JUDGEMENT

          The subject matter of the instant case is that the complainant is an account holder with ICICI Bank vide No. SB 627801082891 and availing ATM banking having ATM ID SICW3461, Debit Card No.4704566278004032. 

          It is stated by the complainant that on 17.09.2013 at about 5:58 PM he withdrew of Rs.1,500/- from ICICI ATM at Vivekananda Road Branch.  Thereafter at about 6:02 PM, the complainant received another SMS showing debit of Rs.10,000/- from his account.  It is also stated by the complainant that he immediately called up customer care executive and blocked his card and lodged a complain with the Girish Park Police Station on 17.09.2013 and he submitted a card dispute form duly filled in on 07.10.2013 at the instance of the bank.

          Fact remains that by a letter dated 19.09.2013, the Bank informed that investigation has been initiated and it will be required 45 working days time.  But the complainant was astonished to learn that the investigation was completed without even calling him to dispose.  Further the CCTV footage could have easily spelled the truth which was not taken into consideration during investigation for reasons best known to the op/Bank.

          In its submission the complainant stated that he had taken due care while operating his debit card and left the ATM only after the ATM became locked after transactions of Rs.1,500/- and no other transaction was entered into by the complainant and no withdrawal of money was made by him from any other ATM on 17.09.2013 after 5:58 PM.

          The specific case of the complainant is that he never withdrew Rs.10,000/- from the ATM on 17.09.2013 and the loss of Rs.10,000/- from his account from the ATM of the op who failed to provide adequate security and could not install secured ATM machines which resulted in loss of money of the complainant.  Hence, this case.

          Whereas by filing written version the ops/Bank submitted that the complainant had made a second debit from an adjacent ATM on the same day.  It is also stated that a different ATM is used vide transaction No. 7426 at Terminal ID SIAN 1668 for an amount of Rs. 10,000/- and practically ATM card with PIN code is within his custody and no other persons has/had access to that.  He operated the machine on 17.09.2013 and had made a debit of Rs.1,500/- which was successful and subsequently the complainant received an SMS stating that Rs.10,000/- has been withdrawn/debited from his account.  It is stated that the second transaction was a successful transaction done from an adjacent ATM in the same premises.  In this regard bank has no fault and there is no deficiency in regard to safety for the ATM machine.  There is no allegation or defect of the machine within the two withdrawals and for such withdrawal practically complainant is responsible and op/Bank has no responsibility about the transaction as alleged by the complainant.  The debit card is a personal possession and the card holder needs to take proper care of its safety to prevent the misuse.  So the op is not liable to reimburse the complainant for the loss.

                                                       Decision with reasons

          On thorough study of the complaint including evidence and the written version and particularly the argument of the op it is no doubt a fact that complainant is a holder of savings bank account being No. SB 627801082891 by ICICI Bank and also availing the facilities of ATM Banking vide ATM ID No. SICW3461,Debit Card No. 4704566278004032 which is being used by him and it is admitted position that complainant particularly went to the ATM counter of ICICI Bank at Vivekananda Road Branch on 17.09.2013 and withdrew Rs.1,500/- at 5:58 PM but when he came out from the ATM Kiosk after collecting the money, thereafter, at 6:02 PM on that date the complainant received another SMS showing debit of Rs.10,000/- from his account.

          Now the main contention of the complainant is that on receiving the SMS of withdrawal Rs.10,000/- by unauthorized person, he immediately blocked his card and lodged complaint with the op no.1 on 18.09.2013 and also submitted a card dispute form duly filled in on 07.10.2013 as advised by the bank.  But the op/Bank failed to provide adequate security and who could not install secured ATM system which resulted in loss of money of the complainant.  It is also stated that security measures were also slack and it is also uncertain whether at all any CCTV was installed at the ATM Centre.  Further, it is stated by the complainant that only one ATM was placed at the said Vivekananda Road Branch of the op ICICI Bank which enhances the risk of misappropriation as there is no privacy while operating the machine.    So, it is clearly the lack of proper security measures and deficiency in service on the part of the ops that resulted in financial loss of the complainant, mental agony and harassment.

