Be-aware: Sim-Swap/Phishing Money Theft from Bank accounts!


sandeepsachin

Well-Known Member
Adept
Dec 16, 2011
1,031
69
87
@Lord Nemesis yes, I was talking about those FD'S which are made in person at the branch. Aren't those more safer than the online ones? I have a few like these which I had opened a decade back, I can see the details online but no option to close.
Also, correct me if an wrong. the same rules apply even today right? If I were to open a FD at a branch in a nationalised bank, it can only be closed in person? Or has it changed?
Is it different for private banks?
Pardon my lack of knowledge in this regard cause I haven't dealt with FD'S yet with a private bank and I am gonna take your advice of moving it to a different bank
 

paarkhi

Well-Known Member
Veteran
Mar 26, 2010
2,452
832
202
@Lord Nemesis yes, I was talking about those FD'S which are made in person at the branch. Aren't those more safer than the online ones? I have a few like these which I had opened a decade back, I can see the details online but no option to close.
Also, correct me if an wrong. the same rules apply even today right? If I were to open a FD at a branch in a nationalised bank, it can only be closed in person? Or has it changed?
Is it different for private banks?
Pardon my lack of knowledge in this regard cause I haven't dealt with FD'S yet with a private bank and I am gonna take your advice of moving it to a different bank
FD's opened in person at branch can only be closed by visiting the branch and yes even today that rule applies in State Bank of India and UBI (can't say about other Nationalized banks) and in private banks it's the same atleast with HDFC
 
  • Like
Reactions: sandeepsachin

Julian

om nom nom
Veteran
Jul 31, 2008
1,842
741
201
38
Navi Mumbai
By caller ID, if you mean some app like Trucaller, then its pretty easy to fake it. True caller picks up the names from peoples contacts If a few people add the number to their contract list and set the label as HDFC Bank, then it would report as HDFC bank. This exactly sort of thing has been used for scams there days with google too. This is why advisories are being given not to trust numbers procured through google/google maps since anybody can set/change them.

As for getting hold of debit cards, there have been numerous cases of card duplication devices being setup in unguarded ATM's. The device goes on top of he card slot. You put the put in such an ATM and the card information would be copied which can then be retrieved to make a duplicate card. This is why all mag stripe cards have been banned from 1st Jan and all debit cards have to be EMV cards.
They also knew exactly how much money was in his account. And these days there's no need to clone cards really. Just copy or take a photo of the info on the card. After that it's just otp phishing.[DOUBLEPOST=1546506247][/DOUBLEPOST]This is an interesting question. Earlier you had to submit the physical FD receipt and countersign it to liquidate it.

Does it still work the same way today with completely digitised core banking?[DOUBLEPOST=1546506486][/DOUBLEPOST]Also unless something has changed, banks etc. are only liable to give you 1 lakh in case they dissolve. Keep this and the current volatile financial system in mind before investing anywhere. Anything can fold anytime. Just takes the right kind of scam.

UTI was a perfect example of this. So many people lost their life savings, everything, but the institution continued as UTI bank which is now axis...
 
Last edited:
  • Like
Reactions: vivek.krishnan

Lord Nemesis

Overlord
Veteran
Jun 3, 2005
5,936
2,407
377
They also knew exactly how much money was in his account. And these days there's no need to clone cards really. Just copy or take a photo of the info on the card. After that it's just otp phishing.
Since you said that the card was not used anywhere except ATM, I said a skimming device could have been used to get the details. Once the card details are procured, it is not difficult to know the exact balance at least with HDFC. You call HDFC, provide either customer id or last 4 digits of the card number in the IVR process and know the balance.

This is an interesting question. Earlier you had to submit the physical FD receipt and countersign it to liquidate it.

Does it still work the same way today with completely digitised core banking?
For FD's opened at branch, you have to follow the same process.

Also unless something has changed, banks etc. are only liable to give you 1 lakh in case they dissolve. Keep this and the current volatile financial system in mind before investing anywhere. Anything can fold anytime. Just takes the right kind of scam.

