West Bengal

Kolkata-II(Central)

CC/245/2012

HIMANSHU SARKAR - Complainant(s)

Versus

STATE BANK OF INDIA & ANOTHER. - Opp.Party(s)

PABAN KUMAR ADDY

19 Aug 2014

ORDER

DISTRICT CONSUMER DISPUTES REDRESSAL FORUM
KOLKATA UNIT - II.
8-B, NELLIE SENGUPTA SARANI, 7TH FLOOR,
KOLKATA-700087.
 
Complaint Case No. CC/245/2012
 
1. HIMANSHU SARKAR
69B,SASHIBHUSAN DEY STRET,P.S-MICHIPARA,CALCUTTA-700012.
...........Complainant(s)
Versus
1. STATE BANK OF INDIA & ANOTHER.
SAMRIDDHI BHAWAN,7TH FLOOR,KOLKATA-700001,P.S-HARE STREET.
............Opp.Party(s)
 
BEFORE: 
 HON'BLE MR. Bipin Mukhopadhyay PRESIDENT
 HON'ABLE MR. Ashok Kumar Chanda MEMBER
 HON'ABLE MRS. Sangita Paul MEMBER
 
For the Complainant:PABAN KUMAR ADDY, Advocate
For the Opp. Party: S.Ahmed, Advocate
ORDER

Complainant by filing this complaint has submitted that he is an account holder of SBI vide A/C No. 20010244005 of Sashi Bushan Dey Street Branch Kolkata-700012 and availing the ATM Debit Card No. 6220180576800017286 since the year 2006/07.

          It is stated by the complainant that on 01.01.2012 he went to the ATM Counter at Subodh Mallick Square, Kolkata-700012 at about 8:15 AM and entered his ATM Card and pressed the PIN Number but could not get the money from the ATM due to hypertechnical ground as the concerned ATM was hanged.

          It is also stated by the complainant that since he was in need of money, he again went to the ATM counter of SBI at Rafi Ahmed Kidwai Road (Wellesly Park) which is 10:15 minutes walking distance from Subodh Mallick Square ATM Counter and withdrew Rs. 2,000/- but the most striking factor is that Rs. 10,000/- has been withdrawn from his account by somebody else from the ATM Counter of Subodh Mallick Square in the morning session.  He immediately took up the matter with the op/bank on 01.01.2012 and lodged FIR at Bowbazar P.S.  But finding it difficult to get back money he also served legal notice on 15.06.2012 on the op/SBI to take appropriate step within 10 days and cautioned them not to erase the footage or clippings of the ATM relating to the incident on 01.01.2012.

          Fact remains though the op/SBI Branch of Sashi Bhusan Dey Street Kolkata received the letter dated 18.06.2012 and also the op/SBI Subodh Mallick Square Branch Kolkata received on 16.06.2012 but no action was taken by them.  He also informed Ombudsman Department, RBI, Kolkata vide its letter dated 22.03.2012 who also did not pay any heed in the matter.

          Ultimately, finding no alternative way, the complaint is filed before the Ld. Forum by the complainant to adjudicate the matter and to get relief from the Ld. Forum.

          In its W/V op no.1 stated that no doubt the complainant is a customer/account holder of SBI, Sashi Buhusan Branch, Kolkata being his SB A/C No.20010244005 having ATM Debit Card No. 6220180576800017286 as issued to him against his SB A/C No.

          In its submission, the op/bank stated that the ATM Card and secret PIN/Pass word have been issued exclusively and confidentially in the name of the account holder with a strict direction to use the ATM Card with secret password/code to be used properly by the complainant.

