As I was taking my car out on the second day after Dipawali, i.e., 15-Nov-2012, I was distracted by my phone which announced arrival of 15 messages. I thought these must be delayed Dipawali greetings and that I could defer viewing them. But then I opened the message box on impulse. Out came the Jack-in-the-box and hit me with full force. All the 15 messages were for successful transactions on my credit card! All the transactions appeared to be carried out on the Internet and they were all done within the span of one hour with the midnight hour of 14th and 15th November in the middle. The last transaction was for Rs.200/= for draining out the credit limit to the hilt.
So I parked the car right outside my house and went back in. A lot of telephone calls were made to Bobcards and umpteen mails exchanged. I also visited two websites where several of the transactions were made and left complaint notes using a form available on them. One of them promptly acknowledged the message and also charged back the amount saying that investigations showed that it was a fraudulent transaction. The other asked me to request my card company to talk to them. All these messages were passed on to Bobcards.
It seems that my password for internet card transactions was reset by the miscreants and then used for the fraudulent transactions. Now the Verified-by-Visa (VBV) implementation by Bobcards definitely lacks security. So if you have forgotten your password or are a miscreant who has got the card number, CVV and expiry date but doesn't has the password, the only additional piece of data required for resetting the password is cardholder's date of birth! All these data are available with the card company and its service providers and if a staff is so inclined he can easily carry out the password reset operation. I inquired with some other banks' customers. They have given me to understand that they have to use an OTP (One Time Password) for password reset. The OTP is sent to them on their registered mobile number. This security check is missing in the Bobcards implementation, and this weakness is sure to attract cyber criminals in hordes.
So be careful with your Bobcard. I am relying on the following (picked up from the Visa website):
So I parked the car right outside my house and went back in. A lot of telephone calls were made to Bobcards and umpteen mails exchanged. I also visited two websites where several of the transactions were made and left complaint notes using a form available on them. One of them promptly acknowledged the message and also charged back the amount saying that investigations showed that it was a fraudulent transaction. The other asked me to request my card company to talk to them. All these messages were passed on to Bobcards.
It seems that my password for internet card transactions was reset by the miscreants and then used for the fraudulent transactions. Now the Verified-by-Visa (VBV) implementation by Bobcards definitely lacks security. So if you have forgotten your password or are a miscreant who has got the card number, CVV and expiry date but doesn't has the password, the only additional piece of data required for resetting the password is cardholder's date of birth! All these data are available with the card company and its service providers and if a staff is so inclined he can easily carry out the password reset operation. I inquired with some other banks' customers. They have given me to understand that they have to use an OTP (One Time Password) for password reset. The OTP is sent to them on their registered mobile number. This security check is missing in the Bobcards implementation, and this weakness is sure to attract cyber criminals in hordes.
So be careful with your Bobcard. I am relying on the following (picked up from the Visa website):
Zero Liability
Shop anywhere with absolutely no risk
Your peace of mind and protection are paramount to Visa. Visa's Zero Liability policy is our guarantee that you won’t be held responsible for fraudulent charges made with your card or account information
In fact Visa goes on to say:
Count on quick resolution and provisional credit if your card is lost or stolen. 1
If your account is compromised, Visa is committed to setting things right without further aggravation or inconvenience to you. Visa’s cardholder protection policy requires all financial institutions issuing Visa products to extend provisional credit for losses from unauthorized card use within 5 business days of notification of the loss.
One day in the midnight my BOBCARD was used in America and someone purchased CDs. I cut the BOBCARD in pieces and thrown the BOBCARD forever.
ReplyDeleteThat is really nice to hear. thank you for the update and good luck. unicvv ru
ReplyDeleteThis is really nice to read..informative post is very good to read..thanks a lot! avance cupo en dolares
ReplyDelete