Facilitating digital crime

A few days ago, there was a news story about a gang of bank fraudsters being arrested by the Delhi Police. The gang, which included three HDFC Bank employees, had been trying an elaborate scheme to take over a bank account of an NRI, which was described as 'very high value' in the news. They had managed to get cheque books for the account and were even able to obtain a phone number that was very similar to the NRI's original number and then were trying to change the phone number in the bank's systems. Apparently, some of their actions were flagged by the bank internally, and the police were told. There was an elaborate investigation, and a total of 13 people were arrested.

When you read this news, it comes across as a success story. The idea conveys that fraud was prevented because the bank's systems flagged the activity, and then the police followed it up with rigour. This is no doubt true, but we all know that there is a huge volume of such scams that are happening all the time and hardly any of them get detected or solved. The only thing distinctive about this case is that this was a very 'high value' account. What that actually means is that the account was of high commercial value to the bank. For customers, whatever they have is of high value. If you have just Rs 10,000 in your account, then Rs 10,000 is very high value to you.

Unlike a few years ago, anyone you talk to personally knows someone who has suffered from what one should call an 'OTP fraud'. It seems impossible to find out the true volume and amount involved as well as how it is growing. This is the flip side of the digital revolution in banking. Smooth, easy and convenient fund flows also mean the same from the bank accounts of customers to fraudsters.

What's worse is that more sophisticated methods are also becoming more common. Just a couple of days back, a senior journalist posted a detailed account of how a few lakh rupees were siphoned from his bank account. In this case, it appears that the OTP was exfiltrated from his phone by a fake app that impersonated the app of a travel portal. This kind of sophistication was quite rare a while back but no longer.

Of course, banking fraud is hardly the only kind of financial fraud that seems to be growing. Recently, I saw in a news story that the NSE has suspended 35 brokers in the last four years, mostly for misuse of clients' funds and securities. That's a flabbergasting number - around 1 per cent of the total. Since a relatively small proportion of financial frauds ever comes to light, it makes one wonder what the true scale of this particular type of fraud is. Does this not sound like an emergency situation to someone who might be in a position to do something about it?

As far as a banking fraud goes, it's quite clear that the starting point is often the leak of customer details from banks. An overwhelming number of cases that I have personally heard of are happening to senior citizens. In cases where I have details, the perpetrators always seem to already know some details of the account holder and the account which engenders the initial trust. Banks and the RBI basically pass the buck to customers for giving out OTPs but one never hears of any successful investigation and action on customer-data leakage from banks.

In general, there is complete silence about banks' own liability in creating brittle systems that are easy to bypass. As digital banking becomes the norm, rampant fraud is a huge threat that customers face. Passing the blame to customers and just highlighting the happy stories like the 'high value' case above do not help the lakhs of people who are getting robbed silently.