expert) 04 July 2013
*Dhingra Sir! Not only Mr, Brijender Singh providing illegal advice but also justifying that all other experts do not know about cyber law and he is the only person having such knowledge. The invitation to querist is adding colours from his side. Should not admin take care of such persons?
Guest
(Expert) 04 July 2013
Makkad ji,
Of course. I can understand well. At least he should not have ignored the fact what the querist himself stated about sharing of his confidential and sensitive information on phone without verification about the caller.
BRIJENDRA K SINGH
(Expert) 05 July 2013
Due to national and international laws rules and guidelines regarding gateway and the economic organizations have to follow , if they fail than they are fully liable for all loss. According the convention all banking sector are bound to follow the rules.
I further mentioning that it's unauthorised access which is against RBI Guidelines.
This is sufficient for this.
If you have any quarry please call me
Thanks
Raj Kumar Makkad
(Expert) 05 July 2013
*Author! Again offer is ready for you.....
prabhakar singh
(Expert) 05 July 2013
God knows Sbi would or not would be liable.
But being an advocate one should know first
the rules, moral and ethics of practice before claiming to be expert of any area of practice.
It is very mean for me to offer my services to a non seeker.
Guest
(Expert) 05 July 2013
@Brijendra K Singh,
You have avoided to reply my query on how SBI can be made liable for the transaction when Mr. Sunil Agarwal voluntarily shared even the CVV of his card with a third person.
I can understand about the "national and international laws rules and guidelines regarding gateway and the economic organizations have to follow" but how are you sure that the gateway of the customer care centre of the SBI only was used to contact the querist and he was not contacted by the fraudulent person directly from some phone/PCO?
Also, instead of getting tracked the real fraudulent person, would you prefer to book the SBI directly under the cyber law without filing a police complaint for proper investigation purpose for tracking the real offender?
Raj Kumar Makkad
(Expert) 05 July 2013
I strongly endorse the ethical views of Ld. Mr. Singh and legal advice of Ld. Dhingra g.
prabhakar singh
(Expert) 05 July 2013
Yes! I too agree with Dhingra ji's wise advice.
Bankers often warn customers that they never ask for these things from their customers and these secret things should not be shared with anybody.They even SMS it to their a/c holders.
How can banker or anybody else be liable for
negligence of his customer????
Using such facilities with care is duty of
user.
BRIJENDRA K SINGH
(Expert) 05 July 2013
Ld. Mr. PS Dhingra first I am asking you a simple question that without singing a cheque someone take cheque from you and cash taken away from bank.Now who is liable.
Answer is bank because as per the rules bank have to verify the signature from record. If still they have doubts than they have to verify by any way. As per the guidelines they have to put security on it by verify sig.
Now in this case evin he delivers information to third party, so now the bank is liable for verify that the transaction is going in authorise manner or not, for this the bank have to put security on it according to the law if it failed than it will be liable to pay or fulfill the loss.
Here the bank have lapsed the security which bank have to implement the security guidelines which is mandatory to follow as per RBI
BRIJENDRA K SINGH
(Expert) 05 July 2013
prabhakar singh sir the bank taking precautions by alert by anyway to their customers nothing else.
Rajendra K Goyal
(Expert) 05 July 2013
The phone nos. from where you have received the call,it is hoped that these are the nos. of STD booth or public telephones installed for use by public. You may lodge a police complaint possibly due to your good luck the culprits may be nabbed by police and a large no. of people may be saved from such fraud.
State Bank of India or any Govt. agency never ask confidential details of credit card of any person.
Guest
(Expert) 05 July 2013
@ Brijendra K Singh,
I wonder to see reply of a cyber crime expert, when you say "I am cyber expert so I know very well how can it covered under cyber crime." You also said that "cyber crime is not a other crime . Hence giving advice on other general way is not proper. Cyber crime is total different crime , it is govern upon technical and law. Without knowing advanced technology and different laws, procedures and applicabe of rules and facts cant be give advice."
Contrarily, instead of discussing on the the IT Act 2000 and the I.T. Amendment Act 2008, you are talking in general terms in a layman's language about 132 years old Negotiable Instruments Act by comparing signatures on a cheque with that of the CVV.
I wonder, if you found any similarity between the signature of a person to be checked by the bank officials and the CVV that has to be identified by the software being run in the computer (not manually), while the former is known to everyone but CVV is a confidential and sensitive information of a Credit Card, which is forbidden to be shared with anyone else, even with any bank official.
BRIJENDRA K SINGH
(Expert) 05 July 2013
Mr PS Dhingra sir I have given a example , you are misguided due to not mentioning IT Act by me but i have mentioned authorisation word which is covered under IT act . And implimentation of guidelines is big factor for security here liablity self generate Another thing is protection which is taken by bank which is mandatory by guidelines issued by RBI
You are expert and you know act verywell so i don't inclind to describe IT Act.
