Noida-based Neha Chandra had a shock of her life when, on a New Year vacation to Paris, got her wallet stolen in the Metro and within 15-20 minutes, hackers stole over Rs 1.5 lakh from her debit and credit cards without any OTP or PIN.
The three fraudulent transactions -- two on her HDFC debit card worth Rs 52,499.99 and Rs 44,544.24 and one on HDFC credit card worth Rs 52,499.99 were done at the same merchant called ASHANTI, PARIS 10/FR, on New Year's Eve.
Neha, who works with a PR firm, immediately informed the HDFC customer care, got both the cards blocked, transferred the rest of the amount from the affected savings account to another joint HDFC account, and lodged an FIR in Paris.
"All the necessary information and paperwork required was done well within time as per the RBI guidelines (within one hour of the transaction happening, I blocked my card and within 12 hours, I sent all the paperwork to HDFC Bank)," Neha told IANS.
As per the Reserve Bank of India (RBI) guidelines, there is a three-day window for the affected customers to do the necessary formalities in case of a fraudulent online transaction and once done, the bank will reverse the amount stolen on credit card within 10 working days.
"I am yet to receive any amount from the bank despite following the RBI guidelines. I was even asked by the bank to get the FIR translated into English that will cost me Rs 8,000. Instead of reversing my stolen money, they are asking me to spend more," Neha added.
HDFC Bank said they are investigating the case.
"Prima facie, the customer's money is safe, We will intimate the customer upon the completion of the investigation," said an HDFC Bank spokesperson.
Neha's plight, however, is far from over after 20 days of the incident first reported to the bank.
She is not alone as such cases have grown in the past and since the money is lost in foreign countries where hackers have devised a novel way, it is at times difficult to explain the case to the authorities back home.
According to Rahul Tyagi, co-founder of the cybersecurity firm Lucideus, when using debit cards issued in India abroad, one does not receive an OTP while making an online transaction up to a certain amount.
"All a hacker needs is the card number and CVV. For ATM transactions, there are multiple ways a hacker can get access to the user's PIN, depending on the scenario. For example, a hacker can reset the PIN, use compromised ATMs to track data or can perform a skimming attack," Tyagi told IANS.
Manan Shah, Founder and CEO of Mumbai-based Avalance Global Solutions, agreed: "Hackers have devised unique ways to bypass PIN and OTPs on both debit and credit cards. There are point of sale (PoS) machines in use that do not need OTP for a transaction for a certain amount and I have seen such cases growing in the near past".
From a user's perspective, when travelling abroad, users should request the bank to decrease the minimum transaction amount, continuously monitor the usage of their card and immediately report any anomalies to the bank.
"In the past, we have seen similar incidents happen and as technology continues to develop, people will have to be more aware and be trained when it comes to cybersecurity to tackle such situations better," Tyagi added.
However, despite alerting the bank well within time, Neha is still unable to recover her hard-earned money.