Kerala

StateCommission

CC/12/47

Shabbir Khan Rajan Rawther - Complainant(s)

Versus

The MD,Axis Bank Ltd - Opp.Party(s)

Thirumala P K Mani

09 Nov 2016

ORDER

KERALA STATE CONSUMER DISPUTES REDRESSAL COMMISSION SISUVIHARLANE VAZHUTHACADU THIRUVANANTHAPURAM

 

CC.NO.47/12

JUDGMENT DATED : 09.11.2016

PRESENT

 

SRI.K.CHANDRADAS NADAR   : JUDICIAL MEMBER

SMT.A.RADHA                         : MEMBER

 

COMPLAINANT

 

Dr.Shabbir Khan Rajan Rawther,

S/o.Ahmed Khan Rajan,

Residing at “Rafee Mahal”,

311, Prasanth Nagar,

Medical College.P.O

Thiruvananthapuram

 

(By Adv.Sri.P.K.Mani)

 

Vs

OPPOSITE PARTIES

 

1. Axis Bank Ltd,

Rep.by its Managing Director,

Chief Executive Officer,

Corporate Office,

Bombay Dying Mills Compound,

Panduranga, Bhudhkara Marg,

Worli, Mumbai

 

2. The Branch Head Axis Bank Ltd,

41/419, Ground Floor,

Chicago Plaza, Rajaji Road,

Ernakulam – 682035

 

3. The Vodafone Cellular Ltd,

Rep.by its Circle Head,

Vodafone Circle Head Office,

Angels Arcade, South Kalamassery,

Cochin – 682022

4. The Manager,

Circle Head Vodafone Cellular Ltd,

Vodafone Store,

Ground Floor, Ravi Chambers,

Nagarjuna Circle,

Panjagutta, Hyderabad – 50082

 

(Ops 1 & 2 by Adv.Sri.S.Reghukumar)

(Ops 3 & 4 by Adv.Sri.G.S.Kalkura)

 

JUDGMENT

SRI.K.CHANDRADAS NADAR   : JUDICIAL MEMBER

                This is a complaint filed Under Section 17 of the Consumer Protection Act. The allegations in the complaint in brief are the following. Complainant is having Vodafone mobile connection with No.9846289101. While working as a Medical Officer, at the Lakeshore Hospital, Cochin, complainant opened two accounts with the second opposite party a branch of the first opposite party banking company. At the time of opening the accounts complainant has availed net banking facility from opposite parties 1 & 2 on their specific assurance that net banking is highly secure. Opposite parties 1 & 2 never conveyed the complainant that net banking facility involves risk of any kind. For operating net banking, there are three levels of passwords. After entering the customer ID and password the account holder can operate the account. In order to transfer funds to another account or bank a transaction password must be entered. On entering the transaction password immediately message will be received in the mobile phone of the customer registered with the net banking containing an eight digit one time system generated password called net secure password. On entering the above one time password the transaction will be processed or completed. Thereafter, the details of the transaction will be received as S.M.S to the mobile number of the customer from the system of the bank.

        2.     On 30.03.2012 between 4.p.m and 6.p.m the mobile phone of the complainant went dead. He contacted the Vodafone customer care from another phone. But he was asked to contact the store for details. Since the store closes by 7.30.p.m. he was not able to go to the store on time. Therefore on the next day around 2.30 p.m. complainant visited the vodafone store at Kadavantra (Cochin) to know the details. Complainant was informed that his SIM was replaced with a duplicate SIM on a request submitted before the 4^th opposite party. The store manager Kadavantra showed the complainant, the request in their system made for replacement with a new SIM in the mobile number of the complainant, the request came to the Vodafone on 24.03.2012 and on the basis of such request new SIM was issued on 30.03.2012. The 4^th opposite party deactivated the SIM of the complainant when duplicate SIM was issued to some unknown persons without the knowledge of the complainant and without intimating the complainant. Even the genuineness of the request was not confirmed. Normally, when there is request to replace SIM the same would be intimated to the customer by sending SMS or by contacting over phone. But the complainant was not given any such intimation. It is understood that duplicate SIM was issued to unknown persons on the basis of forged ID proof that is a forged photocopy of the password which bears the photo  of some unknown person and forged signature. The fourth opposite party failed to verify the genuineness of the request and ID proof submitted which is clear negligence and irresponsibly on the part of the fourth opposite party. The SIM used by the complainant was issued from Kerala. But the duplicate SIM was issued at Hyderabad even without verifying the genuineness of the request for replacement of the SIM and the ID proof submitted. The details of ID proof and photo of the complainant could have been easily cross checked by opposite parties 3 & 4 in their system. The complainant questioned the illegal action of the fourth opposite party. But they could not give a satisfactory explanation.  On realising that the mobile number of the complainant was misused opposite parties 3 & 4 immediately cancelled the SIM issued to unknown persons and issued a new SIM to the complainant from the Vodafone store at Kadavantra.

