Phishing is emerging in India as a major concern for the Banking industry. The recent revelation from a security agency that security in 88 Indian Banks has been compromised at one time or another in recent days raises an alarming question about the security of the Indian Banking systems.

While Banks are shortchanging their customers on security for better profits, the hapless customers are bearing the loss on account of the Banks' unsafe practices. Phishing is one of the offshoots of such negligence by Banks, and there is an urgent need for the Indian Banking industry to recognize that the liability for the Customer's loss due to phishing should be borne by the Banks and not transferred to the customers.

Today's Times of India carries a report that more than Rs 1 crore has been reported lost by customers in Chennai City alone in recent days through Phishing Frauds. The Police have admitted that a syndicate is operating from Mumbai but are unable to make any progress in preventing the customers from being defrauded, except for suggesting an awareness campaign amongst the Customers.

The public, however, fail to understand why the Police are unable to question the Banks for following weak information security policies that cause loss to the customers.

In a recent case in Chennai, it had been pointed out to the Police that the concerned Bank had been grossly negligent in its duties, causing a loss to the customer, and hence should be liable under Section 85 of the Information Technology Act for the offence committed through its network. In this case the fraudulent money had been transferred from one of the customers of the Bank in Tuticorin to another customer of the Bank in Mumbai. The money was partly appropriated by the Bank to recover its overdraft dues from the customer, and the balance was withdrawn in cash by the customer.

Despite the customer being a Current account and Overdraft account holder, the Bank was unable to trace him, though the Anti Money Laundering obligations cast on it make it mandatory to keep proper identification of all customers. The Bank admitted to having CCTV footage of the customer withdrawing the money but failed to pass it on to the complainant for investigations. The Bank failed to provide IP address particulars from its servers to enable the Police to undertake investigations.

Despite all these failures having been pointed out, Chennai Police failed to question the Bank and filed an FIR only against the unknown customer who had vanished with the money. This approach is typical of the experiences of most Bank customers who are victims of online Banking frauds. Banks conveniently say that the customer is negligent but fail to admit their own negligence. Police are either unable or unwilling to call a spade a spade and let the Banks go scot-free.

We strongly feel that the time has come to pull up Banks in India to improve the security of their online Banking transactions. In this connection we may recall that the Reserve Bank of India has provided a clear mandate to the Banks that they need to use Digital Signatures for authenticated communication online and that failure to do so would be a legal risk for the Banks. Banks are conveniently ignoring the mandate and enabling easy impersonation of Banks.

Only when the judiciary starts holding Banks liable for Phishing-type frauds will Banks wake up to their responsibility.

It is necessary here to recall that very recently, a German Court has held a Bank liable for phishing and established a principle. This principle of Banks being liable for contributory negligence leading to frauds should be extended to some of the decisions in India.

In the case mentioned earlier, the Bank was even more guilty because it had used the fraudulent money to cover its own overdraft to the fraudster and hence became an accomplice in the con game.

Banks do follow an age-old principle regarding forged cheques: a customer is never liable on a forged cheque, however good the forgery is, unless he has abetted the fraud. The same principle of Banking Law has to be extended to forgery in online Banking transactions.

Though the Police have failed to recognize this point in the cited Chennai case, we hope that when this case goes to the Courts or the adjudicating officer, they will hold the Bank liable directly or vicariously for the negligent handling of the incident and also for not co-operating with the investigation by withholding evidence in its hands.

This would be a historic development and perhaps catalyze the industry towards better security.

The press in India should raise this issue and ensure that Online Banking Customers are provided adequate security and not held liable for Phishing frauds.

Naavi of Naavi.org  