Raj Kumar Makkad
(Expert) 05 July 2013
*Brijesh Singh! Which section of IT Act makes liable to the banker if the account holder discloses online account information to the a third party? Can you please cite that particular section and post it her for the benefit of all expers and general public?
The example given by you pertaining to a blank cheque also do not make liable to the bank if the holder of the cheque misuses it. If you have any contradicting law ten do post it here instead of forcing to accept your own interpretation.
prabhakar singh
(Expert) 05 July 2013
Dear Mr. BRIJENDRA K SINGH!
Here below I am posting the TOP SECRET YOU CLAIM TO HAVE:
The Reserve Bank of India has recently announced a new set of guidelines security and risk measures that banks need to take for electronic payment transactions. Some key changes:
International use of debit and credit cards: A key change being made is the provision that credit and debit cards should be issued only for domestic use by default, and if a customer needs a credit/debit card for international use they will have to specifically apply for the card for international transactions. The deadline for this is June 30th 2013.
Implications: one doesn’t know how banks will implement this, but ideally, card users should apply to allow usage of debit cards internationally. There could be situations where a card, by default, is for domestic transactions only, but because app stores like that of Apple's Store) or Google (Google Play) route payment through international payment gateways, their cards might not be accepted for international payments. A similar situation for buying advertising on Google or Facebook. This is not quite the solution we had in mind when we had asked for a level playing field for online transactions.
Second Factor Authentication for International transactions: Banks should move towards a system that facilitates implementation of additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad). No deadline has been set for this, and this is probably because it is not clear how banks will force international payment gateways for implement a second factor of authentication. This is exactly the issue we had pointed out when asking for a level playing field for payments.
NEFT, RTGS & IMPS Payments: RBI has also announced measures to make funds transfer via NEFT, RTGS and IMPS methods to prevent online frauds. It has asked banks to:
a. Include customer induced caps on usage, in terms of the value / mode of transactions/beneficiaries. If an user wants to add an additional beneficiary or transaction, they will have to go through an additional authorization.
b. Limit the number of beneficiaries that may be added in a day per account. A system of alert to be introduced when a beneficiary is added.
c. Monitoring and alerts: A way to monitor the number of transactions effected per day per beneficiary to be implemented. In case of any suspicious operations, the bank and the account holder to be alerted.
d. Consider a dynamic factor of authentication for NEFT, RTGS & IMPS: To introduce additional factor of dynamic authentication for these transactions. It appears that the RBI is recommended the dreaded OTP method of authentication for NEFT, RTGS and IMPS.
e. Banks should capture Internet Protocol (IP) address as an additional validation check.
f. Banks that sub-members should ensure that the security measures put in place by the sub members are on par with the standards followed by them so as to ensure the safety and mitigate the reputation risk.
e. It has suggested that banks could also implement technologies like adaptive authentication, etc. for fraud detection.
International cards will have to be EMV Chip and PIN enabled. What this essentially means is customers will have to enter a PIN for every card swipe or transaction. While this adds an extra security to prevent frauds, this might also cause an inconvenience to users. Still, this is a standard international card practice.
- Block card via SMS: the RBI has said that banks should be allowed to block cards via easier methods like SMS for the customer to block his card, and get a confirmation to that effect after blocking the card.
- Convert existing cards to EMV Chip: Issuing banks should convert all existing MagStripe cards to EMV Chip card for all customers who have used their cards internationally at least once (for/through e- commerce/ATM/POS) (By June 30, 2013)
- Transaction Limit for Magstripe international cards: All the active Magstripe international cards issued by banks should have threshold limit for international usage. The threshold should be determined by the banks based on the risk profile of the customer and accepted by the customer (By June 30, 2013). Till such time this process is completed an omnibus threshold limit as determined by each bank may be put in place for all debit cards and all credit cards that have not been used for international transactions in the past.
Compliance Norms for Internet Protocol based solutions: Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants (By June 30, 2013).
Banks should ensure that the terminals installed at the merchants for capturing card payments (including the double swipe terminals used) should be certified for PCI-DSS (Payment Card Industry- Data Security Standards) and PA-DSS (Payment Applications -Data Security Standards) (By June 30, 2013)
- Frame rules based on transaction patterns: Bank should frame rules based on the transaction pattern of the usage of cards by the customers in coordination with the authorized card payment networks for arresting fraud. This would act as a fraud prevention measure (By June 30, 2013).
Other developments: Note that, RBI had reported 8,322 cases of cyber frauds in 2012, a decline from 9,588 cases and 15,018 cases registered in 2011 and 2010 respectively.
