An adjudicator under the Information Technology Act has directed ICICI Bank to pay Rs 12.85 lakh in compensation to an NRI customer who lost Rs 6.46 lakh due to fraudulent access to his bank account.
"The bank failed to put in place a foolproof internet banking system with adequate levels of authentication and validation," PWC Davidar, Tamil Nadu IT secretary and adjudicator under IT Act for the state, said in his ruling.
The order came on a complaint filed by Umashankar Sivasubramaniam who claimed he received in September 2007 what appeared to be an e-mail from ICICI Bank, asking him to reply with his ICICI Internet banking username and password.
Sivasubramaniam replied as asked and found subsequently that Rs 6.46 were withdrawn from his ICICI bank account.
It transpired then that the sender of email had used a false ICICI bank identity to get Sivasubramaniam to reveal his username and password in order to defraud him. Such an email fraud is known as ‘phishing’ in technical parlance.
Davidar found ICICI Bank guilty of failing to ensure that fraudsters were not able to fake bank’s identity in sending emails to customers and not authenticating the identity of the person who accessed Sivasubramaniam’s bank account.
There was no way by which customers could identify an e-mail as not being from the respondent bank (ICICI); the bank could have obtained a digital signature for the officer responsible for communicating with customers, thereby providing a layer in authentication of such mails, Davidar observed.
There appeared to be no effort of that nature by ICICI, he said, adding that access to the petitioner’s account details "reflects very poorly on ICICI’s systems and procedures in the event of a customer facing this situation."
It happened to be the first case filed in the country under Information Technology Act.
ICICI Bank has sought to reassure customers that their internet banking is fully secure and said they will appeal the ruling as the fraud was the result of the callousness of the customer (See the comment posted below on behlaf of ICICI Bank. Though GovernanceNow cannot be sure that it is from a bonafide, authorised officer of ICICI, we are publishing it in good faith.)