Misuse of my HDFC Debit Card
This article comes against "HDFC, Hitec City, Madhapur Branch's Security and Privacy Management". I, Komal Rastogi, have had my salaried account with HDFC for the past two years. On 17th Mar 08, I realized that I couldn't locate my HDFC Debit Card and blocked the same within 10 minutes. But on checking my account details through the online banking, I realized that my card had already been misused. I approached the Madhapur branch and was told to submit an FIR, get an indemnity letter franked for Rs 200 and a written application of my card loss and the transaction in dispute.
I am a white collared female employee, who works like all other IT Service Company employees from 9am to 6pm officially but am actually at office, almost till 8pm to meet the client deadlines. But the day I realized the loss of my card, was the day when my journey towards hell began and when I realized how weak an infrastructure we have for Banking Securities
After a good perusal into my HDFC online banking I realized that on 13th Mar 08, somebody had swiped my debit card for Rs 5300 at Vega Mobile Store and Rs 500 at Sri Furniture store. The names sounded very familiar and within minutes I realized that one of the shops was in Madhapur, near Image Hospitals.
In the interest of those who are not aware, in the current scenario, HDFC Debit Cards can be swiped anywhere in the world without a pin / signature / photograph proof (So have a party if you grab your hands on somebody else's card!!)
I went to the shop and asked the shopkeeper to show me the receipt of the transaction done on 13th Mar by my Debit Card. To my extreme happiness of having an active detective brain and being an avid crime story reader or rather extreme depression, I saw the signature of a person called as "Raj Kishore". He had purchased Nokia Model No 5200, with my hard earned money. I requested the shopkeeper to give me the receipt, so that I may show my discovery to the Bank, but he told me that he could give the same only to Police or the Bank if it was a disputed transaction. However I could not locate the Sri Furniture house at all
I called the HDFC Customer service Call centre and asked for the details of both the transactions, but I was told, the only detail that they have is of the name. My first frustration with HDFC started here.
1-Why did the Bank call centre, not know what the location of incident was? If the Bank doesn't have the details, then who else will have the same?
2-Why did they have the name of the shop alone? Shouldn't they have the complete address?
Having worked as a writer before and being currently employed in the Security domain, a series of intelligent questions flashed my mind
3- How did the Bank approve two transactions from my account, when my signature on the back of the Debit Card did not match with the signature of the fraud?
4- Almost all banks have photographs of card holders embedded on Debit and Credit cards. Many also have pin numbers enabled on the same. And no transaction can take place by merely swiping a card. The entry of a pin is mandatory. Why was the right of banking granted to HDFC when their credit and debit card security was so poor? SBI, Citibank, ICICI have been offering this feature since ages.
5- Why was the amount debited from my account without sending me any SMS alert? I remember I was once traveling to Delhi, and was shopping with my Hyderabad ICICI card, and the company was responsible enough to call me and confirm whether I was at Delhi and even sent me SMSes of the amount that was being spent from my cards.
HDFC is very smart in calling me / sending me thousand SMSes if I owe them money through Credit Card or if I transfer money from one account to another. Where did the diligence go when money was being debited from my account by some fraud?
I went to the Madhapur Police Station, as both incidents happened at Madhapur. Unfortunately, I got a very cold feedback from them, as mine was not a case of "theft or stolen", but was a case of "loss of debit card". That reminded me that on 12th Mar 08, around 10pm, when I was traveling alone, my handbag was stolen from Jubilee Hills check post and that my debit card might have been in that bag
I did not report to the Jubilee Hills police station about the same on 12th Mar, as I thought the bag did not contain any valuable items. I remember it had just some keys, few papers, cosmetic items and some cash. I got little scared after the bag snatching episode, and was not aware of any police station in the vicinity that was hidden.
In a world of gold chain snatching, day light killing, I rather felt thankful, that I lost only a hand bag. Moreover I had plans of weekend traveling on 14th Mar and return on 17th Mar 08 early morning
There was no question of going to office that morning. I immediately went to the Jubilee Hills Police Station and reported the case. To get an FIR (No 135A/2008) from them, it took me some 12 hours! Which Indian female would trust and report incidents at 10 pm to such a place? I would have landed spending an entire night alone, at the Police station in this case.