          But in its contention op/ICICI Bank stated that the complainant had made a debit of Rs.1,500/- which was successful and subsequently the complainant received an SMS stating that Rs.10,000/- has been debited from his account.  It is stated that the second transaction was a successful transaction which was made from an adjacent ATM in the same premises.  In its submission the Ld. Lawyer for the op submitted that the National Commission by its Judgement reported in 2011 (2) CPR 26 (NC) already observed that it is not possible for any Bank for refund of money when complainant has failed to prove by any cogent evidence that the money has been withdrawn by an unauthorized person from the ATM without ATM Card and knowledge of PIN number and in this case, the complainant has not stated about the use of ATM by the complainant or his presence on the above date before the ATM and, in fact, complainant plainly stated that on that occasion from his account Rs.10,000/- was withdrawn but no whisper whether he appeared before the said ATM and as such the entire complaint is hoax for which the complaint should be dismissed, when complainant has failed to prove negligence and deficiency on the part of op.  Further Ld. Lawyer for the op submitted as per system of ATM as prevailed at present an unauthorized person is unable to withdraw money from the ATM without using ATM Card and along with the PIN number relating to the said ATM Card.  Then it is the duty of the complainant to prove how the said money was withdrawn without using his ATM Card and related PIN number which is in the custody of the complainant, but complainant is completely silent in this regard for which the complaint should be dismissed.

          On the other hand the complainant stated that he went to the ATM and withdrew of Rs.1,500/- from ICICI Bank, Vivekananda Road Branch on 17.09.2013 at 5:58 PM.   Thereafter at 6:02 PM on that date he received another SMS showing debit of Rs.10,000/- from his account.  So, the casual approach and defence of the bank that without ATM card and PIN number no unauthorized person can withdraw the money from ATM is not scientifically accepted in view of the present operation of the hackers.  So, the entire defence of the op is most unscientific and about the judgement, the bank what has pointed out even if it is accepted it can be stated that in the judgement the art of fraud in ATM as adopted by the hackers are not at all discussed and at the same time when the complainant filed this complaint has no need to tell a lie before the bank authority or the Forum for such money but because it was stolen by adopting some scientific process by the hackers, so complainant appeared before this Forum.

          Considering the argument of the Ld. Lawyer of the op and also the judgement as referred by the op, we have gathered that it is normal procedure as it is found in all the ATM cases, but fact remains that the complainant pointed out a very vital question and if the observation and ruling of the National Commission are taken into account then global problem of ATM hacking cannot be solved by the judgement.  So, for that purpose, we have gone through some types of ATM threats practically card and currency fraud which involves both direct attacks to steal and indirect attacks to steal a consumer’s identity (i.e. card, data and PIN numbers).  The intent of indirect attacks is to fraudulently use the consumer data to create counterfeit cards and obtain money from the customer’s account through fraudulent redemption.

          There is another procedure of hacking that is skimming and an ATM Card skimming is the most prevalent and well known attack against ATMs card skimming are devices used by perpetrators to capture card holder data from the magnetic stripe on the back of an ATM card, these sophisticated devices smaller than a deck of cards and resembling a hand held credit card scanner are often installed factory installed card reader his card into the card reader, the skimmer captures the card information before it passes into ATMs card reader to initiate the transaction.  The transaction continues in a normal fashion, when removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM.  An expensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM Card typically, criminals design skimming devices to be undetectable by consumers.

