Order No.                 .

This is an application u/s.12 of the C.P. Act, 1986.

          The subject matter of the instant case is that the complainant is an account holder with the State Bank of India vide A/c. No.11063004013 of Shyambazar Branch at 124A,Bidhan Sarani, Kolkata – 700 004 and availing ATM debit Card No.6220180018000047482.

          It is stated by the complainant that on 29-06-2011 he went to the Tollygunge Metro Station compound ATM Counter at about 11:28 a.m. for balance enquiry and swapped his debit card in the 2^nd ATM but found screen removed blank and he did not get any response while two men who were inside of the ATM room wherein four ATM have been installed, who told him to use the first no.1 machine as the 2^nd and others are defective and accordingly he checked balance of Rs.13,149/- and pressed the cancel button and also left along with his debit card and balance slip.  However, at about 2:30 p.m. he got SMS from SBI Shyambazar that at 11:38 a.m. Rs.13,000/- was withdrawn from his SBI Account through ATM.  Being shocked and surprised he immediately contacted with the SBI, Shyambazar Branch and talked to Mr. Naik, the ATM dealing officer and lodged complaint and also came to know another amount of Rs.100/- was also withdrawn from his account.  The complainant being aggrieved then lodged a written complaint to the Branch Manager, SBI, Shyambazar Branch, on 30-06-2011 and also filed on FIR No.152/11 with the Regent Park Police Station vide his written complaint dated 01-07-2011.  Under this circumstances, the complainant took the matter with the Consumer Service Cell, SBI through a written complaint on 08-07-2011 for taking appropriate action in the matter immediately for such fraudulent withdrawal of money from his account and also in the event of the advice of the OP official not to deposit money in his account, the cheques already issued by him got dishonoured and Rs.200/- also was debited to his account.

          On several persuasions before the OP for realization of his money for which the complainant lodged compliant before the Directorate of CA&FBP, Govt. of West Bengal who took up the matter with the OP/Bank but they did not revert the amount of Rs.13,100/- along with admissible interest in his favour.

          Hence, this case.

          On the other hand, OP/Bank by filing written version submitted that no doubt complainant is a customer of savings bank account no.11063004013 having ATM debit card No.6220180018000047482 which belongs to State Bank of India, Shyambazar Branch, Kolkata.

          Ini its submission, the OP/Bank stated that on receiving the complaint dated 30-06-2011 in respect of withdrawal of sum of Rs.13,000/- and Rs.100/- on 29-06-2011, the OP/SBI made an enquiry and came to know that on 29^th June, 2011 at 11:29:16 hours a sum of Rs.13,000/- was withdrawn through ATM, ATM ID No.S10A003084040 and on the same date at 11:29:54 hours a sum of Rs.100/- was also withdrawn through ATM ID No.S10A003084041 and the transactions were successful.  So, the allegations made against the OP/SBI are baseless, after thought and motivated to obtain illegal gains.  So, the application filed by the complainant is not maintainable in fact as well as in law and is liable to be dismissed.

Decision with Reasons

In this case practically argument was heard from the complainant who appeared personally and also heard the Ld. Lawyer for the op and Ld. Lawyer for the op submitted that the National Commission by its Judgment reported in 2011 (2) CPR 26 (NC) already observed that it is not possible for any Bank for refund of money when complainant has failed to prove by any cogent evidence that the money has been withdrawn by an unauthorized person from the ATM without ATM Card and knowledge of PIN number and in this case, the complainant has not stated about the use of ATM by the complainant or his presence on the above date before the ATM and, in fact, complainant plainly stated that on that occasion from his account Rs.13,100/- was withdrawn but no whisper whether he appeared before the said ATM and as such the entire complaint is hoax for which the complaint should be dismissed, when complainant has failed to prove negligence and deficiency on the part of op.  Further Ld. Lawyer for the op submitted as per system of ATM as prevailed at present an unauthorized person is unable to withdraw money from the ATM without using ATM Card and along with the PIN number relating to the said ATM Card.  Then it is the duty of the complainant to prove how the said money was withdrawn without using his ATM Card and related PIN number which is in the custody of the complainant, but complainant is completely silent in this regard for which the complaint should be dismissed.

