ICICI Bank gets a Rs 12.85 lakh lesson in e-security
Decision in the first case under Information Technology Act
PTI | New Delhi | April 13 2010
An adjudicator under the Information Technology Act has directed ICICI Bank to pay Rs 12.85 lakh in compensation to an NRI customer who lost Rs 6.46 lakh due to fraudulent access to his bank account.
"The bank failed to put in place a foolproof internet banking system with adequate levels of authentication and validation," PWC Davidar, Tamil Nadu IT secretary and adjudicator under IT Act for the state, said in his ruling.
The order came on a complaint filed by Umashankar Sivasubramaniam who claimed he received in September 2007 what appeared to be an e-mail from ICICI Bank, asking him to reply with his ICICI Internet banking username and password.
Sivasubramaniam replied as asked and subsequently found that Rs 6.46 lakh had been withdrawn from his ICICI Bank account.
It then transpired that the sender of the email had used a false ICICI Bank identity to get Sivasubramaniam to reveal his username and password in order to defraud him. Such an email fraud is known as ‘phishing’ in technical parlance.
Davidar found ICICI Bank guilty of failing to ensure that fraudsters were not able to fake the bank’s identity in sending emails to customers, and of not authenticating the identity of the person who accessed Sivasubramaniam’s bank account.
There was no way by which customers could identify an e-mail as not being from the respondent bank (ICICI); the bank could have obtained a digital signature for the officer responsible for communicating with customers, thereby providing a layer in authentication of such mails, Davidar observed.
There appeared to be no effort of that nature by ICICI, he said, adding that access to the petitioner’s account details "reflects very poorly on ICICI’s systems and procedures in the event of a customer facing this situation."
It happened to be the first case filed in the country under the Information Technology Act.
ICICI Bank has sought to reassure customers that their internet banking is fully secure and said it will appeal the ruling, as the fraud was the result of the callousness of the customer. (See the comment posted below on behalf of ICICI Bank. Though GovernanceNow cannot be sure that it is from a bona fide, authorised officer of ICICI, we are publishing it in good faith.)



Instead of saying the customer is irresponsible, why can’t the bank retain CCTV clippings of the person who drew the money from the counter and hand over the images to police instead of saying that memory of pictures were gone away with wind. Very Interesting manipulated stories.
The judgment copy can be found at www.naavi.org and I would like every critic to go through the same. In India the law expects that passwords are not used for authentication of legal documents and only digital signatures are to be used whether it is for e-mail from the Bank or for the customer withdrawing money through Internet banking account.
For the last decade Banks are sleeping over these legal provisions and pushing ahead with insecure Banking practices.
This judgement is in tune with German Courts and Denmark regulations as well as RBI's guidelines.
The adjudicator is to be appreciated for having taken a very bold decision and the judgement itself contains elaborate reasoning.
ICICI Bank should focus on how to be law compliant rather than justifying their negligence.
This is an absolute joke. The bank should NOT be liable for the stupidity and ignorance of the customers. At best, it should pay back the money that the customer lost (I think even that shouldn't happen) - but paying extra for the ignorance of a customer? That's an absolute joke.
The plaintiff is clearly an idiot and deserves no compensation.
I just hate the precedent that this sets - whereby people are basically awarded for being stupid?
I hope ICICI win their appeal.
Hi,
We are from ICICI and we'd like to clarify that ICICI Bank will appeal as the complainant has negligently disclosed the confidential information such as password and thereby fallen prey to a phishing fraud by responding to a phishing email. The customers are fully apprised on security aspects of Internet banking through channels such as monthly/quarterly statements, posters located at ATM and branches, information through the website of the bank to safeguard their own interest. We reassure that our security systems are continuously audited and neither the security nor our processes have been breached.
ICICI Bank endeavors to offer world-class service to its customers. Today, we have hundreds of types of transactions, which can be completed on line without having to walk into a branch. We strive for convenience and safety of our customers and uninterrupted availability of our services through self-service channels. We also continuously upgrade our systems and technology to ensure that our customers get the best experience and a safe environment while transacting on line.
Regards,
ICICI Bank Team.
fyi