West Bengal

Kolkata-II(Central)

CC/293/2012

MANOTOSH BANYOPADHYAY - Complainant(s)

Versus

STATE BANK OF INDIA & OTHERS. - Opp.Party(s)

SWAPNALEKHA AUDDY

30 Jan 2014

ORDER


8B, Nelie Sengupta Sarani, 7th Floor, Kolkata-700087.
Complaint Case No. CC/293/2012
1. MANOTOSH BANYOPADHYAY, 115A, SARAT GHOSH GARDEN ROAD, KOLKATA-700031, P.S-KASBA. ...........Appellant(s)

Versus.
1. STATE BANK OF INDIA & OTHERS, 1, STRAND ROAD, KOLKATA-700001, P.S-HARE STREET. ...........Respondent(s)



BEFORE:
HON'BLE MR. Bipin Muhopadhyay, PRESIDENT
HON'BLE MR. Ashok Kumar Chanda, MEMBER
HON'BLE MRS. Sangita Paul, MEMBER
PRESENT: SWAPNALEKHA AUDDY, Advocate for Complainant

Dated : 30 Jan 2014
JUDGEMENT


This is an application u/s.12 of the C.P. Act, 1986.

          Complainant Manotosh Bandyopadhyay, a retired pensioner holds a Savings Bank Pension Account with SBI, Sitalatala Branch, 38, Rashbehari Avenue, Kolkata – 26 having Pension Account No.10297655512 and also there is another account being no.10297615035.

          On 06-08-2011 an amount of Rs.13,000/- and on 21-08-2011 another amount of Rs.20,000/- were stolen from his Bank account through an ATM in Haltu, New Ballygunj.

          State Bank of India, Haltu, New Ballygunj SBI Bank has two ATM machines but there was no guard when the incident took place and recurrent theft in ATM Machine has been committed and both the machines are not placed inside any cubicles. 

          Practically after observing the theft of the said amount he immediately informed the Bank about the theft to Branch Manager, Haltu, New Ballygunj as relevant ATM falls under that branch but said branch manager discharged his responsibility by saying that as because in the Haltu Branch there is no Bank Account it is the liability of SBI, Sitalatala Branch.

          Complainant also informed the local P.S. of the area which is Kasba P.S. in both the cases.

          But at the age of 71 years he has been running for redressal from one branch to another branch for justice but no result has yet been achieved by the complainant.  Though complainant showed all the relevant documents and told the Branch Manager to do the needful but ultimately Branch Manager forwarded a letter on 24-10-2011 informed that he forwarded the matter to the competent authority but the complainant’s grievance was not properly redressed and being disgusted and also losing hope of getting back of the money or compensation complainant compelled to file this case for redressal. 

          On the other hand, OP Bank by filing written statement submitted that no doubt complainant is a customer of Savings Bank Account No.10297651035 and also in respect of pension account No. 10297655512 having ATM Debit Card bearing No. 6220180177200001036 in respect of Savings Bank No.10297615035 and ATM Debit Card being No.4591500003922172 in respect of Pension Account No.10297655512.

          OP has further alleged on 09-08-2011 complainant made complaint before the Manager, State Bank of India about withdrawal of Rs.13,000/- from his Pension Account on 06-08-2011 through ATM Card and again on 22-08-2011 wrote another letter about the withdrawal of Rs.20,000/- from his Savings A/c. No.10297615035 through ATM on 21-08-2011 and on receipt of the said complaints State Bank of India made enquiry in this matter and through Customer transaction Bank came to know that on 06-08-2011 at 09:42:08 hour a transaction was made in respect of withdrawn sum of Rs.13,000/- from SB A/c. No.10297615035, through ATM card being No.6220180177200001036 and on 21-08-2011 at 15:22:14 hour a transaction was made in respect of withdrawn sum of Rs.2,000/- from pension account number 10297655512 and at 09:21:04 hour a transaction was made in respect of withdrawal of Rs.20,000/- from the same pension account no. through ATM Card being No.4591500003922172 and all transactions were successful.  Accordingly, Bank informed the complainant about the said successful transactions.  So, save and except which were matter of record OP denied and disputed all the allegations and deficiency on the part of the OP when both the ATM card and Pin Number were in the custody and knowledge of the complainant.  So, under any circumstances, complainant is not entitled to any relief as prayed for and also prayed for dismissal of the complaint.