UTI was a perfect example of this. So many people lost their life savings, everything, but the institution continued as UTI bank which is now axis...
Yep, Max insurance provided is 1 lac per customer and provided by RBI via DICGC . FRDI Bill tried to compromise this by making it the discretion of a new regulatory body, but it did not get passed.
 

Julian

om nom nom
Veteran
Jul 31, 2008
1,842
741
201
38
Navi Mumbai
Since you said that the card was not used anywhere except ATM, I said a skimming device could have been used to get the details. Once the card details are procured, it is not difficult to know the exact balance at least with HDFC. You call HDFC, provide either customer id or last 4 digits of the card number in the IVR process and know the balance.
What the hell? It's that easy to check someone's balance? Every POS clerk can do that then! There really is no need for skimming at all. And with the last layer of protection, the OTP, being compromised by tricks like SIM swapping, it's not that far fetched at all.
 

Lord Nemesis

Overlord
Veteran
Jun 3, 2005
5,936
2,407
377
You do need the debit card pin (or phone banking pin) if you are calling from a number that is not registered with the account. But if calling from registered number (say obtained via SIM swap), only customer id or debit card last 4 digits is enough to know the balance.

HDFC also has a missed call service. You give a missed call to a designated number from your registered number and it will send you the balance details via SMS.
 

Julian

om nom nom
Veteran
Jul 31, 2008
1,842
741
201
38
Navi Mumbai
In any case, it's pretty clear these frauds are getting more and more common, and even the 2FA that other countries don't have, but we do is proving inadequate. So before they come up with more complicated security measures, they should have better consumer refund and grievance redressal options, which is how those countries manage nicely without 2fa.
 

swatkats

Well-Known Member
Veteran
Jul 16, 2011
3,893
1,666
201
Hyderabad
Are there any data logs at the banks NOC if some employee access the customer details?

I know for a fact that few employees misuse their Authorization to check their relatives bank balances and helping her sister to tell about her Jijaji's expenditure and balances!
 
  • Like
Reactions: paarkhi

Julian

om nom nom
Veteran
Jul 31, 2008
1,842
741
201
38
Navi Mumbai
Now that you mention it checking balances at the local PSU banks used to be very simple. I would call the direct number of my branch (BOI & Canara) and ask them what is the balance for my account #xyz. They wouldn't verify the caller, would just inform the balance directly. But now with the missed call>>sms banking system that's not needed. But atleast for PSU banks it was very simple to get someones balance as long as you had the account no. Debit card no. would not help though.
 

rdst_1

Well-Known Member
Veteran
May 10, 2009
2,583
1,203
253
32
I think a lot more details might have been compromised in this case.
These guys even transferred all the money from the OD account. I don't think that can be done without netbanking.
For an HDFC account, even to change the netbanking password, they send half OTP to phone number and half to registered email address. Thus this guy's email would also have to be hacked in order to change the netbanking password, if it was.
 
  • Like
Reactions: paarkhi

adventureguy

Well-Known Member
Veteran
Nov 16, 2015
1,234
560
126
Hyderabad
Are there any data logs at the banks NOC if some employee access the customer details?

I know for a fact that few employees misuse their Authorization to check their relatives bank balances and helping her sister to tell about her Jijaji's expenditure and balances!
I went to replace my old debit card with new EVM chip based ones and idiot there opened my account details , saw the balance and asked me to take a credit card without any hesitation. no concept of privacy in indian banks.
 

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
I went to replace my old debit card with new EVM chip based ones and idiot there opened my account details , saw the balance and asked me to take a credit card without any hesitation. no concept of privacy in indian banks.
Which bank? I got my decade old card changed online itself. Complete privacy.
 

paarkhi

Well-Known Member
Veteran
Mar 26, 2010
2,452
832
202
Never thought that SIM and mobile number will become the most important thing to keep secured for secured banking.
 
