At 9.39 pm on Wednesday, transactions were made from Chembur-based executive Bikash Kumar's credit card in pounds, dollars, rupees, pesos and euros across the world
Financial fraud victim, Bikash Kumar
Bikash Kumar is a thrifty man; he used his credit card all of two times, and solely to pay his electricity bills. So imagine his shock when he realised that someone else had used his card, not once, but nine times and that too in five different countries and currencies - all in a single minute.
On Wednesday, Kumar was having a peaceful night until he received a message with a One-Time Password (OTP) for a transaction on his SBI credit card. "It was around midnight when I got the OTP. I was curious, as I hadn't made any transaction," he recalled.
"When I checked my email, I found that nine transactions had been made at various international websites in various currencies," said Kumar, who lost R84,000 in a single minute.
Also read - Mumbai Crime: Card cloning scam busted at mall kiosk
Credit card fraud has been around for ages now, but this is a rare case where so many transactions were done across five different countries at the same time. The money was siphoned off in nine transactions in five currencies — Pounds, US Dollars, Rupees, Mexican pesos and the Euro. What's stranger is that even though Kumar received the OTP message at midnight, the transactions all took place earlier, at 9.39 pm.
Also read: Nearly 17 million Zomato usernames, passwords stolen from database
"It is a very rare case where so many transactions have been made in different locations at the same time. It's possible several hackers planned simultaneous transactions to avoid getting caught," said cyber law expert Prashant Mali.
Kumar said he used his credit card twice to pay electricity bills, and had never shared his OTP with anyone. "I am an educated man and know very well that OTP is not to be shared with anyone. My card's limit is R85,000, so after the ninth transaction, the bank automatically blocked my card," he said. "I have two children and I am the only breadwinner of the family. This is a huge amount for me and I can't repay it to the bank," said the marketing manager, who has now given a written complaint to the MIDC police station and will also approach the Bandra Cyber Cell.
The transactions included video game purchases, automobile parts and travel – indications that the culprits are likely a group of young hackers, perhaps even college students. "Considering the pattern of transactions, it can be a group of young hackers. Most hackers are aged between 15 and 30 years," said the expert, Mali.
While it seems like they were working in concert, they may not all be part of one group. Instead, one of the hackers likely 'bartered' the credit card details with the rest. "These young hackers follow a barter system, wherein they sell the information to others. For example, if a card's limit is R1lakh, they sell the information for Rs 50,000," added Mali.
Easier on foreign sites
As per cyber experts, it is easier to misuse cards on international websites. Unlike Indian websites, these sites don't require OTP or CVC for transactions. The hackers need to acquire only the card numbers and expiry date. "As per the RBI rules, for transactions on any website based in India, OTP is compulsory, as it is essential while tracking the source of leakage," Vicky Shah, cyber lawyer.
Also read: 'Unprecedented' cyber attack hits 100 countries including India
However, the first transaction was made in Indian rupees without an OTP. "If the victim didn't share his OTP, there are chances that the website's server is based out of India. That's why they could siphon the money," explained Shah, adding, "Banks need to be more alert and notify customers, especially in cases of multiple international transactions."
'it's a new one'
Prashant Mali, cyber law expert'It is a very rare case where so many transactions have been made in different locations at the same time. It's possible that several hackers planned simultaneous transactions to avoid getting caught'
"It is unheard of, for so many transactions to be made in so many countries at a single time. It needs timely coordination between the hackers. We will look into the new modus operandi," said a senior IAS officer.
Minute to lose it
- Rs 3,374: Play-Asia.com (video games)
- MXN 3416.07: Univ D Tercer Milenio
- US$70: Walmart.com
- GBP201.98: spesa.co.uk (automobile accessories)
- EUR105: European travel website
- US$80.7: Gocase.com (phone cases) spent on a
- GBP113: Childsplayclothing.co.uk (children's clothing)
- US$71.46: Car parts website
- US$178.72: Walmart.com