Decision with Reasons

In this case practically argument was heard from the complainant who appeared personally and also heard the Ld. Lawyer for the OP and Ld. Lawyer for the OP submitted that the National Commission by its judgment reported in 2011(2) CPR 26(NC) already observed that it is not possible for any Bank for refund of money when complainant has failed to prove by any cogent evidence that the money has been withdrawn by an unauthorized person from the ATM without ATM Card and knowledge of Pin Number and in this case in the complaint complainant has not stated about the use of the ATM by the complainant or his presence on the above dates before the ATM Machine and, in fact, complainant plainly stated that on two occasions from his account Rs.13,000/- to Rs.20,000/- were withdrawn but no whisper whether he appeared on two occasions before the said ATM machine and entire complaint is hoax and for which the complaint should be dismissed when complainant has failed to prove negligence and deficiency on the part of the OP.  Further Ld. Lawyer for the OP submitted as per system of ATM as prevailed at present and an unauthorized person is unable to withdraw money from the ATM without using ATM Card and knowledge of the Pin No. relating to the said ATM card.  Then it is the duty of the complainant to prove how the said money was withdrawn without using his ATM card and related pin number which is in the custody and mind of the complainant but complainant is completely silent in this regard for which the complaint should be dismissed. And that is out and out the gist of the argument for the Ld. Lawyer of the OP.

          Against that comment of the OP complainant and his son appeared before this Forum and submitted at the time of argument one occasion his father went to withdraw Rs.2,000/- and no doubt that withdrawal was rightly pointed out by the Bank and it was withdrawn on 21-08-2011 at 15:22:14 hours but no amount was withdrawn on 06-08-2011 or 21-08-2011 at about 09:21:04 hours by using ATM Cards.  But it is their submission that everything was done by some hackers and they have also submitted that the manner of withdrawal by his father.  His father never withdrew from his pension account or his personal account any heavy amount and they tried to convince by one newspaper cutting that a gang is in operation to hack the ATM and withdraw money by adopting certain procedure and practically bank authority time to time does not change software which is essentially needed for keeping the security of the ATM machines and transactions for safety of the customers and to check hackers and to control their different process and for the purpose of hacking there is no need of any ATM card or Pin Code and fact remains in the present case that was adopted.  So, the casual approach and defence of the Bank that without ATM card and Pin code no unauthorized person can withdraw the ATM is not scientifically accepted in view of the present operation of the hackers so the entire defence of the OP is most unscientific and about the judgment the bank what has pointed out even if it is accepted it can be stated that in the judgment the art of fraud in ATM as adopted by the hackers are not at all discussed and at the same time his father never went there at the relevant time for which they filed complaint and fact remains at the age of 71 years complainant has no need to tell a lie before the Bank Authority or the Forum for such money but as because it was stolen by adopting some scientific process by the hackers complainant appeared before this Forum.

          Considering the argument of the Ld. Lawyer of the OP and also the judgment as referred by the Ld. Lawyer of OP we have gathered that it is normal procedure as it is found in all the ATM Cases but fact remains the complainants pointed out a very vital question and if the observation and ruling of the National Commission are taken into account then global problem of ATM hacking cannot be solved by the judgment.  So, for that purpose we have gone through some types of ATM threats practically card and currency fraud wherefrom it is found that card and currency fraud involves both direct attacks to steal cash from the ATM and indirect attacks to steal a consumer’s identity (in the form of consumer card data and PIN theft).  The intent of indirect attacks is to fraudulently use the consumer data to create counterfeit cards and obtain money from the consumer’s account through fraudulent redemption. 

          There is another procedure of hacking that is skimming and an ATM Card skimming is the most prevalent and well-known attack against ATMs.  Card skimmers are devices used by perpetrators to capture cardholder data from the magnetic stripe on the back of an ATM card. These sophisticated devices, smaller than a deck of cards and resembling a hand-held credit card scanner, are often installed inside or over top of an ATM’s factory-installed card reader. When the consumer inserts his card into the card reader, the skimmer captures the card information before it passes into the ATM’s card reader to initiate the transaction.  The transaction continues in a normal fashion.  When removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM. An inexpensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM cards.  Typically, criminals design skimming devices to be undetectable by consumers. 