          On the other hand the complainant in its submission stated that he went to Tollygunge Metro Station Compound ATM counter on 29-06-2011 for balance enquiry and in that room there were four ATM machines and he swapped his debit card in the 2^nd ATM at about 11:28 a.m. but its screen was shown blank and did not get any response wherein two persons were present in ATM No.1(one) who told him to use the 1^st one ATM since the two other ATM were defective and thereby he checked the balance amount of Rs.13,149/- from No.1 ATM and received the balance slip, pressed the cancel button and left with his debit card.  But the complainant got SMS from SBI Shyambazar at 11:38 a.m. that Rs.13,000/- was withdrawn from his account through ATM and also Rs.100/- was withdrawn in the 2^nd time from his same account and thus total amount of Rs.13,100/- has been debited by the Bank Authority who also confirmed that by using the ATM card of the complainant money was withdrawn and also mentioned that without the knowledge of secret PIN number and ATM card no transaction is possible.

          So, the casual approach and defence of the bank that without ATM card and PIN number no unauthorized person can withdraw the money from ATM is not scientifically accepted in view of the present operation of the hackers.  So, the entire defence of the op is most unscientific and about the judgment, the bank what has pointed out even if it is accepted it can be stated that in the judgment the art of fraud in ATM as adopted by the hackers are not at all discussed and at the same time when the complainant filed this complaint has no need to tell a lie before the bank authority or the Forum for such money but because it was stolen by adopting some scientific process by the hackers, so complainant appeared before this Forum.

          Considering the argument of the Ld. Lawyer of the op and also the judgment as referred by the op, we have gathered that it is normal procedure as it is found in all the ATM cases, but fact remains that the complainant pointed out a very vital question and if the observation and ruling of the National Commission are taken into account then global problem of ATM hacking cannot be solved by the judgment.  So, for that purpose, we have gone through some types of ATM threats practically card and currency fraud which involves both direct attacks to steal and indirect attacks to steal a consumer’s identity (i.e. card, data and PIN numbers).  The intent of indirect attacks is to fraudulently use the consumer data to create counterfeit cards and obtain money from the customer’s account through fraudulent redemption.

          There is another procedure of hacking that is skimming and an ATM Card skimming is the most prevalent and well known attack against ATMs card skimming are devices used by perpetrators to capture card holder data from the magnetic stripe on the back of an ATM card, these sophisticated devices smaller than a deck of cards and resembling a hand held credit card scanner are often installed factory installed card reader his card into the card reader, the skimmer captures the card information before it passes into ATMs card reader to initiate the transaction.  The transaction continues in a normal fashion, when removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM.  An expensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM Card typically, criminals design skimming devices to be undetectable by consumers.