        3.     On 31.03.2012 around 8.30.p.m.complainant received an SMS in his mobile phone stating that an amount of Rs.50,000/- had been credited in his account. Since it was unexpected he checked his account through on line. But he was not able to access his account, but it was displayed in valid user name or password. The repeated attempts to trace out his account failed. Hence he suspected that something wrong had happened and he rushed to an ATM machine near his hospital and took a mini statement from his accounts. He found that an amount of Rs.9,42,000/- was transferred to some other accounts by that time without his knowledge from one of his account and another Rs.1,72,500/- was transferred from the other account. Thus, complainant lost total amount of Rs.11,14,500/- from his accounts. Complainant immediately contacted the customer care of the first opposite party and got both these accounts blocked. But the bank was not able to give any proper explanation. Hence complainant lodged a complaint with the Central Police Station, Cochin. On the basis of the complainant police registered FIR No.840/12 on 01.04.2012. Nine persons were arrested in connection with the crime and the investigation is continuing. Complainant came to understand that the amounts were transferred to 20 different accounts during the night on 30^th and morning on  31^st April 2012.Amounts were transferred to 18 other accounts of the first opposite party bank all over the country. ICICI Bank, Calcutta branch and Kodak Mahendra , Secundrabad branch are the two other banks to which amounts were transferred. The SMS received by the complainant that an amount of Rs.50,000/- was credited to his account was actually the amount returned to his account due to some problem when fraudulent attempt was made to transfer amount to HDFC bank. After the fraudulent transactions only negligible balance remained in the accounts of the complainant. Complainant sought explanation from the bank but the reply given was casual.  The bank is primarily responsible to keep the amounts deposited with them in utmost security. If something happens to the amounts deposited with the bank they are bound to return the amounts to the customer. The fact that amounts were transferred to 18 other accounts of the first opposite party bank itself proves that it could not have been done without the help of the first opposite party. They are bound to recover all the above amounts from the culprits and reimburse the loss sustained by the complainant. The amounts transferred to the ICICI and Kodak Mahendra banks are also liable to be recovered from the persons concerned. The bank has not initiated any legal proceedings before the police or any other appropriate forum to recover the amount lost by the complainant. This inaction points to the culpability of the bank. Opposite parties 1 & 2 have also failed to follow the guidelines of the Reserve Bank of India regarding net banking. They failed to take sufficient protective measures to avoid hacking of the accounts of its customers. The ID and password of the complainant could have been leaked from the bank itself. All this amounts to deficiency in service on the part of opposite parties 1 & 2. The complainant is also liable to be compensated for the mental agony and mental trauma suffered by him. Complainant issued notice through lawyer to the Axis Bank on 09.04.2012 calling upon them to pay the amounts lost by the complainant in addition to compensation for the mental trauma and agony suffered by him. But the first opposite party denied their liability raising untenable contentions. The complainant had not leaked his ID or password to any third party. But the bank failed to provide sufficient security to prevent fraudulent transactions in banking. The first opposite party uses 128 bit encription which is easy to hack. First opposite party does not provide virtual key pad in internet banking to prevent key loggers attack. All the banks provide virtual key pad, so that hackers do not get hold of the key strokes by sending key logger virus to the personal computers. The bank has also failed to comply with the provisions of the Prevention of Money Laundering Act of 2002. Such a huge amount was allowed to be withdrawn on a single day when sealing limit for a single day transaction through net banking used to be Rs.50,000/- only. The relationship manager of the bank was aware of the fact that the amount was deposited by the complainant for the purpose of higher studies in London.