            Fact remains, as per records available with the complainant, 2 (two) transactions took place on the same date on 01.01.2012 with the sum of Rs.10,000/- and Rs. 2,000/- respectively which have been withdrawn from two separate machines situated at two different places such as (1) ATM of Subodh Mallick Square, Kolkata -700012 and the other ATM at Rafi Ahmed Kidwai Road, Kolkata-700016 bearing its machine no. S10BW3084079 and S10A000004040 respectively on same day i.e. 01.01.2012 at 8:24:48 hrs AM and 08:40:11 hrs AM separately and respectively by the said account holder by using the same ATM Card of the said complainant himself.  As and when the matter was brought to the attention of the bank, immediately action has been taken by them and it was found that money has been withdrawn by using the said ATM and by inserting his right password.  As such there cannot be any negligence or deficiency of service on their part as alleged by the complainant.  So, the op/bank cannot be held responsible under any imagination for misuse of ATM Card and/or withdrawal of money from ATM counters by use of right password as in this case.  The deficiency of service and any other allegations etc. as alleged by the complainant has got no basis and as such it is denied.  So, the petition of the complainant is liable to be rejected.

          On the other hand, the op no.2/bank by filing written version submitted that record shows on 1st January-2012 either the petitioner/complainant or any of his representative must have visited the ATM Counter at Subodh Mallick Square, Kolkata-700012 for the purpose of withdrawal of Rs. 10,000/- at about 8:15 AM and it is denied that the complainant could not withdraw Rs. 10,000/- even after complying initial formalities for the purpose of withdrawal of Rs. 10,000/- and also denied the ATM at Subodh Mallick Square was hanged in course of transaction as alleged by the complainant and it is most surprising that he did not attempt to withdraw Rs. 10,000/- but only withdrew Rs. 2,000/- from another nearby ATM at Rafi Ahmed Kidwai Road whereas the statement of accounts reveals that the petitioner/complainant withdrew the said amount of Rs. 2,000/- from the ATM Counter of Alipore.  It is also stated that only after withdrawal of money or any other facilities available in ATM and in this case the instant record shows that the transaction is completed and thus, the allegation made by the complainant is vague and based on no evidence.  So, the complaint is liable to be dismissed.

                                                 Decision with reasons

          In this case practically argument was heard from the complainant who appeared personally and also heard the Ld. Lawyer of the op/bank who referred that the National Commission by its judgement reported in 2011 (2) CPR 26 (NC) already observed that it is not possible for any bank for refund of money when complainant has failed to prove by any cogent evidence that the money has been withdrawn by any unauthorized person from the ATM without any ATM Card and knowledge of PIN number and in this case, complainant plainly stated on the occasion from his account Rs. 10,000/- was withdrawn from the said ATM and as such the entire complaint is hoaxed for which the complaint should be dismissed when complainant has failed to prove negligence and deficiency on the part of the op.  Further Ld. Lawyer of the op submitted as per system of ATM as prevailed at present an unauthorised person is unable to withdraw money without using the ATM card and along with the PIN number relating to the said ATM card.  Then it is the duty of the complainant to prove how the said money was withdrawn without using his ATM card and related PIN number which is in the custody of the complainant, but complainant is completely silent in this regard for which the complaint should be dismissed.

          On the other hand the complainant in its submission stated that he went to Subodh Mallick Square ATM counter on 01-01-2012 at 08:15 AM and he swapped his debit card in the ATM but its screen was shown blank and did not get any response and he left with his debit card.  But the complainant got astonished that from SBI Subodh Mallick Square Branch an amount of Rs. 10,000/- was withdrawn from his account through ATM and thus Rs. 10,000/- has been debited by the Bank Authority who also confirmed that by using the ATM card of the complainant money was withdrawn and also mentioned that without the knowledge of secret PIN number and ATM card no transaction is possible.

          So, the casual approach and defence of the bank that without ATM card and PIN number no unauthorized person can withdraw the money from ATM is not scientifically accepted in view of the present operation of the hackers.  So, the entire defence of the op is most unscientific and about the judgment, the bank what has pointed out even if it is accepted it can be stated that in the judgment the art of fraud in ATM as adopted by the hackers are not at all discussed and at the same time when the complainant filed this complaint has no need to tell a lie before the bank authority or the Forum for such money but because it was stolen by adopting some scientific process by the hackers, so complainant appeared before this Forum.

