Remember those days when anyone could take down your credit card number and the CVV (the three-digit card verification value) on the back of the card and use it to make purchases online?
The 'Second Factor Validation' for all online transactions introduced by the banking regulator two years ago has certainly given consumers better protection and, according to the Reserve Bank, has also brought about a considerable reduction in the number of online credit card frauds.
However, the second factor verification has raised another issue - of banks routinely transferring responsibility for any online fraud (which can happen despite the SFV) to customers, even if the customer is not in any way to blame for it. In fact, when customers choose their IPINs online, they are asked to agree to the terms and conditions that hold the customer fully liable for any misuse of the card.
These are obviously one-sided terms and conditions drawn up by the banks and the customer has no option but to agree or else he/she cannot use the credit card for online purchases.
For these very reasons, these terms and conditions can well be challenged by the customer, but as of now, banks seem to be using them to make the customer pay for the fraud, even if it has happened on account of a breach of security at their end.
Rabindra Kejriwal: On November 4, I received an SMS informing me that my card had been used for an online transaction at 5.12 am for Rs 13,619.94. Since I had not used the card, I immediately informed the bank and their only response was that I should contact the merchant and provide the cancellation slip. When I checked on the Internet, I found the merchant to be a company based (or so it claimed) in Orlando, Florida, US, but the website gave no telephone number or any e-mail ID. I sent the details to the bank, but the bank insisted that 'the transaction had been performed in a secure electronic commerce environment and validated by my CVV and date of birth over the Internet'. Hence the liability for the transaction rests with me. What do I do?
Answer: File a complaint with the Economic Offences Wing of the police immediately. Also, lodge a complaint with the nodal officer of the bank and if he does not respond positively, complain to the Banking Ombudsman.
In case of online fraud, the bank can escape liability only in cases where the customer is at fault and has compromised his IPIN in some way: by giving the IPIN to a third party, by keeping the card and the IPIN together in the wallet, or by using the credit card for an online transaction through an unsecured website. However, the bank has to prove such carelessness on the part of the customer. Or else, the bank has to pay. It cannot expect the customer to bear the cost of a transaction that he did not do.
In this case, what surprises me is that the bank is using the date of birth as a second layer of validation for the transaction. It's true that the RBI, in its circular mandating banks to put in place an additional authentication, said that such authentication should be 'based on information not visible on the cards'.
However, in this Internet age, one would hardly think of date of birth as a secure password. So, the very fact that the bank was using DOB and not an IPIN especially generated for the purpose would weaken the bank's case.