        4.     There was also attempt on the part of the culprits to get a prepaid connection in the name of the complainant which was issued by the fourth opposite party but when they failed to operate with duplicate SIM and transfer money, they applied for post paid connection in the name of the complainant which was also issued by the 4^th opposite party. The third opposite party also did not take any step to lodge complaint with the police. They are also equally liable to compensate the complainant. Notice was issued to the Vodafone Company also through the lawyer of the complainant claiming compensation. But in the reply notice they could not meet the allegations levelled against them. Since the complainant lost his money, he could not remit amount for his higher studies and he lost admission for higher studies. Opposite parties are also liable to compensate the complainant under section 43 A of the Information Technology Act 2000.  Complainant seeks direction to the opposite parties to pay an amount of Rs.11,14,500/- with interest at the rate 18 % per annum from 30.03.2012. Further complainant seeks compensation of Rs.75,00,000/- for the mental trauma agony and loss suffered by him.

        5.     Opposite parties 1 & 2 filed joint version and opposite parties 3 & 4 filed separate joint version. The contentions raised by opposite parties 1 & 2 are that the mobile phone number mentioned in the complaint is the one registered by the complainant with the bank. The complainant opened the second account with the bank as he was fully satisfied with the services provided by the bank. To the enquiries made by the complainant about net banking the officials of the bank explained the procedure involved in internet banking and also the advantages and disadvantages of the same. Opposite parties 1 & 2 categorically explained to the complainant that at any cost the security password and other details should not be compromised with a third party unknowingly or as answer to phishing messages received from unknown persons. The bank has categorically informed all its internet banking customers that they should not divulge the confidential credentials to any person including the bank or its officials. The banking systems including the internet banking system of opposite parties 1 & 2 is technically sound and is in accordance with the provisions of the Information Technology Act and Rules as well as the guidelines and regulations of the Reserve Bank of India. The details of procedure involved in internet banking are as narrated in the version. The transactions are carried out online. In the internet banking scenario, the customer is faceless. The customer is provided with user ID and password printed in a PIN MAILER and is passed on to the customer duly sealed. The password in internet banking is stored in the system in a hashed form which is better than encrypted form. The internet system administrators or any other user do not have access to customer’s internet banking account. Internet banking security cheque is conducted regularly and the software is free from security vulnerabilities as per audit reports.

        6.     On getting message on 31^st March about the credit of Rs.50,000/- in the account of the complainant he directly logged into the net banking. However, he could not operate the same as the fraudsters changed the password / user name etc. Phishing attacks are very common these days by which the miscreants obtain customers credentials through social engineering. Malicious programmes like Trojans are also serious threat these days. It is possible that the customer may be innocent. But the credentials were compromised through Trojan. The bank has taken all possible measures to help the complainant. The allegations to the contrary are incorrect. When the complainant’s father contacted the RM of the second opposite party and informed about the unauthorised debits, he was advised to immediately contact the customer care. The beneficiary accounts were checked and steps were taken to block the said accounts. But the amounts unauthosedly transferred to those accounts had already been withdrawn on 30^th and 31^st itself through ATMS and only nominal balances were available in the said accounts.  On 02.04.2012 the second opposite party received written complaint and blocked the debit cards and deactivated the i-connect ids of all the beneficiary accounts. Mails were also sent to all concerned branches and branch heads of respective branches were personally contacted over phone and apprised of the situation. Later, the local branches of ICICI Bank and Kodak Mahindra Bank were apprised of the situation directly in person. The accounts were frozen by the respective banks. The second opposite party submitted statement of accounts of all the beneficiaries to the investigation team and readily co-operated with the investigation. The money deposited by the complainant is not lost on account of the negligence of opposite parties 1 & 2. It is incorrect to say that the employees of the bank or the branch will be in a position to know the details of complainant’s password transactions etc. The server is located at Mumbai and all the data is stored in computer language. In the instant case the fraudsters logged into complainants’ account using login id. Login password and transaction password and other details which he has compromised knowingly or unknowingly and further using the duplicate SIM card procured in the name of the complainant and not that the banks system was hacked. The bank has also implemented strong authentication system through two factor  authentication in their retail internet banking for fund transfers above Rs.5,000/- which binds the customer to the transactions through a onetime password token. The complainant is a innocent victim of internet fraudsters and the bank had no role directly or indirectly in the fraudulent phishing attack that happened in the account of the complainant. If  a person comes to open an account and if it talleys with all necessary KYC documents and directions of RBI and is in terms of banking Law and practice the bank cannot refuse to open such an account on mere apprehensions. The co-operation of opposite parties 1 & 2 paved the way for the arrest of two culprits by police. The investigating officers also came to the conclusion after investigation that fraud was played by outsiders and not by any of the employees of opposite parties 1 & 2. The fact is that due to some coincidence the complainant knowingly or unknowingly might have compromised the personal details known only to him. So someone was able to hack into complainant’s account and do a phishing attack. It was complainants system that was hacked using his duplicate SIM card and information including the password only known to him. Opposite parties 1 & 2 have denied all the allegations in the legal notice issued to them. Hackers cannot hack the bank’s server as banks systems are free from vulnerability as per security tests Moreover a fraudulent transaction cannot be made as there are many security parameters required for making a transaction successful. The RBI Team which conducted Annual Audit of the first opposite party bank has not reported that the system and procedure followed by the first opposite party does not conform to the RBI norms and stipulations. Hacking of the complainant’s system did not happen due to any deficiency in service on the part of opposite parties 1 & 2. The bank had issued machine generated messages to the mobile phone of the complainant after each transfer of money. Unfortunately, the fraudsters were operating his accounts with the duplicate SIM card, they obtained clandestinely, There is no permanent ceiling on the financial transactions a user wants to do through internet, though the default ceiling of transaction limit is Rs.50,000/-. If a user wants to increase the limit he can do so through internet banking up to Rs.5 lakhs. It is admitted in the version that the loss to the complainant due to the fraud committed by unknown persons is Rs.11,14,500/-.Opposite parties 1 & 2 have denied the allegation that they have disclosed details of the complainants accounts to third parties. Opposite parties 1 & 2 have no control or authority over the affairs of opposite parties 3 & 4. Opposite parties 1 & 2 are not liable to make good the loss sustained by the complainant.