          Considering the argument of the Ld. Lawyer of the op and also the judgment as referred by the op, we have gathered that it is normal procedure as it is found in all the ATM cases, but fact remains that the complainant pointed out a very vital question and if the observation and ruling of the National Commission are taken into account then global problem of ATM hacking cannot be solved by the judgment.  So, for that purpose, we have gone through some types of ATM threats practically card and currency fraud which involves both direct attacks to steal and indirect attacks to steal a consumer’s identity (i.e. card, data and PIN numbers).  The intent of indirect attacks is to fraudulently use the consumer data to create counterfeit cards and obtain money from the customer’s account through fraudulent redemption.

          There is another procedure of hacking, that is skimming, and ATM card skimming is the most prevalent and well known attack against ATMs.  Card skimmers are devices used by perpetrators to capture card holder data from the magnetic stripe on the back of an ATM card.  These sophisticated devices, smaller than a deck of cards and resembling a hand held credit card scanner, are often installed factory installed card reader his card into the card reader, the skimmer captures the card information before it passes into ATMs card reader to initiate the transaction.  The transaction continues in a normal fashion.  When removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM.  An expensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM cards.  Typically, criminals design skimming devices to be undetectable by consumers.

          There are certain kinds of card skimming attack and that generally occasion External Card Skimming – Skimming is made by placing a device over the card reader stop (motorized or dip) to capture consumer data from the magnetic stripe on the card during a transaction.  This is the most common form of card skimming.  There is another procedure i.e. called card trapping or fishing and card trapping and fishing attempt to steal consumer’s card as they are inserted into the card reader during a transaction.  The purpose of this type of attack is to steal the card and use it at a later time to make fraudulent withdrawals from the consumer’s accounts but this type of hacking did not happen in this case.  There is another type of trapping and fishing and currency trapping and fishing is an attempt by perpetrators to capture currency that is dispensed by the ATM during a transaction whether it be in an envelope or as cash that is being deposited by the consumer during a transaction and trapping is made by a false dispenser front placed over the shoulder of the dispenser with adhesive or tape on the inside  to trap the notes before they are dispensed whereas fishing is the methods used are similar to those used to fish for cards, virus proves and hooks that are difficult for the consumer to see are used to prevent cash from being dispensed.  When the unwary consumer leaves the ATM, the perpetrator returns and uses the fishing device to retrieve the currency.  There is another hacking system with malware and with any computer system the purpose of installing malicious software (malware) is to violate the confidentiality, integrity and/or authenticity of data on that computer system.  Designed to collect card holder data and/or dispense card, malware and hacking can occur both locally or remotely.  
Local attacks operate by accessing the top hat and down loading the malware using a USB or attacking a USB sniffing device to intercept communication between the card readers and the ATM’s computer. Remote attacks on ATM network occur at some point in the communication with the host or at the backend infrastructure.  Typically, these sophisticated attacks are carried out by well-funded criminal organizations.  As per present global problem of ATM hacking malware threats are of particular concern as they are on the rise and constant by evolving on attempt to stay a head of security measures.  For malware to be installed physical and administrative access to the ATM platform’s operative system is necessary.  There are some other hacking of ATM by the hackers which are collected from some books on the subject the present situation in the global market on the ATM fraud around the world.  But peculiarity is that in all judgements nowhere all these types of hacking are discussed.  But only the simple method is adopted that an unauthorized person cannot withdraw money from ATM without using ATM card and PIN Code, but worldwide computer systems have expressed that there is no necessity to get the card and ATM PIN Code from the customer.  A person having computer knowledge of ATM system can easily trap the ATM card number and ATM by using devices and also the PIN code by playing some process by applying devices and thereafter they use it.  So, the judgment is passed by the different hierarchies have not discussed or considered the total method of hackers of ATM when card skimming is the most prevalent problem and it is the report of the banking sector of India that different types of ATM theft huge loss is being faced by the banking sector.  
So, we have gathered that the present ATM card system are not at par scientific method because in the present ATM as being used by the banking authority has no skim resistance chip cards and at the same time the banking authority have their no knowledge of technologies of ATM fleet, but in whole Asia more and more countries in Europe are migrating towards embedded chip cards and FIS in Asia are rapidly expanding their network size, Asia is first becoming a target for ATM fraud.  The most prevalent type of fraud in Asia is card skimming.  It is to be mentioned in this regard if the bank authority does not submit any such document before this Forum that they have adopted devices to check the ATM from card skimming then we are convinced to hold that the op’s version that ATM was quite OK cannot be accepted but truth is that there is no such certificate issued by the bank authority that against the present ATM to check the fraud and card skimming they have expanded their network by migrating towards embedded chip and FLS in India but truth is that Malaysia and Taiwan like smaller countries have already arranged such devices and most of the FIS in the region are adopting fraud deterrence technologies for their ATM fleet.  All these matters are not in the mind of administration of bank though more and more technologies are being invented by the hackers who are not simple thief but most intelligent and operate the ATM without any PIN code and ATM card and they are engaged in preparing system and devices to capture the customers card and PIN code and in such a manner and in this case that procedure was adopted by the hackers and in absence of ATM card and PIN code they withdrew it.  
If anyone or any hacker complete skimming or malware that is sufficient during transaction and it is collected by present such devices and it is impossible to search out by security also that what has been done and subsequently it was preserved in their devices and in their software system and subsequently they use it.  So, practically in this case we have found that the ruling what has been referred by the Ld. Lawyer for the op is found not on the basis of any technologies but more and more studies are required by the Forum and also by the Lawyers to cope up with the present technologies, related to fraud adopted who are handling the ATM fraud to learn how and what manner fraud can be practiced by the hackers by adopting different technologies.  We pointed out two or three technologies but there are thousands of techniques.