          There are certain kinds of card skimming attack and that generally occurs : External Card Skimming – skimming is made by placing a device over the card reader slot (motorized or dip) to capture consumer data from the magnetic stripe on the card during a transaction.  This is the most common form of card skimming.  There is another procedure i.e. called card trapping or fishing and card trapping and fishing attempt to steal consumers’ cards as they are inserted into the card reader during a transaction.  The purpose of this type of attack is to steal the card and use it at a later time to make fraudulent withdrawals from the consumers’ compromised accounts but this type of hacking did not happen in this case.  There is another type of trapping and fishing and currency trapping and fishing is an attempt by perpetrators to capture currency that is dispensed by the ATM during a transaction, whether it be in an envelope or as cash that is being deposited by the consumer during a transaction and trapping is made by a false dispenser front placed over the shutter of the dispenser with adhesive or tape on the inside to trap the notes before they are dispensed whereas fishing is the methods used are similar to those used to fish for cards.  Wires, probes and hooks that are difficult for the consumer to see are used to prevent cash from being dispensed or deposits from being made.  When the unwary consumer leaves the ATM, the perpetrator returns and uses the fishing device to retrieve the currency or deposit envelope.   There is another hacking system with malware and with any computer system the purpose of installing malicious software (malware) is to violate the confidentiality, integrity and/or authenticity of data on that computer system.  Designed to collect cardholder data and/or dispense cash, malware and hacking can occur both locally or remotely.  
Local attacks operate by accessing the top hat and downloading the malware using a USB drive or attaching a USB sniffing device to intercept communication between the card reader and the ATM’s computer.  Remote attacks on an ATM network occur at some point in the communication with the host or at the backend infrastructure.  Typically, these sophisticated attacks are carried out by well-funded criminal organizations.  As per present global problem of ATM hacking malware threats are of particular concern as they are on the rise and constantly evolving in an attempt to stay ahead of security measures.  For malware to be installed, physical and administrative access to the ATM platform’s operating system is necessary.  There are some other hacking of ATM by the hackers which are collected from some books on the subject the present situation in the global market on the ATM fraud around the world.  But peculiarity is that in all judgments nowhere all these types of hacking are discussed.  But only the simple method is adopted that an unauthorized person cannot withdraw money from ATM without using ATM Card and Pin Code but worldwide computer systems have expressed that there is no necessity to get the card and ATM Pin code from the customer.  A person having computer knowledge of ATM System can easily trap the ATM card number and ATM by using devices and also the pin code by playing some process by applying devices and thereafter, they use it.  So, the judgment as passed by the different hierarchies have not discussed or considered the total method of hackers of ATM when card skim is the most prevalent problem and it is the report of the banking sector of India that for card skimming and different types of ATM theft huge loss is being faced by the Banking Sector.  
So, we have gathered that the present ATM Card system are not at par with scientific method because in the present ATM as being used by the Banking authority has no skim resistance chip cards and at the same time the banking authority have their no knowledge of technologies of ATM fleet but in whole Asia more and more countries in Europe are migrating towards embedded chip cards and FIs in Asia are rapidly expanding their network size, Asia is fast becoming a target for ATM fraud.  The most prevalent type of fraud in Asia is card skimming.  It is to be mentioned in this regard if the bank authority does not submit any such document before this Forum that they have adopted devices to check the ATM machine from card skimming then we are convinced to hold that OPs version that ATM was quite ‘ok’ cannot be accepted but truth is that there is no such certificate issued by the Bank Authority that against the present two ATM Machines to check the fraud and card skimming they have expanded their network by migrating towards embedded chip and FIs in India but truth is that Malaysia and Taiwan like smaller countries have already arranged such devices and most of the FIs in the region are adopting fraud deterrence technologies for their ATM fleet.  All these matters are not in the mind of administration of bank though more and more technologies are being invented by the hackers who are not simple thief but most intelligent thief but they are operating the ATM without any pin code and ATM card and they are engaged in preparing system and devices to capture the customers card and pin code and in such a manner in this case that procedure was adopted by the hackers and in absence of ATM card and Pin Code they withdrew it.  
If anyone or any hacker complete skimming or malware that is sufficient during transaction and it is collected by present such devices and it is impossible to search out by security also that what has been done and subsequently it was preserved in their devices and in their software system and subsequently they use it.  So, practically in this case we have found that the ruling what has been referred by the Ld. Lawyer for the OP is found not on the basis of any present technologies but more and more studies are required by the Forum and also by the lawyers to cope up with the present technologies, related to fraud adopted who are handling the ATM fraud to learn how and what manner fraud can be practiced by the hackers by adopting different technologies.  We pointed out two or three technologies but there are thousands of techniques.  Fact remains in this case similar incident happened but bank is always casual and in their hand there are three or four rulings of National Commission or State Commission and said view are common in all respects but we have failed to understand why even today no such authoritative approach has been adopted  by the hierarchy when all over the world ATM fraud is treated as a cyber crime so present technologies must be read daily or at the time of handling such case it shall be dealt with the line of technologies as adopted by the hackers and at the same time anti devices should be used by the authorities of the bank to save their ATMs or online transaction etc.  
So, it is the duty of the Bank to submit such certificate that anti devices are taken with the ATM so question of hackings does not arise but Bank Authority has not said so and that certificate has not been submitted by the bank Authority but it is the duty of the Bank to transact all type of transactions safely and when Bank has fixed ATM for smooth service then smooth security and smooth anti devices must be fixed so that the hacker must not get any access by applying the technologies to withdraw the amount in absence of ATM card and Pin.  After thorough study of different books of ATM fraud and securities and also different types of anti devices which are being used by Taiwan, Indonesia like the poor countries we are astonished that their thinking for the customers but Indian Bank are thinking for their only ruling of State Commission and National Commission to dismiss the case of the complainant but science is progressing, technologies are progressing daily but we are lagging behind to go through the books because we are always relying upon some verdict but it must be kept in our mind when we deal with particular matter we must have to go through the particular subject also before coming into any conclusion.  So, in this case after thorough study of the entire method of hacking and also the above discussions we are convinced to hold that the present type of hacking is logical attacks and same are being used in the ATM operating system by applying different modes and in the present case no doubt skimming has been adopted by the hackers and as because there is no anti devices in the ATM to defend the hackers attempt to withdraw money and fact is that the complainant never went at the relevant time to the said ATM machine when said amount was withdrawn i.e. in those occasions complainant did not use their ATM card but it was skimmed along with the pin code because it is one type of device used by hackers and they kept it and formed a system what is used as per their need.