        7.     Opposite parties 3 & 4 have contended that the complaint is not sustainable against them as there is no direct nexus between the alleged transaction and opposite parties 3 & 4. Opposite parties 3 & 4 are providing tele communication services and extends normal acceptable standard of service to his subscribers. 4^th opposite party is wrongly named in the complaint. Complainant is a subscriber of the third opposite party. Opposite parties 3 & 4 are separate and independent entities. If any subscriber effects banking transaction the same is at the sole option of that subscriber. The allegation that the mobile of the complainant went dead etc are not correct. SIM replacement was made within the realm of the 4^th opposite party, after due verification of identity. There were no procedural anomalies or non compliance of any legal formality. The third opposite party after confirming the details as per the intimation of the executive granted consent for SIM replacement. Due diligence was shown while replacing the SIM card of the complainant. The required document copies were collected along with due request for SIM replacement. In the case of SIM loss or SIM damage it will not be practical to contact the subscriber before SIM replacement. Opposite parties 3 & 4 filed police complaint in the matter. Only subsequently opposite parties 3 & 4 came to know that forged ID proof was produced. Reasonable variation of identity in the photograph could also be appreciated. The forged ID proof brought by the person to the office of the fourth opposite party showed substantial resemblances to the photograph in the archive file of the third opposite party. The allegations to the contrary are not correct. Opposite parties 3 & 4 cannot be held accountable for any of the actions of opposite parties 1& 2.  The allegations pertaining to what transpired during the transactions in the bank are not known to opposite parties 3 & 4. It is incorrect to say that opposite parties 3 & 4 issued duplicate SIM card in an irrepsonabile and callous manner. Police investigation revealed that the ID proof originally submitted was also forged. It is incorrect to say that there was no verification of genuineness of ID proof. Opposite parties 3 & 4 never helped the alleged transfer of money. There was no deficiency in service on the part of opposite parties 3 & 4 and the complaint is liable to be dismissed.

        8.     On the allegations in the complaint and the contentions raised the following points arise for determination.

1. Whether the opposite parties or any of them have committed deficiency in service as alleged in the complaint?

2. What are the reliefs if any the complainant is entitled to?

        9.     The evidence consists of the deposition of the complainant as PW1. Exts. A1 to A11 marked on his side, the oral evidence of three witnesses on the side of the opposite parties as DWs 1 to 3 and Exts. B1 to B9 marked on their side.