  • Like
Reactions: Julian

rdst_1

Well-Known Member
Veteran
May 10, 2009
2,583
1,203
253
32
Never thought that SIM and mobile number will become the most important thing to keep secured for secured banking.
This is so true. I would rather have just Internet Banking. Phone no should be only for alerts. But thanks to our govt/RBI who mandated OTP for online usage, banks have gone ahead and made available so many features just through OTP. It helps both banks and consumers, so I guess we can't put the blame just on banks, as we consumers also want every feature available online for our ease.
In this case, banks are clearly not at fault as the hackers used the loopholes in the telecom service provider's system. The protocols in those regards will have to be beefed up.
 
  • Like
Reactions: paarkhi

Lord Nemesis

Overlord
Veteran
Jun 3, 2005
5,936
2,407
377
I went to replace my old debit card with new EVM chip based ones and idiot there opened my account details , saw the balance and asked me to take a credit card without any hesitation. no concept of privacy in indian banks.
Why do you think the staff can't view the basic profile including worth of the customer relationship (bank balance + credit cards + FDs + any other touch points with the bank)? It is universal to all banks, not just canara bank. There will be access roles, but anybody who can take a request for debit card replacement will be able to view your profile as well.

Are there any data logs at the banks NOC if some employee access the customer details?

I know for a fact that few employees misuse their Authorization to check their relatives bank balances and helping her sister to tell about her Jijaji's expenditure and balances!
Yes, security audit logs would be mandatory in banking systems to track who is accessing what via the back office. Bank Employees will be able to pull up information about account subject to their access control policy allowing it. Staff sitting in tellers would have significant access. Checking account balance is trivial. Most people working int the branch except for the security guards and the attenders will have access to it.

Banking systems have to comply by PCI DSS standards and periodic audits are performed for this purpose. The one time I have seen this violated is when Govt forced the BHIM UPI app to be released to public without going through any security audits and people who installed the app early on out of misguided patriotism suffered for it. UPI Integration regulation itself states that PCI DSS compliance is mandatory.
 

adventureguy

Well-Known Member
Veteran
Nov 16, 2015
1,234
560
126
Hyderabad
Why do you think the staff can't view the basic profile including worth of the customer relationship (bank balance + credit cards + FDs + any other touch points with the bank)? It is universal to all banks, not just canara bank. There will be access roles, but anybody who can take a request for debit card replacement will be able to view your profile as well.
I'd wish this were'nt available for normal officers who do money work infront of other customers. my hdfc has a separate officer how takes these requests in separate cubicle. normal officers who do the manual money collecting work don't have access to this customer info
 

Lord Nemesis

Overlord
Veteran
Jun 3, 2005
5,936
2,407
377
All staff sitting in bank tellers in HDFC have access to the details. My main savings account is with HDFC. When I went for some work, the lady in the teller tried to pitch me Recurring Deposit, Fixed Deposits and ULIP policies saying I have over 5 lac in savings account. I told her that I already do FD's online, but she begged to take a FD at the branch as they probably get some commissions for that. I just told her that the surplus funds were because I wanted to make a part payment towards my home loan and walked away. Recently, I called HDFC about EMV enabled debit card and even that executive checked my bank balance and credit card and tried to sell me a ULIP policy on the credit card.

This sort of cross/up selling has become quite common with banks and that's why they get access to basic profile of the customer. Even the ICICI corporate relationship manager tried to pitch me ULIP polices when I approached him about EMV debit card.[DOUBLEPOST=1546589306][/DOUBLEPOST]Just to add, they probably will also have some analytics and recommendation engine to tell the staff what to pitch to the customer when they pull up the profile.
 

nRiTeCh

If you can see the green dot, I'm online ;-)
Veteran
As per my experience with major banks, any designated cubicle person esp on the counter windows do have similar access throughout their band levels except for the branch manager who have special privileges.

Take an eg: If pc on counter no 1 suddenly goes into some issue you are redirected to window no 2 and so on. So no counter has any excuses related to customer db access etc. Unless it is relative to any special or sensitive request you are redirected to a special counter or allotted a representative.
So for normal operations like savings, salary, fd, loan, credit cards, etc everything is transparent and accessible across all counters.

This was for sbi, axis, yes, icici & hdfc.