• Hey there! Welcome to TFC! View fewer ads on the website just by signing up on TF Community.

How some Axis Bank credit cards became fraud targets

SSV

TF Reserve
Contributor
VIP Lounge

. .
It seems this is mints premium article.
Normal users may not get access to the account..

for normal users benefit..

premium
MONEY

How some Axis Bank credit cards became fraud targets​

Shipra Singh 4 min read 02 Apr 2024, 04:41 PM IST
Banks should reveal the modus operandi of such attacks so that other institutions and customers can be prepared, say security experts.


Banks should reveal the modus operandi of such attacks so that other institutions and customers can be prepared, say security experts.

SUMMARY​

  • Lender says dubious online international transactions were random attacks on certain cards.
It was at around 9 pm on Tuesday, 26 March, that Ajay Vasani’s phone buzzed a couple of times. He had just received two messages from the bank and froze when he saw the contents. These were two alerts for transactions of 150 New Zealand Dollars (NZD) for ‘Google services’ made using his Axis credit card. But, Vasani, a resident of Ahmedabad, had not subscribed to any such services, in New Zealand or elsewhere. He was quick to figure out that these were fraudulent transactions and immediately called the bank’s customer care helpline to get his credit card blocked.
A few minutes later, the Ahmedabad-based resident got eight more alerts of failed transactions worth NZD 800 (about ₹40,000 after forex conversion).
Vasani was not the only Axis Bank credit card holder targeted that day. There were many others, all Axis Banks customers, who were victimized by a series of international fraudulent transactions . The lender, in an official statement, claimed that it was a malicious attempt from certain foreign merchants and averred that there was no breach of its systems. “There has been no data leak. Some of these transactions are in the nature of random attacks on certain credit cards," the bank said.
To be sure, the malicious attempt by foreign merchants implies that hackers had misused the card details to carry out payments on foreign merchant sites and that the merchants themselves did not attempt the fraudulent transactions.
In interactions with Mint, some cardholders reported that they had received several one-time-passwords (OTPs) for transactions that were not initiated by them, while others said transactions on their cards were unauthorized and went through without their receiving an OTP, a numerical code sent by text messages for cardholders to authorise a transaction.
Kashif Ansari, assistant professor at Jindal School of banking and finance, O P Jindal Global University, said customers do not usually get any OTPs for online international transactions so these are more susceptible to frauds. A six digit OTP, generated randomly by banking systems, acts as a layer of security as these are sent to the cardholder’s phone number or email ID and the transactions can’t proceed without the customer authorizing the transactions by keying in these digits.
Further, in India, after regulations on tokenization were introduced by the Reserve Bank of India (RBI), domestic merchants cannot save or access card details of customers as the details are saved as encrypted tokens. However, this does not apply to international merchants and hence, customer data is saved with them, and thus are more susceptible to frauds.
While fraudulent transactions on cards, both debit and credit, is not uncommon, structured attack on a certain bank or card issuer’s users in a single day, as was the case with Axis, is rare. However, Sanjeev Moghe, head of cards and payments, Axis Bank, told Mint that the scale of the attack was small compared to the bank’s total number of credit card users, reiterating that the customer data from the bank’s end was not compromised.

What went wrong​

Most cardholders said Axis Bank was quick to reverse the payments within 3-4 days. However, the bank did not send an official communication to the affected customers explaining the reasons for the fraudulent payments.
Some users, who had blocked the card and asked the bank to reissue a new one, reported that fraudsters had attempted transactions on the new cards as well —this, when the customers were themselves yet to receive the full details of the new card. A cyber security expert, who did not wish to be named, said this can happen if the fraudsters get access to the server that hosts details of the new card. “The details of the new cards are first pushed virtually into a server and then these are sent for printing the physical cards. Fraudsters would have got access to these servers and used the card details to activate them and attempt fraudulent transactions, " he said.
Banks should reveal the modus operandi of such attacks so that other institutions and customers can be prepared, say other security experts. “Instead of hiding the details, banks need to do a better job of communicating these to customers to increase awareness," said Ritesh Bhatia, a cybersecurity consultant and cybercrime investigator.
The expert quoted in the first instance said banks often remain tight-lipped on the scale of such attacks to avoid investigation from the RBI or Computer Emergency Report Team (CERT), a nodal agency that deals with cybersecurity incidents.

What users can do​

In case of unauthorized card transactions, the first step that a cardholder should take is to get the card blocked by calling the lender’s helpline number. As a second step, they should report the fraud to the bank within three days of such incident, as that ensures zero liability on the card user, as per RBI guidelines.
However, if the user reports the fraud between four and seven days, they are entitled to a compensation of only up to ₹25,000, irrespective of a higher amount lost to such fraud, and when reported after seven days, it’s up to the bank to decide the compensation.
Early reporting will also ensure that you don’t have to pay for the fraudulent transactions while clearing the credit card monthly bills . In such cases, the bank either gives temporary credit to the cardholder or reverses the payment within a few days.
Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
more

TOPICS​

MINT SPECIALS​

 
Last edited:
Attaching the article page for everyone's benefit.

BTW, from what I understand, if the fraudulent transaction is posted, and the amount taken from CC to Posters account, Axis might not be able to recover it (particularly on international ones). So, Axis bank covers this with insurance. The risk premium associated with such transactions is going up with Axis; hence, they will have to tackle this sooner rather than later.

ZNioqIka3G.png
 
Last edited:
I have also faced a fraud transaction issue with chuxis 4 years back. I was holding a Privilege Card and hadn't disabled international transactions. One night at 2AM, 3 transaction of USD2 happened which were successful and then a transaction of USD2000 was attempted. Luckily for such large amount, i received multiple calls from the bank and those calls were silent and the card was immediately blocked. Next day I was in utter shock. I immediately spoke to customer support team and they clarified that 2000 USd was blocked and there were more attempts with smaller amount like 2 or 5 usd after 2000USd but the card was blocked.

I asked to reverse the first 3 transaction totaling 6 USD and then their drama started. They asked me to visit branch, fill a form and show my passport to bank official and the submit a copy of passport. They mentioned about some more processes. It was really annoying. I just left it. Seriously, quite a horrible experience.
 
Back
Top