HYDERABAD: ON April 24, 2019, the cyber crime wing of the Cyberabad police unearthed a first, and definitely not the last, of its kind fraud which cost the customers of ICICI bank nearly Rs 3 crore. While bank customers have been on the hit list of fraudsters for decades now, this particular fraud stood out because this time, a whole banking corporation and its data management systems were under attack.
Although the scam was plucked in time and the money being returned to the customers, the police have made it clear that banks need to upgrade their security systems, considering the trend this particular case could set.
The modus operandi was to clone cards of customers and withdraw money from ATMs. Card cloning is the process of using a skimming device to fraudulently copy a bank customer’s data stored on the magnetic stripe of a debit or credit card. While the process itself is not new, the method used by fraudsters in this case to acquire the customer data, was unique.
The first step was to identify a legitimate 16-digit card number of an existing customer, followed by the personal identification number or PIN.
To identify a legitimate card number, an online bus ticketing platform was used. A random set of numbers were being entered into the payment portal of the website, to identify authorised card number. Since the first six digits of a card number are common to every customer and make up the identification number of the bank, their options were limited to guessing the last 10 digits. In this way, 3,500 authentic card number was identified.
To acquire the PIN, the fraudsters took advantage of ICICI bank’s faulty procedure of validating the account details, even if a customer approached them using an unregistered mobile number. They began calling up the bank’s customer care service on behalf of each of the 3,500 accounts, on the pretext of inquiring about the account balance, and tried to validate the PIN through random attempts. In this way, they succeeded in cloning over 1,000 accounts, and siphoning off Rs 3 crore.
The fraudsters knew better than concentrating all the withdrawals in one geographical area. Although Cyberabad police unearthed the scam, only a small fraction of the fraudulent transactions actually happened in Hyderabad limits. However, it was only when the concerned bank’s internal checks revealed suspicious activities, that the authorities approached the police. But other banks, with lesser turnovers or with losses, may not conduct internal checks, thereby putting the customers’ money at risk, say officials.