Picture this. You are going about your life when suddenly the SMS popping on the phone gives you a jolt. It’s from your bank and it says your debit or credit card has been used to pay for a purchase. How’s that possible, you wonder, the card is right here with me. You realise you’ve been conned. So, you scramble to call the bank and run around to get the mess sorted.

That’s what happened to Pupul Dutta, a Marketing Communications Professional based in Gurgaon. In early 2012, Pupul wanted to close her HDFC Bank credit card and requested the bank to send her the final bill. To her shock, a couple of hours later, she got a message that ₹21,000 was spent on her credit card for a purchase on Flipkart. Another message soon followed — ₹1,000 was spent on the card towards a Vodafone bill.

Alarmed, she called up the bank immediately. Pupul says, “I told them I didn’t make the purchases. For big transactions, most banks send you an OTP (one-time password) or give you a confirmation call to check. So, they sent my case to dispute redressal and promised to get back to me in seven working days.”

Meanwhile, Pupul’s final credit card bill was generated — to her chagrin, it included both the charges of ₹21,000 and ₹1,000. Pupul says that when the bank got back after seven days, it said that the charge towards Flipkart was due to a technical error, and so ₹21,000 was waived off the bill. But the ₹1,000 charge towards Vodafone was retained despite Pupul’s protests. The bank, Pupul says, also did not provide the details of the charge, such as the phone number towards which the payment was made. When Pupul refused to pay the remaining bill until the matter was settled, the recovery section of the bank started making calls and interest and penalty began accumulating on the card dues.

Ultimately, Pupul decided to settle the amount after negotiation since she wanted the monkey off her back. She says, “The entire thing was one big hassle for me. You know how it is — the recovery guys call, they threaten you, there is a summons against your name. I held off for some time. But then I thought I would need a home loan in the future and this thing could become a pain.” In her Cibil records, the case appears as ‘settled’, something Pupul says has affected her credit score for no fault of hers. She doesn’t know how the fraud happened because the bank did not explain anything to her.

All’s well that ends well

Bengaluru-based publishing professional Koel* had a similar experience though it ended on a better note. Says Koel, “One evening, about two years ago, when I was sitting at home, I started getting text notifications about my credit card being used. ₹100, 200, 500, 1,000 — in those denominations. I called Standard Chartered Bank immediately. Even as I was holding the line, the text messages kept pouring in. Finally, I got through and asked to block my card. The phone banker told me to file a first information report (FIR) and go to the bank’s branch with that.”

Koel and her husband were running pillar to post the next day. When they went to the police station, they were told to go to the cyber crimes branch. There, the officer explained the whole system of cyber crimes to them — and then told them to go back to the police station, file an FIR and take it to the bank. So, off went Koel and her husband back to the police station where the cops took down their FIR and gave a copy which was submitted to the bank branch. Says Koel, “That was the end of my ordeal. The ₹13,000-odd that had gone from my account was put in a freeze. So, I wouldn’t have to pay it back until the dispute was resolved. I got a new card and some six months later, Standard Chartered sent me a letter saying the case is resolved and closed, no explanation was given.” Koel double-checked with the bank whether she would have to pay the ₹13,000. And to her relief, the phone banker replied in the negative. Koel says, “I asked what had happened to my card, the phone banker wanted me to write an email, etc. I didn’t follow up. It’s all so annoying and tiresome, I left it at that.”

Fewer security features then

Card frauds are hardly a recent phenomenon. Delhi-based media executive Rajeev Dubey was subject to one almost a decade ago in 2007. Says Rajeev, “I had got a new ICICI Bank card, had gone for a dinner to Mumbai, and was back in Delhi the next morning. That afternoon, I got an SMS that someone in Dubai had bought a ticket on Air Arabia for ₹27,000. I immediately phoned the call centre and blocked the card.” Thankfully for Rajeev, his ordeal ended there. The bank sent him a mail that it was a case of fraud, didn’t charge him anything for the transaction and issued him a new card. Rajeev thinks it’s because he noticed the transaction and informed the bank right away — this would have helped the bank trace and reverse the transaction though he’s not sure what the bank did finally.

In those days, security features such as two-factor authentication were not around. To prevent misuse, Rajeev usually scratched off the CVV number from the back of his cards. Unfortunately, he had not done this with the new card which had just landed at his desk.

He says, “Somebody obviously noted down my CVV number. Every other detail is anyway there on the face of the card. Someone at the restaurant may have copied the card details, noted the CVV number, and passed it on to an accomplice in the Middle East who did the transaction.” Rajeev feels that with improvement in security features, card frauds are getting harder to perpetrate. He says, “Today, you can’t do an (online) transaction unless you have both the phone (on which you get the OTP) and the card.”

Charge, counter-charge

That’s little solace, though, to 58-year old M Janakiraman, working with the Sundaram Group in Chennai. He was gypped of ₹30,000 from his ICICI Bank account and ₹27,000 on his ICICI Bank credit card, both on the same day in October last year. He says that the day after his salary was credited, some persons transferred ₹30,000 from his bank account to a PayU account — this happened in many instalments ranging from ₹2,000 and ₹4,000. On rushing to the nearest bank branch to complain, he was told to speak to customer care. Not getting a satisfactory response, Janakiraman dashed to his home branch where his complaint was taken. After withdrawing the remaining money from the account, he blocked his debit card and online bank transactions.

Meanwhile, to his shock, Janakiraman got 10-15 messages of transactions between ₹2,000 and ₹4,000 (totalling ₹27,000) being done on his credit card. He had his credit card blocked too, and was told to lodge a complaint with the police which, in turn, directed him to cyber crime branch. Janakiraman’s dispute with ICICI Bank continues — he says the bank holds him responsible for negligence, a charge he refutes. He counters that the bank should have checked with him before allowing the multiple debits and charges, and taken action immediately instead of making him run around. Why didn’t he get the OTPs from the bank, he asks. So, Janakiraman has refused to pay the ₹27,000 credit card charge being demanded by the bank, while the bank has not refunded him the ₹30,000 debited from his bank account.

The officer at the cyber crime branch told him that the fraudulent transactions happened in Delhi. Janakiraman says, “The inspector told me that though you may not have shared your confidential details, they could have been extracted by hackers from the keystrokes on your keyboard. So, you must use only the virtual keyboard while doing online transactions.”

Walk into my parlour

While in many cases, the victims of card frauds are caught unawares, Shalini* walked right into the spider’s parlour. In a ‘vishing’ attack last month, this young PR executive from Mumbai got a phone call from a fraudster asking for her debit card details. The person, claiming to be from SBI, told Shalini that since she did not use her SBI card, the card’s CVV number had expired, and that he would renew it if she shared her debit card details and some authentication numbers. In a weak moment, the usually savvy Shalini parted with her card details and also the OTPs that she got from the bank. She was soon poorer by ₹4,500 through two transactions made from her card on the PayU portal. When she got the debit messages Shalini realised she’d been led down the garden path.

While agreeing it was her mistake, Shalini has filed a complaint with the cyber cell of Mumbai Police. She says, “I am sure there will be thousands of such transactions happening daily; it has to stop somewhere. I may or may not be able to get my money back, but my intention is to get hold of such people who are committing these crimes. ”

* Names changed on request

comment COMMENT NOW