        After recording evidence arguments were heard.

Point No.1

        10.   Complainant admittedly held two accounts in the second opposite party branch of the first opposite party Axis Bank Ltd. He was also admittedly a subscriber of mobile phone connection issued by the third opposite party Vodafone circle head, south kalamassery, Cochin. The fourth opposite party is the Manager, Circle Head, Vodafone Store, Panjagutta, Hyderabad. The grievance of the complainant is that on 30.03.2012 between 4.p.m and 6.p.m. his mobile phone went dead. His attempt to contact the Vodafone store succeeded only around 2.30.p.m on 31.03.2012. Then he was informed that his SIM was replaced with a duplicate one on a request submitted before the 4^th opposite party at Hyderabad. It turned out that complainant’s SIM was deactivated and duplicate SIM was issued to unknown persons without due care and proper enquiry thereby facilitating fraudulent withdrawal of amounts from his two accounts. Admittedly, the complainant had availed net banking facility from opposite parties 1 & 2. Using the duplicate SIM unknown persons operated the accounts of the complainant on 30.03.2012 and 31.03.2012 and effected 20 transfers whereby amounts from the two accounts maintained by the complainant were transferred to other accounts. Of these transfers 18 transfers were to other accounts of the Axis Bank itself but outside the State of Kerala. The beneficiary accounts of the first opposite party bank were maintained in various branches of the Axis Bank at places like Hyderabad, Mumbai, West Bengal, New Delhi etc. The remaining two beneficiary accounts were maintained by the branches of ICICI Bank and Kotak Mahindra bank.

        11.   According to opposite parties 3 & 4 who filed joint version, SIM replacement was made as per due procedure including address proof verification and verification of the identity of the subscriber. There was no procedural anomaly or lack of diligence in replacing the SIM card. Even as per the version, there was only substantial resemblance of the photograph submitted for duplicate SIM with the photograph in the archive File of the third opposite party. Opposite parties 3 & 4 examined DWs 2 & 3 to substantiate the allegation that due procedure was followed in issuing duplicate SIM which turned to be the occasion for the fraudsters to hack the accounts of the complainant. DW2 was working at the Panjagutta store of Vodafone (4th opposite party).  She seems to have claimed that the complainant went personally to the Hyderabad store for SIM replacement. That this is untrue can be seen from her own subsequent version and the version of DW3. She deposed that before SIM replacement they used to verify original proof of identity of the customer. Then they will do some security checks. The customer has to submit the photocopy of the identity proof. He will have to submit the SIM replacement form as well. These would be forwarded to the Kerala Circle (the store from where original SIM was issued) After validation of those documents by the Kerala Office, the SIM would be replaced. By using the signature validation they confirm the customer. The original document produced by the complainant is the passport. During cross examination DW2 deposed that when a new SIM issued the old SIM would be deactivated. From then onwards the customer would not get any SMS sent to him. She admitted that she saw the SIM replacement application, photo, signature and address of the applicant as these were available in their system. According to her there was resemblance of photos and signature on comparison with these in the original application and those submitted for duplicate SIM. Along with Ext.A9 seizure mahazar SIM replacement form and passport (all photocopies) are produced. Ext.A10 is the customer agreement form dated 25.05.2010. It is seen that driving licence was submitted in proof of identity at that time. Ext.A10 was filed by opposite party No.3. To a pointed question whether DW2 can see any difference in signatures in these sets of documents she admitted that there is little bit of difference. In Ext.A9 the photograph is not clear. She claimed that original passport was actually shown to her where photo was clear. To the further question that photographs in Ext.A9 and Ext.A10 are different, DW2 answered that the photographs in the subscriber application form was an old one and passport was a new one. During cross examination DW2 admitted that she had never seen the complainant.

        12.   It may be observed that the application form for Vodafone connection submitted by the complainant contains his photograph and is dated 22.05.2010. He had submitted copy of his driving licence along with the application. It is also included in Ext.A10. It is seen that the SIM was issued after verification and reverification. At the same time Ext.A9 which contains the SIM replacement form is not fully filled up. No photograph of the applicant is submitted. The application is seen submitted on 22.03.2012. It contains a signature purported to be that of the complainant. Ext.A9 also contains the photocopy of the passport allegedly of the complainant. It is seen that the photograph on Ext.A9 is that of an entirely different person than that of the complainant. No expertise is required to arrive at this conclusion. Below the photograph a signature purportedly of the complainant is seen. This signature is markedly different from that of the admitted signature of the complainant seen on the customer agreement form contained in Ext.A10. It is not mere dissimilarity. So it is quite obvious that opposite party no.4 allowed SIM replacement without verification of the identity of the applicant and in a casual way. The circumstances are such that the 4^th opposite party in all probability knowingly aided the culprits in procuring a duplicate SIM intended for fraudulent use.