          There are certain kinds of card skimming attack and that generally occasion External Card Skimming – Skimming is made by placing a device over the card reader stop (motorized or dip) to capture consumer data from the magnetic stripe on the card during a transaction.  This is the most common form of card skimming.  There is another procedure i.e. called card trapping or fishing and card trapping and fishing attempt to steal consumer’s card as they are inserted into the card reader during a transaction.  The purpose of this type of attack is to steal the card and use it at a later time to make fraudulent withdrawals from the consumer’s accounts but this type of hacking was not happened in this case.  There is another type of trapping and fishing and currency trapping and fishing is an attempt by perpitrators to capture currency that is dispensed by the ATM during a transaction whether it be in an envelope or as cash that is being deposited by the consumer during a transaction and trapping is made by a false dispenser front placed over the shoulder of the dispenser with adhesive or tape on the inside  to trap the notes before they are dispensed whereas fishing is the methods used are similar to those used to fish or cards, virus proves and hooks that are difficult for the consumer to see are used to prevent cash from being dispensed.  When the unwary consumer leaves the ATM, the perpetrator returns and uses the fishing device to retrieve the currency.  There is another hacking system with malware and with any computer system the purpose of installing malicious software (malware) is to violate the confidentiality, integrity and/or authenticity or data on that computer system.  Designed to collect card holder data and/or dispense card, malware and hacking can occur both locally or remotely.  Local attacks operate by accessing the top hat and down loading the malware using a USB or attacking a USB sniffing device to intercept communication between the card readers and the ATM’s computer. Remote attacks on ATM network occur at some point in the communication with the host or at the backend infrastructure.  Typically, these sophisticated attacks are carried out by well-funded criminal organizations.  As per present global problem of ATM hacking malware threats are of particular concern as they are on the rise and constant by evolving on attempt to stay a head of security measures.  For malware to be installed physical and administrative access to the ATM platform’s operative system is necessary.  There are some other hacking of ATM by the hackers which are collected from some books on the subject the present situation in the global market on the ATM fraud around the world.  But peculiarity is that in all judgements nowhere all these types of hacking are discussed.  But only the simple method is adopted that an unauthorized person cannot withdraw money from ATM without using ATM card and PIN Code, but worldwide computer systems have expressed that there is no necessity to get the card and ATM PIN Code from the customer.  A person having computer knowledge of ATM system can easily trap the ATM card number and ATM by using devices and also the PIN code by playing some process by applying devices and thereafter they use it.  So, the judgment is passed by the different hierarchies have not discussed or considered the total method of hackers of ATM when card skimming is the most prevalent problem and it is the report of the banking sector of India that different types of ATM theft huge loss is being faced by the banking sector.  So, we have gathered that the present ATM card system are not at par scientific method because in the present ATM as being used by the banking authority has no skim resistance chip cards and at the same time the banking authority have their no knowledge of technologies of ATM fleet, but in whole Asia more and more countries in Europe are migrating towards embedded chip cards and FIS in Asia are rapidly expanding their network size, Asia is first becoming a target for ATM fraud.  The most prevalent type of fraud in Asia is card skimming.  It is to be mentioned in this regard if the bank authority does not submit any such document before this Forum that they have adopted devices to check the ATM from card skimming then we are convinced to hold that the op’s version that ATM was quite OK cannot be accepted but truth is that there is no such certificate issued by the bank authority that against the present ATM to check the fraud and card skimming they have expanded their network by migrating towards embedded chip and FLS in India but truth is that Malayasia and Taiwan like a smaller countries have already arranged such devices and most of the FIS in the region are adopting fraud deterrence technologies for their ATM fleet.  All these matters are not in the mind of administration of bank though more and more technologies are being invented by the hackers who are not simple thief but most intelligent and operate the ATM without any PIN code and ATM card and they are engaged in preparing system and devices to capture the customers card and PIN code and in such a manner and in this case that procedure was adopted by the hackers and in absence of ATM card and PIN code they withdrew it.  If anyone or any hacker complete skimming or malware that is sufficient during transaction and it is collected by present such devices and it is impossible to search out by security also that what has been done and subsequently it was preserved in their devices and in their software system and subsequently they use it.  So, practically in this case we have found that the ruling what has been referred by the Ld. Lawyer for the op is found not on the basis of any technologies but more and more studies are required by the Forum and also by the Lawyers to cope up with the present technologies, related to fraud adopted who are handling the ATM fraud to learn how and what manner fraud can be practiced by the hackers by adopting different technologies.  We pointed out two or three technologies but there are thousands of techniques.

          Fact remains in this case similar accident happened but bank is always casual and in their hand there are three or four rulings of National Commission or State Commission and said view are common in all respects but we have failed to understand why even today no such authoritative approach has been adopted by the hierarchy when all over the world ATM fraud is treated as a cyber crime.  So, present technologies must be read daily or at the time of handling such case it shall be dealt with the line of technologies as adopted by the hackers and at the same time anti devices should be used by the authorities of the bank to save their ATMs or online transaction etc.  So, it is the duty of the bank to submit such certificate that anti devices are taken with the ATM. So, question of hacking does not arise, but bank authority has not said so that certificate has not been submitted by the bank authority but it is the duty of the bank to transact all type of transaction the safety and when bank has fixed ATM for smooth service then smooth security and smooth anti devices must be fixed so that the hacker must not have any access by applying the technologies to withdraw the amount in absence of ATM card and PIN.