          Fact remains in this case similar accident happened but bank is always casual and in their hand there are three or four rulings of National Commission or State Commission and said view are common in all respects but we have failed to understand why even today no such authoritative approach has been adopted by the hierarchy when all over the world ATM fraud is treated as a cyber crime.  So, present technologies must be read daily or at the time of handling such case it shall be dealt with the line of technologies as adopted by the hackers and at the same time anti devices should be used by the authorities of the bank to save their ATMs or online transaction etc.  So, it is the duty of the bank to submit such certificate that anti devices are taken with the ATM. So, question of hacking does not arise, but bank authority has not said so that certificate has not been submitted by the bank authority but it is the duty of the bank to transact all type of transaction the safety and when bank has fixed ATM for smooth service then smooth security and smooth anti devices must be fixed so that the hacker must not have any access by applying the technologies to withdraw the amount in absence of ATM card and PIN.

          After thorough study of different books of ATM fraud and securities and also different types of anti devices which are being used by the Taiwan Indonesia like the poor countries, we are astonished that their thinking for the customers but Indian banks are thinking for their only ruling of State Commission and National Commission to dismiss the case of the complainant but science is progressing technologies are progressing daily but we are lagging behind to go through the books because we are always relying upon some verdict but it must be kept in our mind when we deal with particular matter, we must go through the particular subject also before coming into any conclusion.  So, in this case after thorough study of the entire method of hacking and also the above discussion, we are convinced to hold that the present type of hacking is logical attacks and same are being used in the ATM operating system by applying different modes and in the present case, no doubt skimming has been adopted by the hackers and as because there is no anti devices in the ATM to defend the hackers attempt to withdraw money and fact is that the complainant went at the SBI ATM at Subodh Maullick Square, Kolkata- 700012 about 08:15 AM on 01.01.2012 and he swiped his debit card in the ATM but the screen remained blank and he did not get the money from the ATM due to hypertechnical ground as the concerned ATM was hanged. He then returned and again went to the ATM counter of SBI, Rafi Ahmed Kidwai Road (Wellesely Park) at 10:15 AM and withdrew Rs. 2,000/- but most striking factor which surprised the complainant that Rs. 10,000/- was withdrawn from his account by somebody else.  
The complainant immediately took up the matter with the Bank Authority and also made a FIR with the Bowbazar Police Station but ultimately he did not get any favourable assurance either from the bank or from the other authorities concern that is the Ombudsman Department also and in spite of several requests/persuasions no CCTV footage was shown by the op/bank.