        13.   The further question is whether the evidence of DW3, in any way improves the defence of opposite parties 3 & 4. He is the customer service manager with opposite party no.3 for the past 4 ½ years. According to him, SIM replacement would be allowed when there is loss of the original SIM, or when the original SIM does not work or for the purpose of converting a nano SIM to a micro SIM and vice versa. In the SIM replacement application the full address of the applicant is not mentioned. As referred to already only the name of the applicant is mentioned in Ext.A9. In the SIM replacement application other details are left blank. As opposed to the endorsement in the customer agreement form in which there is endorsement that the SIM was issued after verification and reverification, absolutely no endorsement is seen on the SIM replacement application DW2 claimed that the Punjagutta store claimed over telephone that they had seen the original of the documents submitted as his identity proof. He also claimed just like DW2 that there is similarity between the photos in Exts.A9 & A10 and explained that two photographs taken at different point of time need not be similar. But as already observed this claim of DW3 cannot in any way be sustained and indicates that even now DWs 2 & 3 want to support the culprits and not the truth. When confronted with the question whether there is dissimilarity between these signatures, the answer was that there are similarities. So DW3 also does not want to speak the truth in this regard. He admitted that the original application for SIM, photo and identity proof could be scanned and saved in their system. The scanned image can be seen only in the respective State but for verification the photocopy of ID proof would be scanned and sent to the original stage when there is application for duplicate SIM. To the question whether without verifying the forged identity proof duplicate SIM was issued DW3 admitted that only the address was verified. This is a poor precaution to avoid issue of SIM to fraudsters. It may be further mentioned that in the SIM replacement application the reason is mentioned as loss of the original SIM. It may be reminded that the definite allegation in the complaint is that the original SIM was active till about 4.p.m on 30.03.2012. The application for SIM replacement was submitted on 22.03.2012.So a prompt verification of the truth of the allegation would have been sufficient to refuse the application. Opposite parties 3 & 4 never verified whether the original SIM issued by them was active or not before issuing the duplicate SIM. So the circumstances available in evidence overwhelmingly show that in issuing duplicate SIM in a casual manner and thereby facilitating hackers to gain access to the accounts of the complainant opposite parties 3 & 4 have committed grave deficiency in service.

        14.   Complainant has alleged that opposite parties 1 & 2 have committed deficiency in service as well. Admittedly, the complainant held to accounts in the second opposite party branch of the Axis Bank. The disputed transactions happened on 30.03.2012 and 31.03.2012. 20 transfers were effected from the two accounts of the complainant 18 of which were two various branches of the first opposite party bank itself but outside Kerala. The remaining two transfers were to accounts held in a branch of the ICICI Bank and Kodak Mahindra. Those transfers were also made to accounts outside the State of Kerala. According to the complainant in effecting these transfers opposite parties 1 & 2 committed deficiency in service. Complainant has a case that the internet banking system of opposite parties 1 & 2 is such that the system can be easily hacked. Further opposite parties 1 &2 have violated the Reserve Bank of India guidelines in maintaining the internet banking system. They also violated the KYC (know your customer) norms. There was inaction on the part of the bank in recovering the amounts transferred to various accounts in the branches of the bank after they came to know of the illicit transfers. The bank failed to exercise due care and caution in effecting the internet transfers. The complainant has a further case that the customer id and password were actually leaked from the bank.