          After thorough study of different books of ATM fraud and securities and also different types of anti devices which are being used by the Taiwan Indonesia like the poor countries, we are astonished that their thinking for the customers but Indian banks are thinking for their only ruling of State Commission and National Commission to dismiss the case of the complainant but science is progressing technologies are progressing daily but we are lagging behind to go through the books because we are always relying upon some verdict but it must be kept in our mind when we deal with particular matter, we must to go through the particular subject also before coming into any conclusion.  So, in this case after thorough study of the entire method of hacking and also the above discussion, we are convinced to hold that the present type of hacking is logical attacks and same are being used in the ATM operating system by applying different modes and in the present case, no doubt skimming has been adopted by the hackers and as because there is no anti devices in the ATM to defend the hackers attempt to withdraw money and fact is that the complainant went at the SBI ATM at Tollygung Metro Station Compound, the room with 4(four) ATM wherein two persons were inside the room and also in the 1^st ATM, he then swiped his debit card in the 2^nd ATM but the screen remained blank and the two persons standing inside the room asked him to operate the 1^st one and told that the other two ATM are defective.  He then checked the balance amount of Rs.13,149/- from No.1 ATM and returned with his balance slip along with debit card.  But his money amounting to Rs.13,100/- was withdrawn from SBI, Shyambazar ATM at 11:29:16 hours first of all Rs.13,000/- and then Rs.100/-.  The complainant immediately took up the matter with the Bank Authority and also made a FIR with the Regent Park Police Station vide No.152/11 dated 01-07-2011 and ultimately with the intervention of Mr. P. Banerjee, ATM Section, SBI, 1, Strand Road, Kolkata who had shown the CCTV footage wherein it reveals that two persons had withdrawn the money from the ATM and they identified them as fraudsters.  Fact remains that the investigating officer of Regent Park P.S. had sent a report to the Dy. Director Mr. S. Choudhury stating that the money was withdrawn by two fraudsters.  In fact, though the concerned P.S. issued an order on 14-06-2013 asking the OP/SBI, Shyambazar Branch, to pay back the said amount with interest to the complainant, but the OP/SBI did not pay any heed in the matter.

          On overall study of the written version of the Bank it is admitted fact that complainant is a customer in respect of Account No.11063004013 belonged to Shyambazar Branch having an ATM Debit Card bearing No.6220 1800 1800 0047 482 which was issued against that account of the complainant and complainant has been using that card and it is admitted by the OP that they received a complaint on 30-06-2011 in respect of fraudulent withdrawal of Rs.13,000/- and Rs.100 on 29-06-2011 and State Bank made enquiry and came to learn that on 29-06-2011 at 11:29:16 hours a sum of Rs.13,000/- was withdrawn through ATM against ATM ID No.S10A003084040 and on the same date at 11:29:54 hours the sum of Rs.100/- was withdrawn through ATM from another ATM ID No.S10A003084041 which belonged to SBI.  It is a fact that complainant has challenged that withdrawal and claimed that it is a fraudulent type of withdrawal by some unknown person and in this regard he also lodged a complaint to Police and Investigation Officer, Regent Park Street enquired and came to a conclusion that same were withdrawn by fraudsters and police authority asked the Shyambazar Branch Bank to pay back the said amount with interest.  Now, the question is whether the theory as taken by the Bank in all cases that when the ATM card including secret Pin No. are within the custody of the customer, the customer shall have to prove how the card went to the hand of third party and how third party came to learn the secret Pin No.  But truth is that in this case complainant has not stated that at any point of time he handed over the same to the third party informing his secret Pin No.  So, invariably there is no scope to get the said secret Pin No. and card by any third person then question is how it was withdrawn by fraudster.  It is the common perception of different authorities who are deciding such disputes that without secret Pin No. and the ATM card no money can be withdrawn.  But this perception has no scientific basis which is evident in the case because in this case complainant has very specifically submitted on 29-06-2011 he went to Tolly Metro Station compound ATM counter for balance enquiry and that has not been denied by the OP Bank and from the copy of the very slip that is transaction No.5462 dated 29-06-2011 it is found that that transaction was made for getting balance enquiry at about 11:28 hours and from that slip (enquiry 2 ) it is clear that available balance was Rs.13,149-67 and said ATM ID was S10A003084027 whereas within 61 sec. and the disputed amount of Rs.13,000/- and Rs.100/- were withdrawn from separate two ATMs but there is no explanation on the part of the OP that how a person would be able to withdraw such amount from Regent Park area SBI ATM within 60 sec. from checking balance by using card by the complainant and it is impossible for any person to go from one place to another place to withdraw the amount.  So, it is clear that hacking was made by such intelligent group of hackers who applied the very scientific method malware by placing such devices and developed software and invariably at the time of taking balance of the account of the complainant vide transaction No.5466 at about 11:28 hours.  So, it is clear that bank has failed to prove how it was possible to withdraw within 60 sec. the said amount withdrawn by the fraudster not only that the Cyber Crime Detective Police Cell investigated the same considering the entire video footage and found that it was withdrawn by some fraudsters and not by the complainant and police authority asked the bank to refund the same and considering the fact it is clear that the theory of the bank that when a customer possesses ATM Card and secret Pin No. and if any withdrawal from the ATM is successful in that case it shall be always presumed that the customer has withdrawn it or he placed some persons to withdraw it but this theory has no scientific basis which is proved in this case and police also investigate and found that third person withdrew the same and no doubt in the present case hacker was successful and those fraudsters have their more sophisticated computer knowledge in hacking and they have committed such offence but bank authority is only one book i.e. reported ruling like a placard before all the Forums that when ATM and Pin No. are within the custody of the customer there is no question of hacking, there is no question of withdrawn by fraudster but that theorization is proved false theory and bank in this case no doubt has not submitted such material to show in the present case that there are no laches, deficiency on the part of the Bank for not applying the anti-devices to check the fraudsters or hackers and practically in their system no modern technologies have been applied for checking skimming or FLS and in view of the above premises we are convinced to hold that the present amount of Rs.13,000/- and Rs.100/- were not withdrawn by the complainant.  It was withdrawn by the fraudsters that was proved by the Police Investigation and Police Authority of Regent Park issued an order to the Bank Authority asking them to pay back the said amount with interest but Bank has not complied it.  So, we are convinced that allegation of the complainant is proved beyond any manner of doubt.  Further it is proved that in absence of ATM card and secret Pin No. the modern fraudsters and hackers are able to withdraw it by adopting several process of hacking and it is a science and that science and technique are being practiced by the hackers daily at different stages.  But Bank is here and there knowing nothing about that and Bank has also failed to produce any document to show that in the said ATM machine anti-hacking devices were fitted and they have their authorities those who are called anti-devices software (testing) but in casual manner only producing two rulings they are defending before all the Forums, Civil Courts and other but in this case it is proved beyond any manner of doubt that their ruling failed to help their defence which is casual defence haviing no scientific basis.