          So, considering all the methods and facts as discussed we are convinced to hold that bank administration has failed to prove that they in their system two ATM counter attacks the anti-fraud technologies were applied for skimming resistance i.e. job cards or FIs.  So, it is proved that bank is no doubt negligent and deficient to give proper protection to the ATM card holders regarding security and safety of the identity the card and confidential number and no such certificate has been submitted by the Bank Authority that they are using it in Bangalore, Mumbai and other states.  In the light of the above observations we are convinced to hold that Bank authority is negligent and deficient to give protection in respect of the ATM machine and also to the card holders and their pin code and for which we are convinced to hold that complainants are entitled to get the entire amount of Rs.33,000/- with 8% interest and OP Bank shall pay and refund the same with interest against the respective savings banks account of the complainant.  After concluding our judgment we want to say that the bank authority to be more careful in future and train their administration who are controlling the entire ATM machines all over India so that they may apply the present technologies to defend the fraud technology from the ATM fleet.  Otherwise the bank shall be always committed by producing two or three judgments of all the commissions but truth is otherwise. 

In the result, the case succeeds.

Hence,

Ordered

That the case be and the same is allowed on contest with cost of Rs.10,000/- against the OP Bank.

          OP is hereby directed to pay entire amount of Rs.33,000/- (Rupees Thirty three thousand only) with 8%(Eight per cent) interest from the date of stolen of money by the hackers or unauthorized person from the ATM but same shall be refunded to the complainant against his respective bank account within 15(fifteen) days from the date of this order failing which for non-compliance of the Forum’s order OP shall have to pay punitive damages of Rs.10,000/- (Rupees Ten thousand only) to this Forum but even then if it is found that complainant is reluctant to comply this order in that case the penal proceeding shall be started for which they may be imposed further penalty u/s.27 of the C.P. Act.

 


[HON'BLE MR. Ashok Kumar Chanda] MEMBER
[HON'BLE MR. Bipin Muhopadhyay] PRESIDENT
[HON'BLE MRS. Sangita Paul] MEMBER