RBI has increasingly making online/mobile transactions a tad difficult for users with their limits and restrictions. In September 2012, RBI had reiterated that it won’t allow telecom operators offering mobile wallets to offer cash-out facility, unless they sign up customers under a Banking Correspondent tie-up.
SOURCE:
http://www.medianama.com/2013/03/223-rbi-credit-card-money-transfer-guidelines/
prabhakar singh
(Expert) 05 July 2013
NOW IT IS NOT AS SECRET AS YOU TRIED TO MAKE IT.
Raj Kumar Makkad
(Expert) 05 July 2013
Nothing is secret as all such changes are within the knowledge of maximum persons who are even general account-holders what to talk of legal experts but Mr. Brijesh is behaving as if he is the first person to disclose it.
prabhakar singh
(Expert) 05 July 2013
Here experts are expected to share the knowledge.To practice Cyber laws no advocate needs to be an engineer and to cross examine
any doctor no advocate requires to have Md degree first.
I am i clear.
True i have had no chance to handle any cyber brief but if i shall get any i would be as much prepared with as any acclaimed name in the field having names and fame would be.
When it comes to learning i always feel young .
Guest
(Expert) 06 July 2013
@ Brijendra K Singh,
Besides the observations of S/Shri Raj Kumar Makkad and Prabhakar Singh ji, I would like to pose three simple questions for you to ponder upon and give clarification for my knowledge:
1) Is there any source with the bank to interfere between the individual private communications between the holder of the credit/debit card and the third party to prohibit sharing of information about CVV?
2) Can the bank physically and manually verify the CVV, like a specimen signature on cheque, and be able to know whether the CVV is being keyed in by the holder of the card or a third person to avoid misuse of CVV when the holder of the card himself has communicated the sensitive information privately?
3) Is there any provision in the IT Act to verify the CVV manually by a bank official before allowing a transaction, when hundreds or thousands of transactions are handled at a time by a computer through a a customised software without the intervention of any human being?
I hope, a cyber crime expert, like you, would satisfy a layman like me, with your perfect cyber law knowledge by replying the above questions.
V R SHROFF
(Expert) 06 July 2013
Fully agreed with Shri Dhingraji & Shri Prabhakarji .
*Dhingra Sir! Not only Mr, Brijender Singh providing illegal advice but also ""
Mr, Brijender Singh, do u know a single case that support your statement???
Being Advocate, try to prove and be HERO here. after all, it is our profession. But certainly do not misguide.
Cyber criminals are operating from remote foreign area, and in 99 % of cases of amount below 1L, No recovery..
SBI is not liable.
ajay sethi
(Expert) 06 July 2013
i agree with DHIngraji . the querist has himself dislcosed his CV number and other details . he cannot hold the bank liable for his negligence
Raj Kumar Makkad
(Expert) 06 July 2013
I also strongly do stand with the legal questions raised by Ld. Dhingra Sir.
Rajendra K Goyal
(Expert) 06 July 2013
Agree with Expert Dhingra ji, prabhakar singh ji. I am thankful for the knowledge I have gained. Thanks.
prabhakar singh
(Expert) 06 July 2013
There can be nobody here to disagree with rightly opined opinion of Dhingra JI
Guest
(Expert) 06 July 2013
I heartily thank learned Prabhakar ji, Makkad ji, Shroff ji, Ajay Sethi ji, and Rajendra K Goyal ji for endorsing my views on the issue.
Sudhir Kumar, Advocate
(Expert) 12 July 2013
claiming to by cyber law expert and still insisting on old requirement of signing cheques.
I will recommend the querist to have paid services of the expert and contest till Apex court. and if he succeeds he is Victor or at least he be a subject of law text books for future guidance of lawyers and judges
BRIJENDRA K SINGH
(Expert) 13 July 2013
I think it is sufficient for you all
You can find near about all answers or quarries
I do not want to disclose other things due to practice in public place if any one want know more than call me or mail me.
Before doing cyber law i was saying cyber law like you but after done PG in cyber law my thinking view totally changed, the original view of this act cleared. As per ITAct without knowing information technology cant be interpretate.
Information technology can not be learn in one day or one month.
Being an advocate not necessary to do MS for practice in criminal side but we have to follow medical jurisprudence which is decisions of Medical Practitioners or scientist or relevant experts not a philosophical thoughts which are not acceptable by Hon'ble Court.
Also without doing LLB we are non entittle for practice as an advocate before court.Without doing MS or MBBS you can do practice but you cant priscribe medicine or do treatment of ill.
According Information Technology Act
(a) the signature creation data or the authentication data are, within the
context in which they are used, linked to the signatory or, as the case may be, the
authenticator and to no other person;
(3) The Central Government may prescribe the procedure for the purpose of
ascertaining whether electronic signature is that of the person by whom it is purported
to have been affixed or authenticated.
