A young executive gets a text alert at midnight saying he has been charged $96 on his debit card by an unknown shopping portal as payment for a purchase he did not make. He immediately checks his text messages to see if any one-time-password was sent to him to authenticate the transaction but does not find any. Next day his bank confirms that his card details have been used to make an online purchase at the portal, based abroad.
Sept. 24: Calcutta police are being flooded with complaints that the requirement of one-time password (OTP) for online transactions is being bypassed to facilitate fraudulent purchases during the festive season.
Investigators found that all the fraudulent transactions were made through foreign payment gateways that apparently do not have a two-step verification system in place and hence did not ask for an OTP.
On an average, Lalbazar has been receiving over two dozens such complaints every week for the past two months, sources said. While phishing calls to extract OTP and subsequent fraud are common in Calcutta, complaints of money being withdrawn without OTP were rare till the floodgates opened recently.
The fraudulent transactions have been reported through several types of foreign payment gateways including recharge portals, shopping portals and even a poultry company in the US, sources said.
"In each of these complaints, the victim had used his/her card a few hours before the money has got deducted. So we are sure that the fraud is related to the use of debit and credit cards," said a senior officer.
For instance, officers investigating the young executive's complaint concluded that his card details fell in the hands of the fraudsters the day before the transaction, when he had used his cards at a pizza outlet, a petrol pump and an online shopping portal (different from the one where his card was used fraudulently) to buy a watch.
Alarmed by the number of such complaints Calcutta police have contacted the banks whose account holders have faced this problem and shared with them the list of foreign payment gateways through which such transactions have been made.
Police's preliminary suspicion lies in the fact that people behind these dubious transactions have somehow accessed to the card details that they are using in foreign gateways that, unlike the Indian portals, do not prompt for OTPs.
Only payments are made through payment gateways that act as a link between the buyer and the seller.
In case of the Indian payment gateways, once a transaction is initiated, the gateway prompts for an OTP or a password to prevent misuse of a card details by an unauthorised user.
"The rules in India are stringent under the RBI guidelines. No online transaction can be carried out without an OTP. But that is not the case for foreign portals. For making purchases through foreign payment gateways, one just needs the card details. Anyone who has the card details (card number, expiry date and CVV) can carry out a transaction without alerting the authorised user," said a senior officer at Lalbazar.
Card details can be copied in a schemer once the card is swiped through it.
So, according to investigators, it is advisable that card users while making payments should be cautious that the card should not be taken out of sight.