        15.   On the contrary opposite parties 1 & 2 contend that the user id security password and other details of the complainant were compromised by the complainant himself. Opposite parties 1 & 2 have a technically sound system of internet banking. Immediately on coming to know of the involvement of the fraudsters steps were taken to block the beneficiary accounts. The bank has very well co-operated with the investigation by the police officers. That was why fraudsters were arrested and police filed charge sheet against them.Ext.A11 is the copy of the charge sheet filed by the Ernakulam Central Police before the Chief Judicial Magistrate Court, Ernakulam. Charge sheet is filed against 11 accused for having committed various offences in connection with the fraudulent transfers of money from the account of the complainant. All the accused hail from outside the State of Kerala and scattered all over India. It is in the above background opposite parties 1 & 2 contend that the user id security password and other details were comprised by the complainant himself. This contention is not a serious one taken in the version of opposite parties 1 & 2. DW1, who was the Manager of the Kochi Branch of the Axis Bank insisted that phishing attack generally happens when user id and password are compromised by the customer himself. But in the version of opposite parties 1 & 2 it is admitted that on getting message on 31.03.2012 about the credit of Rs.50,000/- in the account of the complainant, he directly logged into the net banking. However he could not operate the same as the fraudsters changed the password user name etc. Further phishing attacks are very common these days by which the miscreants obtain the customer’s credentials through social engineering. It will be pertinent to mention here that malicious ‘ Trojans’ are also cause for serious threat these days. These ‘Trojans’ are malicious programs which automatically enter the computers of users through use of the internet and keep running in the background without the knowledge of the users and their identification credentials including passwords are liable to be stolen by these ‘ Trojans’. Simple Trojans are called keystroke – loggers’. There are crime syndicates which control the ‘Trojan’ drop boxes and use these credentials to dupe the customers. There fore it is possible that the customer may be innocent and credentials were compromised through Trojan (Paragraph 7 of the version). In paragraph 9 of the version the contention taken is that in the instant case fraudsters logged into complainant’s account using log in id. Log in password and transaction password and other details which he has compromised knowing or unknowingly and further using the duplicate SIM card procured in the name of the complainant and not that bank’s system was hacked. It is further contended that the complainant is an innocent victim of internet fraudsters and bank had no role directly or indirectly in the fraudulent phishing attack that happened in the account of the complainant. As rightly pointed out merely because complainant’s accounts were hacked the employees of the bank cannot be held responsible There is no evidence regarding their role brought out even in the criminal investigation. The nature of the transactions and available evidence show that only the complainant’s accounts were hacked on that day. There is also no evidence to show that complainant knowingly compromised his user id password etc. As admitted in the version he was an innocent victim of the internet fraudsters who hacked his accounts and secured vital details such as login id password etc. Once that was done the careless issue of duplicate SIM made the task of the fraudsters easier. By using the duplicate SIM the fraudsters could easily get the one time password from the bank and effectively execute the transfers from the accounts of the complainant. From the stage from which fraudsters used the duplicate SIM no deficiency in service can be attributed on the part of the bank.

        16. Coming to the contention that by not recovering the money from the various branches of the bank to which 18 transfers were affected, the bank has committed deficiency in service it appears that as soon as the fraudulent transfers were brought to the notice of the bank those accounts were blocked. But by that time the fraudsters had withdrawn the money after leaving meagre amount in the accounts, using ATM facility. What is lacking is specific proof to establish this contention. The fact also remains that opposite parties 1 & 2 have easily permitted the fraudsters to exceed the limit of transfer of money permissible in a single day’s transaction. Regarding the allegation that the RBI guidelines as well as KYC norms were violated it may be mentioned that these are for guiding the bank itself and there is nothing to indicate that the RBI had found the bank responsible for such lapses. The complainant has a further contention that the bank should have insured his accounts but this is a policy matter and cannot be extended to a single individual.

        17.   In short, from the available evidence it can only be concluded that the complainant is in no way responsible for the fraudulent transfers effected from his accounts. Equally the bank was not directly responsible. It cannot also be stated that the bank had not co-operated with the investigation. Regarding the attempt to block the money already transferred, there is no convincing evidence to show that prompt action was taken. There is also laxity on the part of the bank in allowing to exceed the limit of transactions for a single day.

        18. There is yet another aspect to be emphasised in fixing the liability of opposite parties 1& 2. As held already the complainant is an innocent victim of the fraudsters. In such a situation when money is lost while lying in the account of the opposite parties it is only just and proper that they reimburse the loss of the complainant. The bank held the money in trust for the customer. So it is unjust to ask the customer to bear the burden. The fact remains that opposite parties 3 & 4 provided the opportunity for hacking and made the task easier by casually issuing duplicate SIM. Hence if so advised, opposite parties 1 & 2 can opt to proceed against opposite parties 3 & 4 for reimbursement or contribution of the money ordered to be paid by this commission. But in view of the clear deficiency in service committed by opposite parties 3 & 4 and the legal position as explained with regard to opposite parties 1& 2 the complaint is liable to be allowed against all the opposite parties.