'6A. (1) The appropriate Government may, for the purposes of this Chapter and
for efficient delivery of services to the public through electronic means authorise, by
order, any service provider to set up, maintain and upgrade the computerised facilities
and perform such other services as it may specify, by notification in the Official
Gazette.
Explanation.—For the purposes of this section, service provider so authorised
includes any individual, private agency, private company, partnership firm, sole
proprietor firm or any such other body or agency which has been granted permission
by the appropriate Government to offer services through electronic means in
accordance with the policy governing such service sector.
‘15. An electronic signature shall be deemed to be a secure electronic signature
if—
(i) the signature creation data, at the time of affixing signature, was under
the exclusive control of signatory and no other person; and
(ii) the signature creation data was stored and affixed in such exclusive
manner as may be prescribed.
Explanation.—In case of digital signature, the “signature creation data” means
the private key of the subscriber.
16. The Central Government may, for the purposes of sections 14 and 15,
prescribe the security procedures and practices:
Provided that in prescribing such security procedures and practices, the Central
Government shall have regard to the commercial circumstances, nature of transactions
and such other related factors as it may consider appropriate.'.
‘(v) “computer source code” means the listing of programmes, computer
commands, design and layout and programme analysis of computer resource in any
form.”.
‘43A. Where a body corporate, possessing, dealing or handling any sensitive
personal data or information in a computer resource which it owns, controls or operates,
is negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation to the person
so affected.
Explanation.—For the purposes of this section,—
(i) “body corporate” means any company and includes a firm, sole
proprietorship or other association of individuals engaged in commercial or
professional activities;
(ii) “reasonable security practices and procedures” means security
practices and procedures designed to protect such information from unauthorised
access, damage, use, modification, disclosure or impairment, as may be specified
in an agreement between the parties or as may be specified in any law for the time
being in force and in the absence of such agreement or any law, such reasonable
security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it
may deem fit;
(a) in sub-section (1), for the words “direction or order made thereunder”, the
words “direction or order made thereunder which renders him liable to pay penalty or
compensation,” shall be substituted;
(b) after sub-section (1), the following sub-section shall be inserted, nanmely:—
“(1A). The adjudicating officer appointed under sub-section (1) shall
exercise jurisdiction to adjudicate matters in which the claim for injury or damage
does not exceed rupees five crore:
Provided that the jurisdiction in respect of the claim for injury or damage
exceeding rupees five crore shall vest with the competent court.”;
BRIJENDRA K SINGH
(Expert) 13 July 2013
as per disclosed his CV number and other details the institution duty to verify the transaction is doing by owner or other as per guidelines of RBI . Now institution have bound to put advance level authentication and security . if it fails to implement security then it must be liable to pay all damages, it attracts 43A of IT Act.
authentication is described under iso27001 and controls on which RBI govern.
BRIJENDRA K SINGH
(Expert) 13 July 2013
Here I am not trying to advertise or directly invite the queriests to contact him for my personal profit, I am inviting him for only guide and free advice.
V R SHROFF
(Expert) 13 July 2013
Adv . Brijendra Singh:
Get back Rs. 6999/- to Sunil;
And have a feather in your Cap.
Though we know, you cannot!!!
Machinery to detect and identify cyber crimes are not approved or taken in Evidence in India. not validated in India.
Foreign validation nor allowed in Indian Evidence . Do Adv . Brijendra realised it??
Every day, 100's of crores are drained out of India by cyber criminals sitting and operating from abroad. Who could prove who did it!!!
If you are Cyber Expert, pl Let us know it.
Cyber Laws and theory are different from practical : the result!!!
How many times you succeeded recovered Cyber Law Losses, till date?? Especially amt below 2L ??
If you can deliver the goods, efficient enough at this stage, pl do it, otherwise advise persons like Sunil to be careful next time, and do not part with personal information to anyone in future. Prevention is better than cure. .
R.K Nanda
(Expert) 13 July 2013
nothing to add.
Rajendra K Goyal
(Expert) 13 July 2013
I agree with expert V R Shroff ji and others.
Expert Mr. Brijendra K Singh can not succeed in holding SBI Card liable legally in the given facts.
R.V.RAO
(Expert) 25 February 2014
the date 17/05/2014 put by queriest as date of transaction , could be mistake .it could be 17/05/2013.
about more than year back, SBI introduced transaction pass word.
unless the SBI card holder enters the transaction password,the transaction will not be cleared.
if a SBI card holder forgets the password,the new temporary password comes to his registered mobile ,which must be entered to carry out the transaction.
i am wondering how this important check was missed out in the above transaction?
the queriest can ask SBI CREdit CARD dept, as to why and whether this important step wa avoided and transaction carried out?