          There are certain kinds of card skimming attack and that generally occasion External Card Skimming – Skimming is made by placing a device over the card reader stop (motorized or dip) to capture consumer data from the magnetic stripe on the card during a transaction.  This is the most common form of card skimming.  There is another procedure i.e. called card trapping or fishing and card trapping and fishing attempt to steal consumer’s card as they are inserted into the card reader during a transaction.  The purpose of this type of attack is to steal the card and use it at a later time to make fraudulent withdrawals from the consumer’s accounts but this type of hacking was not happened in this case.  There is another type of trapping and fishing and currency trapping and fishing is an attempt by perpetrators to capture currency that is dispensed by the ATM during a transaction whether it be in an envelope or as cash that is being deposited by the consumer during a transaction and trapping is made by a false dispenser front placed over the shoulder of the dispenser with adhesive or tape on the inside  to trap the notes before they are dispensed whereas fishing is the methods used are similar to those used to fish or cards, virus proves and hooks that are difficult for the consumer to see are used to prevent cash from being dispensed.  When the unwary consumer leaves the ATM, the perpetrator returns and uses the fishing device to retrieve the currency.  There is another hacking system with malware and with any computer system the purpose of installing malicious software (malware) is to violate the confidentiality, integrity and/or authenticity or data on that computer system.  Designed to collect card holder data and/or dispense card, malware and hacking can occur both locally or remotely.  Local attacks operate by accessing the top hat and down loading the malware using a USB or attacking a USB sniffing device to intercept communication between the card readers and the ATM’s computer. Remote attacks on ATM network occur at some point in the communication with the host or at the backend infrastructure.  Typically, these sophisticated attacks are carried out by well-funded criminal organizations.  As per present global problem of ATM hacking malware threats are of particular concern as they are on the rise and constant by evolving on attempt to stay a head of security measures.  For malware to be installed physical and administrative access to the ATM platform’s operative system is necessary.  There are some other hacking of ATM by the hackers which are collected from some books on the subject the present situation in the global market on the ATM fraud around the world.  But peculiarity is that in all judgements nowhere all these types of hacking are discussed.  But only the simple method is adopted that an unauthorized person cannot withdraw money from ATM without using ATM card and PIN Code, but worldwide computer systems have expressed that there is no necessity to get the card and ATM PIN Code from the customer.  A person having computer knowledge of ATM system can easily trap the ATM card number and ATM by using devices and also the PIN code by playing some process by applying devices and thereafter they use it.  So, the juegement is passed by the different hierarchies have not discussed or considered the total method of hackers of ATM when card skimming is the most prevalent problem and it is the report of the banking sector of India that different types of ATM theft huge loss is being faced by the banking sector.  So, we have gathered that the present ATM card system are not at par scientific method because in the present ATM as being used by the banking authority has no skim resistance chip cards and at the same time the banking authority have their no knowledge of technologies of ATM fleet, but in whole Asia more and more countries in Europe are migrating towards embedded chip cards and FIS in Asia are rapidly expanding their network size, Asia is first becoming a target for ATM fraud.  The most prevalent type of fraud in Asia is card skimming.  It is to be mentioned in this regard if the bank authority does not submit any such document before this Forum that they have adopted devices to check the ATM from card skimming then we are convinced to hold that the op’s version that ATM was quite OK cannot be accepted but truth is that there is no such certificate issued by the bank authority that against the present ATM to check the fraud and card skimming they have expanded their network by migrating towards embedded chip and FIS in India but truth is that Malayasia and Taiwan like a smaller countries have already arranged such devices and most of the FIS in the region are adopting fraud deterrence technologies for their ATM fleet.  All these matters are not in the mind of administration of bank though more and more technologies are being invented by the hackers who are not simple thief but most intelligent and operate the ATM without any PIN code and ATM card and they are engaged in preparing system and devices to capture the customers card and PIN code and in such a manner and in this case that procedure was adopted by the hackers and in absence of ATM card and PIN code they withdrew it.  If anyone or any hacker complete skimming or malware that is sufficient during transaction and it is collected by present such devices and it is impossible to search out by security also that what has been done and subsequently it was preserved in their devices and in their software system and subsequently they use it.  So, practically in this case we have found that the ruling what has been referred by the Ld. Lawyer for the op is found not on the basis of any technologies but more and more studies are required by the Forum and also by the Lawyers to cope up with the present technologies, related to fraud adopted who are handling the ATM fraud to learn how and what manner fraud can be practiced by the hackers by adopting different technologies.  We pointed out two or three technologies but there are thousands of techniques.