I went to Ameerpet around 6pm to get the franking of Rs 200 done and then went back to the HDFC Bank after following all their formalized standards
To my utter dismay, I was told that the FIR was not sealed by any Police officer and the Bank would not accept the same. I felt like crying right there as I had reached a breaking point of my courage level. Thankfully the Bank employee saw my watery eyes and got the FIR stamped for me the next day
But worse was still to come. After 15 days I was told that the Insurance had rejected my case as it was a case of "customer negligence". What was the new discovery in this? I myself accepted that I lost my card. I had filed the case for "Bank negligence" for giving my money to some fraud without even the slightest use of authentication
In frustration, I broke down to tears in front of the Bank Manager, the staff and the overcrowded Bank. In return I was told stupid consoling statements like:
1- Madam, please be careful next time
2- Madam be happy that you lost just Rs 5800 (alias Rs 6000+ if I include the Rs 200 of Franking, auto drives, loss of pay from office etc). You are really lucky, there are people who lose lakhs
The appropriate answer to the above is:
6- Where was the Bank not careful for the money that a customer is keeping in the custody of the Bank?
7- If people lose lakhs, then it truly shows that the Bank's security policies need a very sound revision. What level of authentication and authorization is done by the Bank before transferring money from one account to another? (I.e. from my account to the shopkeeper's account?)
As a layman I did enough investigation to even tell the model number of the phone that was purchased by my money. Who is the vendor for HDFC insurance who couldn't decipher the difference between a fraud and an authentic user?
I was told my FIR was not worded clearly and I should get an amendment to the FIR as to why there was a delay in blocking the card. The one line answer to it was "I DID NOT realize on 12th Mar that I lost my card. I am an educated person and know that card losses should be reported immediately. I blocked it, on 17th Mar, the day I realized the same"
Needless to mention, my experience at the Police Station, I resubmitted the FIR (No 135B/2008), with the inclusion of that one line.
After 2 months of no reply from the Bank, I went to the Bank in person. And to add to my agony, I was told that it's been rejected a second time by Insurance due to "Customer Negligence".
8- My final question to the Bank – Is the customer not supposed to be sent a simple mail or phone call if his / her case has been rejected / approved? Is the customer expected to stand in queues and beg day and night for updates?
The Bank refuses to allow customers to have direct interaction with the Insurance people as they are a back end body. Fine, then who the hell will give me the ground / reason for rejection?
9- Would the same treatment be offered to NRI or Foreign consumers? In such cases, HDFC would have been on its nerves. Why the same efforts are not made for Indian consumers?
If HDFC, in US or any other country of the world, which is aware of Customer Financial Security is caught of taking the customers on a ride like this, banks like HDFC will lose their credibility, in seconds, but in India, EVERY mistake is of the customer. The Police work at its sweet pace and the Banks are having a gala time.
I accepted long back that I lost my card but the biggest mistake I made was to bank with an organization which does not have its "security policies, compliances, identity and access management, authentication, authorization, integrity, notification and risk governance" in place. In a nutshell, their entire "Security and Privacy Service Management" needs a sincere revision.
I have taken this case to the Reserve Bank of India Ombudsman forum already and am in the process of taking it to the consumer forum too. The amount may be small, but the person who earns it, knows the value of the same
I have a very genuine question to the higher authorities who grant rights to these new upcoming private banks as to why a proper methodology or standard is not followed while giving Banking / Card distribution rights to Banks like HDFC, who are not following the latest market security trends?
If one private bank can follow a standard then why can't the other?
Debit Cards are not just Plastic Cash that any Tom, Dick, Harry, who grabs his hand on the same, can swipe it, without signature / pin/ photograph authentication. We truly need to question the Bank to change its existing unsecured cards and make them safer in the interest of its lakhs of users

3 Comments:
Hi,
I agree with u but plastic industry works that way & there is still a hope to recover the money through insurance.
Have a small question - If u lose Rs 1000 note, do u still blame the bank for not following standards or being used without pin no & blame authorities for non compliance in issuing license to private banks.
Better not to lose the card & be happy with the fact that cards are safer as compared to paper currency.
Regards,
Aby
6:24 AM
It is indeed frightening to learn what kind of security mechanism we have. And what makes me even more scared is that I've opened an account with HDFC just the last week :(
Although this was a case of customer's negligence in losing the card and not reporting immediately, I believe that the bank can and should be held liable for absolute lack of any verification mechanism in place. This is extremely ridiculous, callous, and irresponsible on HDFC's part.
Please do update us on the issue.
6:59 AM
Aby baby.. then you don't know how plastic industry works as if you see in the US.. if something happens of this sort. the bank will revert the money in 10 hours.
4:19 AM