          On overall study of the written version of the Bank it is admitted fact that complainant is a customer in respect of Account No.20010244005 belonged to Sashi Bhusan Dey Street Branch having an ATM Debit Card bearing No.6220 1805 76800017286 which was issued against that account of the complainant and complainant has been using that card and it is admitted by the OP that they received a complaint on 03-01-2012 in respect of fraudulent withdrawal of Rs.10,000/- on 01-01-2012 and State Bank made the submission that the allegation made by the complainant is self contradictory as it is not possible for anyone to withdraw his money from the ATM when he himself alleged that the ATM of Subodh Mullick Square was hanged at around 08:15 AM.  It is a fact that complainant has challenged that withdrawal and claimed that it is a fraudulent type of withdrawal by some unknown person and in this regard he also lodged a complaint to Police but no action was initiated from their end.  Now, the question is whether the theory as taken by the Bank in all cases that when the ATM card including secret Pin No. are within the custody of the customer, the customer shall have to prove how the card went to the hand of third party and how third party came to learn the secret Pin No.  But truth is that in this case complainant has not stated that at any point of time he handed over the same to the third party informing his secret Pin No.  So, invariably there is no scope to get the said secret Pin No. and card by any third person then question is how it was withdrawn by fraudster.  It is the common perception of different authorities who are deciding such disputes that without secret Pin No. and the ATM card no money can be withdrawn.  But this perception has no scientific basis which is evident in the case because in this case complainant has very specifically submitted on 01-01-2012 he went to Subodh Maullick Square, Kolkata- 700012 for withdrawal of Rs. 
10,000/- at about 08:15 AM but withdrawal was not possible due to hypertechnical ground as the concerned ATM was hanged.  But at about 08:40 AM he withdrew Rs. 2,000/- from the ATM counter of Rafi Ahmed Kidwai Road and to his utter surprise he found that Rs. 10,000/- was withdrawn from his account by somebody else. But there is no explanation on the part of the OP that how a person would be able to withdraw such amount from Subodh Maullick Square, Kolkata- 700012 within 25 minutes from using card by the complainant.  So, it is clear that hacking was made by such intelligent group of hackers who applied the very scientific method malware by placing such devices and developed software.  So, it is clear that bank has failed to prove how it was possible to withdraw the said amount withdrawn by some fraudsters and considering the fact it is clear that the theory of the bank that when a customer possesses ATM Card and secret Pin No. and if any withdrawal from the ATM is successful in that case it shall be always presumed that the customer has withdrawn it or he placed some persons to withdraw it but this theory has no scientific basis which is proved in this case and police also investigate and found that third person withdrew the same and no doubt in the present case hacker was successful and those fraudsters have their more sophisticated computer knowledge in hacking and they have committed such offence but bank authority is only one book i.e. reported ruling like a placard before all the Forums that when ATM and Pin No. 
are within the custody of the customer there is no question of hacking, there is no question of withdrawn by fraudster but that theorization is proved false theory and bank in this case no doubt has not submitted such material to show in the present case that there are no laches, deficiency on the part of the Bank for not applying the anti-devices to check the fraudsters or hackers and practically in their system no modern technologies have been applied for checking skimming or FLS and in view of the above premises we are convinced to hold that the present amount of Rs.10,000/- was not withdrawn by the complainant.  It was withdrawn by the fraudsters that was proved but Bank has not complied it.  So, we are convinced that allegation of the complainant is proved beyond any manner of doubt.  Further it is proved that in absence of ATM card and secret Pin No. the modern fraudsters and hackers are able to withdraw it by adopting several process of hacking and it is a science and that science and technique are being practiced by the hackers daily at different stages.  But Bank is here and there knowing nothing about that and Bank has also failed to produce any document to show that in the said ATM machine anti-hacking devices were fitted and they have their authorities those who are called anti-devices software (testing) but in casual manner only producing two rulings they are defending before all the Forums, Civil Courts and other but in this case it is proved beyond any manner of doubt that their ruling failed to help their defence which is casual defence having no scientific basis.