          In view of the above, we are of the opinion that in this case the complainants a consumer and the SBI/OP is providing service as defined u/s.2(1)(o) of the Act.  Though the video footage in connection with the incident was in the custody of the Bank authority, but it is not clear whether they saw it on a regular basis for security of money of their customers and the said ATM premises with 4(four) ATM had no security guard/authorized person to look after and protect the consumers.  Had the ATM premises being guarded the miscreants would not have moved freely inside the ATM premises.  So, the bank authority failed to arrange for proper service to the complainant what tantamounts to deficiency in service as defined u/s.2(1)(g) and 2(1)(o) of the C.P. Act, 1986 respectively and for such act of SBI/OP, the complainant has to suffer financial loss, harassment and mental agony and lost his money amounting to Rs.13,100/- lying with his ATM bank account with the SBI, Shyambazar, Kolkata and in spite of knowing the incident of such withdrawal of Rs.13,100/- through unauthorized persons/fraudsters/miscreants, the OP/SBI did not refund the money to the complainant and take appropriate steps to protect the money of the customers who kept in its savings bank account on the ground of savings of their hard earned money.

          So considering all the methods and facts as discussed, we are convinced to hold that bank administration has failed to that, they in their system the ATM counter attacks the anti fraud technologies was applied for skimming resistance i.e. job cards or FLS.  So, it is proved that bank is no doubt negligent and deficient to give proper protection to the ATM card holder regarding security and safety of the identity of the card and confidential numbers and no such certificate has been submitted by the bank authority that they are using it in Bangalore, Mumbai and other states.

          In the light of the above observations, we are convinced to hold that bank authority is negligent and deficient to give protection in respect of the ATM and also to the card holder and his PIN code and for which we are convinced to hold that complainant is entitled to get back the amount of Rs.13,100/- with 8% interest and the op/bank shall pay and refund the same with interest against the savings bank account of the complainant.  After concluding our judgment we want to say that the bank authority to be more careful in future and their administration who are controlling the entire ATM all over India so that they may apply the present technologies to defend the fraud technology from the ATM fleet.  Otherwise the bank shall be always committed by producing two or three judgments of all the Commissions but truth is otherwise.

          In the result, the case succeeds.

          Hence,

ORDERED

That the case be and the same is allowed on contest with cost of Rs.5,000/- (Rupees Five thousand only) against the OP/Bank.

          OP is hereby directed to pay the amount of Rs.13,100/- (Rupees Thirteen thousand and one hundred only) with 8% interest from the date of stolen of money by the hackers or authorized person from the ATM but same shall be refunded to the complainant and be deposited against his bank account within 15 (fifteen) days from the date of this order failing which for non-compliance of the Forum’s order OP shall have to pay punitive damages of Rs.10,000/- (Rupees Ten thousand only) only to this Forum but even then if it is found that OP/Bank is reluctant to comply this order in that case the penal proceedings shall be started for which they may be imposed further penalty u/s 27 of the C.P. Act 1986.