          Fact remains in this case similar accident happened but bank is always casual and in their hand there are three or four rulings of National Commission or State Commission and said view are common in all respects but we have failed to understand why even today no such authoritative approach has been adopted by the hierarchy when all over the world ATM fraud is treated as a cyber crime.  So, present technologies must be read daily or at the time of handling such case it shall be dealt with the line of technologies as adopted by the hackers and at the same time anti devices should be used by the authorities of the bank to save their ATMs or online transaction etc.  So, it is the duty of the bank to submit such certificate that anti devices are taken with the ATM. So, question of hacking does not arise, but bank authority has not said so that certificate has not been submitted by the bank authority but it is the duty of the bank to transact all type of transaction the safety and when bank has fixed ATM for smooth service then smooth security and smooth anti devices must be fixed so that the hacker must not any access by applying the technologies to withdraw the amount in absence of ATM card and PIN.

          After thorough study of different books of ATM fraud and securities and also different types of anti devices which are being used by the Taiwan Indonesia like the poor countries, we are astonished that their thinking for the customers but Indian banks are thinking for their only ruling of State Commission and National Commission to dismiss the case of the complainant but science is progressing technologies are progressing daily but we are lagging behind to go through the books because we are always relying upon some verdict but it is must be kept in our mind when we deal with particular matter, we must to go through the particular subject also before coming into any conclusion.  So, in this case after thorough study of the entire method of hacking and also the above discussion, we are convinced to hold that the present type of hacking is logical attacks and same are being used in another ATM operating system of the same premises by applying different modes and in the present case, no doubt skimming has been adopted by the hackers and as because there is no anti devices in the ATM to defend the hackers attempt to withdraw money and fact is that the complainant went at the ATM Counter to withdraw Rs.1,500/- and received the money from the ATM, but when he went back he received another SMS on that date after a few minutes that Rs.10,000/- has been debited from his savings account.         

          So considering all the methods and facts as discussed, we are convinced to hold that bank administration has failed to that, they in their system the ATM counter attacks the anti fraud technologies was applied for skimming resistance i.e. job cards or FIS.  So, it is proved that bank is no doubt negligent and deficient to give proper protection to the ATM card holder regarding security and safety of the identity of the card and confidential numbers and no such certificate has been submitted by the bank authority that they are using it in Bangalore, Mumbai and other states.

          In the light of the above observations, we are convinced to hold that bank authority is negligent and deficient to give protection in respect of the ATM and also to the card holder and his PIN code and for which we are convinced to hold that complainant is entitled to get back the amount of Rs.10,000/- with 8% interest and the op/bank shall pay and refund the same with interest against the savings bank account of the complainant.  After concluding our judgement we want to say that the bank authority to be more careful in future and their administration who are controlling the entire ATM all over India so that they may apply the present technologies to defend the fraud technology from the ATM fleet.  Otherwise the bank shall be always committed by producing two or three judgements of all the Commissions but truth is otherwise.

          In the result, the case succeeds.

          Hence,                                         ORDERED

          That the case be and the same is allowed on contest with cost of Rs.5,000/- against the op/Bank.

          Op is hereby directed to pay the amount of Rs.10,000/- only with 8% interest from the date of stolen of money by the hackers or authorized person from the ATM but same shall be refunded to the complainant and be deposited against his bank account within 15 (fifteen) days from the date of this order failing which for non-compliance of the Forum’s order op shall have to pay punitive damages of Rs.10,000/- only to this Forum but even then if it is found that op/Bank is reluctant to comply this order in that case the penal proceedings shall be started for which they may be imposed further penalty u/s 27 of the C.P. Act 1986.