          In view of the above, we are of the opinion that in this case the complainant is a consumer and the SBI/OP is providing service as defined u/s.2(1)(o) of the Act.  Though the video footage in connection with the incident was in the custody of the Bank authority, but it is not clear whether they saw it on a regular basis for security of money of their customers and the said ATM premises and whether ATM had no security guard/authorized person to look after and protect the consumers.  Had the ATM premises being guarded the miscreants would not have moved inside the ATM premises having ATM card and been able to withdraw money without PIN Code No.  So, the bank authority failed to arrange for proper service to the complainant what tantamounts to deficiency in service as defined u/s.2(1)(g) and 2(1)(o) of the C.P. Act, 1986 respectively and for such act of SBI/OP, the complainant has to suffer financial loss, harassment and mental agony and lost his money amounting to Rs.10,000/- lying with his ATM bank account with the SBI, Subodh Maullick Square, Kolkata- 700012 and in spite of knowing the incident of such withdrawal of Rs.10,000/- through unauthorized persons/fraudsters/miscreants, the OP/SBI did not refund the money to the complainant and take appropriate steps to protect the money of the customers who kept in its savings bank account on the ground of savings of their hard earned money.

          Merely because the ATM equipment does not accept anything except ATM card and PIN and the PIN is like a password and only in the knowledge of the ATM card holder does not mean that such withdrawals cannot be made unauthorisedly or fraudulently.  Had it been so there would not have been large number of cases of fraudulent withdrawals from the ATM accounts of consumers.  This is not the first case of its kind that we are dealing with.  In the past also we have dealt with large number of such cases and the same pleas were raised by the counsel for the bank that ATM equipment does not accept anything except ATM and PIN and the PIN is like a password and only in the knowledge of the ATM card holder.  Either such withdrawals are made by unauthorized persons who come to know about the PIN number either from the staff of the bank or by some unauthorized persons every bank is obliged to install CCTV Footage and it was only through those CCTV’s that large numbers of banks were able to detect fraudulent withdrawals.

          So considering all the methods and facts as discussed, we are convinced to hold that bank administration has failed to that, they in their system the ATM counter attacks the anti fraud technologies was applied for skimming resistance i.e. job cards or FLS.  So, it is proved that bank is no doubt negligent and deficient to give proper protection to the ATM card holder regarding security and safety of the identity of the card and confidential numbers and no such certificate has been submitted by the bank authority that they are using it in Bangalore, Mumbai and other states.

          In the light of the above observations, we are convinced to hold that bank authority is negligent and deficient to give protection in respect of the ATM and also to the card holder and his PIN code and for which we are convinced to hold that complainant is entitled to get back the amount of Rs.10,000/- with 8% interest and the op/bank shall pay and refund the same with interest against the savings bank account of the complainant.  After concluding our judgment we want to say that the bank authority to be more careful in future and their administration who are controlling the entire ATM all over India so that they may apply the present technologies to defend the fraud technology from the ATM fleet.  Otherwise the bank shall be always committed by producing two or three judgments of all the Commissions but truth is otherwise.

          In the result, the case succeeds.

          Hence,

ORDERED

 

That the case be and the same is allowed on contest with cost of Rs.5,000/- (Rupees Five thousand only) against the OP/Bank.

          OP is hereby directed to pay the amount of Rs.10,000/- (Rupees Ten thousand only) with 8% interest from the date of stolen of money by the hackers or authorized person from the ATM but same shall be refunded to the complainant and be deposited against his bank account within 30 (thirty) days from the date of this order failing which for non-compliance of the Forum’s order OP shall have to pay punitive damages of Rs.10,000/- (Rupees Ten thousand only) only to this Forum but even then if it is found that OP/Bank is reluctant to comply this order in that case the penal proceedings shall be started for which they may be imposed further penalty u/s 27 of the C.P. Act 1986. 

 
 
[HON'BLE MR. Bipin Mukhopadhyay]
PRESIDENT
 
[HON'ABLE MR. Ashok Kumar Chanda]
MEMBER
 
[HON'ABLE MRS. Sangita Paul]
MEMBER
