Today the newspaper carried this article, and as I read the ‘advisory’ a thought struck me: this “gyaan” is for the poor sod of a common man. It is for the poor sod who got swindled of Rs 300k.
And I got thinking about this one-sided game that has been played out, over and over, since the start of online banking. I am sure this was happening before the net came along too.
Anyway – the first point is that the bank is a custodian of our money but behaves as though, once the money is deposited with them, it belongs to them. When the chips are compromised, their risk management seems to be dead, their public responsibility is (apparently) only for the glossy annual reports, their cyber security enablement is a washout, and everyone from Board to Watchman gets involved in covering up the crap, citing inane confidentiality clauses which are conveniently printed in the smallest type.
In short, if anything goes wrong with your bank account – remember, it is your fault! Then start asking questions!
Never seen a Public Advisory for Banks!
It seems all the rules for safety and security apply to the depositor and none to the bank. I mean, have you EVER seen a public advisory in a mainstream newspaper addressed to banks?
Even during the recent WannaCry malware outbreak, when the country was discussing the presence of Windows XP in most ATMs and how they could be at risk of compromise – NOT A SINGLE LINE OF PRINT OR WEB CONTENT said “banks are advised to clean up their crap”. Not a single word of advice directed at banks from CERT, NCSC, RBI, ReBIT, IBA, IDRBT or anyone. All the advisories gave gyaan to users and enterprises, and the banks have simply swept the episode under multiple carpets.
No point digging up the skeletons from the Mother of All ATM Malware Incidents of October 2016, because that is conveniently under wraps too. Who cares what action was taken against Hitachi, or the PCI assessor, or the auditor(s), or the banks (for not having ‘reasonable’ oversight of their vendors)?
BTW, does anyone care about the Axis bank of evil – getting hacked, and then being involved in the criminal use of Aadhaar information?
If any advisory was issued, it is not in the public domain.
Bankers are “sarv gyaani” and cannot do any wrong!
Why is this bank’s risk management system sleeping in Kumbhkaran mode?
Every bank talks BIG about its risk management system and how it gets alerted to anomalies in transactions, but this is the biggest BS story when it comes down to brass tacks. From what we see in the news, these very same bankers have done a pretty bad job of risk management all along.
In this case, a card is being misused and the red flags are up – so why is the bank making phone calls? The system should have automatically blocked the transactions when it observed multiple transactions in that short period of time, with (nearly) matching amounts, all being charged online. This is a standard pattern and should have set alarm bells ringing. Now the bank will say – we called you!
Every bank today is running a CBS (how good or bad it is, is another debate), and a CBS SHOULD have risk management at its very core. I am no banker but do understand that this is a fundamental need when dealing with money. It seems to be missing from many banks! Can anyone enlighten me?
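To show how little it takes to catch the pattern described above, here is an added example of a velocity rule run over constructed card transactions. It is not the bank’s code, nor any rule published by RBI; the thresholds (three card-not-present transactions within ten minutes whose amounts lie within 10% of each other) are illustrative assumptions, and the transaction records are made up to resemble the case in the article (four online charges of roughly Rs 75,000 in eight minutes, adding up to about Rs 300k).

```python
"""Velocity rule for card-not-present fraud: N near-identical online charges
in a short window should decline the Nth charge and block the card.
Thresholds and transaction data here are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card: str          # card identifier (hypothetical, e.g. last four digits)
    ts: datetime       # authorisation timestamp
    amount: float      # in rupees
    channel: str       # "online" (card-not-present), "pos" or "atm"


def amounts_match(a: float, b: float, tol: float) -> bool:
    """True when two amounts differ by at most tol (a fraction) of the larger."""
    return abs(a - b) <= tol * max(a, b)


def first_block_point(
    txns: List[Txn],
    window: timedelta = timedelta(minutes=10),   # assumed threshold
    min_count: int = 3,                          # assumed threshold
    tol: float = 0.10,                           # assumed threshold
) -> Optional[str]:
    """Replay one card's transactions in time order and return the txn_id at
    which the rule fires (the charge that should be declined and the card
    blocked), or None if the rule never fires.

    Only "online" (card-not-present) charges count; POS and ATM activity is
    ignored so that a normal shopping day does not trip the rule."""
    recent: List[Txn] = []
    for t in sorted(txns, key=lambda x: x.ts):
        if t.channel != "online":
            continue
        # slide the window: keep only charges still within `window` of this one
        recent = [r for r in recent if t.ts - r.ts <= window]
        recent.append(t)
        similar = [r for r in recent if amounts_match(r.amount, t.amount, tol)]
        if len(similar) >= min_count:
            return t.txn_id
    return None


def evaluate(txns: List[Txn]) -> Dict[str, Optional[str]]:
    """Group a transaction feed by card and run the rule per card."""
    by_card: Dict[str, List[Txn]] = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)
    return {card: first_block_point(rows) for card, rows in by_card.items()}


def _at(hh: int, mm: int) -> datetime:
    return datetime(2017, 6, 1, hh, mm)   # constructed date


# Constructed sample feed (not real data).
SAMPLE: List[Txn] = [
    # Card A: the article's pattern - four near-identical online charges in 8 min
    Txn("A1", "A", _at(10, 0), 74_900, "online"),
    Txn("A2", "A", _at(10, 3), 74_950, "online"),
    Txn("A3", "A", _at(10, 5), 75_000, "online"),
    Txn("A4", "A", _at(10, 8), 74_800, "online"),
    # Card B: an ordinary day - grocery POS, one small online buy, one ATM draw
    Txn("B1", "B", _at(9, 15), 1_200, "pos"),
    Txn("B2", "B", _at(12, 40), 499, "online"),
    Txn("B3", "B", _at(18, 5), 5_000, "atm"),
    # Card C: a legitimate online spree - many charges, but amounts all differ
    Txn("C1", "C", _at(10, 0), 499, "online"),
    Txn("C2", "C", _at(10, 2), 12_000, "online"),
    Txn("C3", "C", _at(10, 4), 2_300, "online"),
    Txn("C4", "C", _at(10, 6), 2_200, "online"),
    # Card D: identical amounts but spread 30 min apart - outside the window
    Txn("D1", "D", _at(9, 0), 5_000, "online"),
    Txn("D2", "D", _at(9, 30), 5_000, "online"),
    Txn("D3", "D", _at(10, 0), 5_000, "online"),
]

if __name__ == "__main__":
    for card, block_at in evaluate(SAMPLE).items():
        print(f"card {card}: " + (f"block at {block_at}" if block_at else "no action"))
```

Card A is stopped at its third charge, before the fourth one lands, while cards B, C and D (normal activity, a varied spree, and repeats too far apart) pass untouched. The point is not that these thresholds are right for any real bank, but that the rule is a few lines of stateful logic over data the CBS already has, so there is no excuse for it to be missing.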
What I cannot understand is why these “gyaani” bankers can’t buy cyber insurance to cover the risk of small-value frauds. I don’t think the all-India total will be more than 1000 cr, which is way, way less than the nearest NPA, the loan given by them to their favourite fraudsters. (You can call me to help <hahah>)
The BIGGEST Spammers on the Block – Banks
It seems the marketing idiots in the banks have not read the story about “crying wolf” and, over the years, these guys have become the biggest spammers of all. It is the reason this Navy gent just switched off his phone when he saw the caller was the bank.
You give your phone number to the bank and every day you get what? [1] crappy repetitive messages about not giving your password and PIN to unknown callers; [2] OTPs; [3] transaction information when a card is used or an account is accessed; [4] marketing messages for loans and government schemes; [5] a reminder about your loan / credit card payment; [6] a re-reminder for your loan / credit card payment; [7] a re-re-reminder for your loan / credit card payment (if you have paid, please ignore); [8] a warning about late payments; [9] a warning that their collection agency will call you; [10] you changed your PIN / password; [11] you contacted their call centre, please give feedback (even if they could not help); [12] you are eligible for a new loan / top-up… and so on.
So if you have no friends but do have a bank account, you can be happy in the thought that your banker will send you a lot of messages, and then charge you Rs 150 per transaction.
With the plethora of emails and SMS messages being sent by banks and their marketing agents, it is no wonder that many people will have blocked them or will delete the messages unread.
The biggest joke is that when you try to report a lost / stolen card or ‘account misuse’, your first challenge is to find the phone number to call (in spite of all the spam from the bank); the second challenge is to get through the IVR; and then you have to explain yourself to the CSR, who will ask you to go to the nearest cop station. And therein begins another challenge in your life.
It’s all confidential, like state secrets
No one will ever know what transpires between RBI (and our multiple other regulators) and the bank(s). It’s all secret, or so it is made out to be. It’s like – hey, you common poor sod on the street – this is beyond your understanding, so just go about your business.
Just bring your money, deposit it here and shove off. If you get hacked / screwed / social engineered / compromised – it’s your fault. I have PCI, DKIM, DLP, SIEM, IPS/IDS, NGFW, SOC, NOC, AI, ML, RM, IM, ITSM, SHIT, and you only have MAA.
It is easy to understand the comfortable relationship between the regulator and the bank; otherwise it would not be possible to see 1000 crore NPA announcements every other day. And NPAs aside, it would not be possible for the convicts to run off to meet the Queen once they are declared offenders here… unless there is a quid pro quo!
I don’t understand why the regulators will not publish a list of banks which do not have “reasonable” and “effective” security practices and procedures in place.
The Fall Guy on the Street
Banks are investing millions in cutting-edge technology and systems to bring the best experience to the customer, but will run miles to duck responsibility for any liability towards the small guy. RBI had come up with a circular in August 2016 (Customer Protection – Limiting Liability of Customers) and everyone was happy that the regulator was (finally) showing empathy for the Fraud Peedith Account Holder. Alas, this was short-lived, as it turns out this was a make-junta-feel-good gimmick. The circular has been buried and no one talks about it. Instead, banks have started charging for transactions!
The common man does not know how badly the bank is doing in terms of security or in terms of its NPAs. The bank can merrily use his personal information for all sorts of sales calls and can even sell or share the information. Bank transaction data is available to the social engineering fraudsters who are calling and defrauding thousands of account holders, but the bank says it is not responsible! This is just another joke being played on the account holder!
The bank has my information, which is supposed to be held in confidence and kept safe. The bank’s data store is compromised physically or digitally, or a bank insider sells it to a fraudster. The fraudster calls me and swindles me by convincing me that he / she is a legitimate banker (using my verified information). Now the banker says it is my fault, I gave out the information. The joke is on me – they took my info, they sold it, the criminal used it, he took my money, and I am at fault!
HOW COME NO BANK OFFICIAL HAS EVER BEEN SWINDLED? (Show me one RBI, ReBIT, IBA, IDRBT, ICICI, HDFC, PNB, SBI… ANY BANK GUY WHO HAS HAD HIS / HER ACCOUNT COMPROMISED.)
Banks need to change their outlook
Frankly, it is high time bankers started looking at the real issues, walked the talk and showed empathy with victims. Mere lip service will not help, and soon the banks will have to struggle with social boycott and trolls. What then? Ask the government to put a BAN on discussing how banks function?
There is a lot more to do, and maybe boards need to listen to the bankers who are members of the various social groups where such issues are discussed.
One hopes for the best, and one hopes that this Navy guy gets his money back from the bank (which is a remote possibility).