        19.   Regarding the compensation claimed since we propose to award reasonable interest for the amount of Rs.11,14,500/- admittedly transferred from the accounts of the complainant only  reasonable compensation need be allowed towards the mental agony and incidental loss suffered by the complainant which we fix at Rs.5,00,000/-.

Point No.2

        See the order below.

        In the result, the complaint is allowed directing the opposite parties to pay jointly and severally an amount of Rs.11,14,500/- with interest at the rate of 9% per annum from 31.03.2012 till date of payment, Rs.5,00,000/- as compensation and Rs.10,000/- as costs. The order shall be complied with within two months from the date of receipt of copy of the order.

 

K.CHANDRADAS NADAR : JUDICIALMEMBER

 

A.RADHA : MEMBER

 

APPENDIX

List of witness for the complainant

PW1         - Dr.Shabbir Khan Rajan Rawther

List of exhibits for the complainant

Ext.A1      - The statement of accounts of Account

                  No.910010019342222 from 02.11.2011 to 02.04.2012 of

                  the Axis Bank.

 

Ext.A2      - Statement of Accounts of Account No.911010056711558

                   from 02.11.2011 to 02.04.2012 of the Axis Bank.

 

Ext.A3      - The F.I.R and F.I.S of Crime No.840/12 dated

                  01.04.2012 of the Central Police Station, Ernakulam

 

Ext.A4      - Copy of the lawyer notice issued by the Babu.S.Nair,

                  Advocate, dtd : 09.04.2012

 

Ext.A5      - Copy of the lawyer notice issued by Babu.S.Nair,

                  Advocate dtd : 10.04.2012.

 

Ext.A6      - Copy of the reply notice sent by D.G.M. Legal, Vodafone

                  Cellular Ltd, dtd : 02.05.2012

 

Ext.A7      - Copy of the reply notice sent by President and head

                  (Law), Axis Bank Ltd, Mumbai dtd : 23.04.2012

 

Ext.A8      - Post graduation study offer letter

 

Ext.A9      - Copy of customer agreement with the copy of ID proof

 

Ext.A10   – Copy of the forged ID proof

 

Ext.A11    - Copy of the charge sheet filed by the Ernakulam Central

                  Police before the Chief Judicial Magistrate Court,

                  Ernakulam

 

List of witnesses for the opposite parties

DW1         - Vancheswaran G

DW2         - V.C.YYashoda

DW3         - Gishin J Jacob

 

List of exhibits for the opposite parties

Ext.B1     - The original of the authorisation letter issued by

                   opposite parties 1 & 2 to the deponent dated

                   30.04.2014.

 

Ext.B2     - The true extract of the online fund transfer facility

                  Details downloaded from the online web portal of the

                  opposite Party no.1

 

Ext.B3     - The notarized copy of the acknowledgment dated

                  11.04.2012 given by the office of the Circle Inspector of

                  Police, Ernakulam Central.

 

Ext.B4     - The true copy of the Master Circular on know Your

                  Customer (KYC) norms notified by the Reserve Bank of

                  India (44 pages)

 

Ext.B5     - The true copy of the circular issued by M/s.Axis Bank

                  on KYC norms dated 03.02.2010

 

Ext.B6     - The true copy of the circular issued by M/s.Axis Bank

                   on KYC norms dated 13.08.2010.

 

Ext.B7     - Copy of Republic of India

 

Ext.B8     - Copy of seizure mahazar

 

Ext.B9     - Copy of e-mail letter dated 30.03.2012.

 

 

K.CHANDRADAS NADAR : JUDICIALMEMBER

 

A.RADHA : MEMBER

 

 

Be/

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

KERALA STATE

CONSUMER DISPUTES

 REDRESSAL COMMISSION

SISUVIHARLANE

 VAZHUTHACADU

 THIRUVANANTHAPURAM

 

CC.NO.47/12

JUDGMENT DTD : 09.11.2016

 

 

                                                                          Be/