Team-BHP (https://www.team-bhp.com/forum/)
Quote:
Originally Posted by Haste
(Post 4075007)
My friend was scammed into giving my credit card information over phone. I know he shouldn’t have given away his credit card information and multiple OTPs which he received on his phone
Was it your credit card or his that was compromised?
Could you also shed some light on how this scam happened - if only to educate the rest of us? It seems like some social engineering attack.
As noopster has said, the two-factor authentication provided by the OTP will indicate that there is no credit card fraud (i.e. not an unauthorized charge), since it is the card holder who has willingly paid for some goods/service; but that turned out to be fraudulent.
Unlike countries like the US, we don't have credit card protection where if you're dissatisfied with the goods/service, you can "hold" the credit card payment. So the bank issuing the credit card is totally out of the loop once your friend authorized the transaction with the OTP.
Quote:
Originally Posted by Haste
(Post 4075007)
Also I looked at some of KYC forms, they seem poor people whom I guess too would have been scammed into giving their ID proofs.
What additional steps can we take to further our cause ? They also might have a part in fraud KYCs.
Coming to the bank into which PayTM credited the funds: first, check with someone who knows these things better (e.g. auditor, tax lawyer), and see if you have grounds to raise a complaint with the RBI's Banking Ombudsman. Their FAQs are here and their online complaint form is here.
Realistically, I think it's best to accept this as a harsh and expensive lesson, and move on. If any good comes of it in terms of funds recovered, treat it as a bonus.
Quote:
Originally Posted by Haste
(Post 4075007)
Can we sue PayTM since they are also culprits in a way as we had notified them as same day when it happened but they don’t have any live phone number where can talk to people directly, so all we could do is send them email for which they took 2 days to respond and all the money had transferred by then. They also might have a part in fraud KYCs.
You can do that, if you want to throw another 2-3 lakhs beyond the 2 lakhs that you already lost. To prove that they are culprits, you need to prove their culpability. Best of luck doing that in this case.
Btw, this page on PayTM's website lists several phone numbers for contacting PayTM.
Quote:
Originally Posted by Tapish
(Post 4075056)
As for KYC, any bank/ financial institution does not have the responsibility to verify beyond KYC. If you give a PAN card that matches the name on the account and that largely matches the photograph- that is pretty much it.
This is not accurate.
Banks have fairly stringent KYC norms to follow. At the very least, the OP can make some things quite unpleasant for some officer of the bank in this case.
Quote:
Originally Posted by gupta_chd
(Post 4075245)
Some awareness advertisements/ campaigns should be run by govt on TV so that this menace can be tackled
I see SBI and associate banks advertising on TV about these scams. My other banks have been emailing and snail-mailing stuff too. It is not as if there aren't any awareness campaigns run by banks; it is just that the customers are, not to put too fine a point on it, idiots.
Quote:
Originally Posted by noopster
(Post 4075365)
The whole idea is that your credit card can only be authorised for online payment AFTER you have entered the second factor which in this case is linked to a message received on your registered mobile phone. When this was first introduced in India I thought it was an unnecessary headache. But given the number of online transactions I routinely perform, am really thankful for the wisdom of our lawmakers now. It's virtually fool-proof.
Well, not fool-proof as we have seen already. :-) To quote Douglas Adams, "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools".
Btw, these OTP-based systems don't exactly match the 2-factor model; many of them are of a category "Wish it was Two-Factor" as exemplified in this case.
Edit: One more thing - banks could put a stop, or greatly reduce this sort of thing if they put their mind to it and not worry about the cost all the time. Instead they lobby for these sort of misguided two-factor implementations so that the cost of any misuse can be completely dumped on the customer.
With HDFC severely devaluing all their cards, I've decided to use my Superia card less often and signed up for a new IndusInd Platinum card. The offers on the card look really good and much better than the HDFC card I'm holding. The fact that it's a lifetime free and no minimum spend limit card, made it a no-brainer for me. Waiting to get my hands on it.
Quote:
Originally Posted by noopster
(Post 4075365)
I am in fact extremely curious what persuaded your friend to share a transaction password over the phone with a third party, presumably unknown to them.
They tell a story that reward points are there on your card and they will convert it to statement credit, also another offer through cashback will be earned on future transactions, but for that they need to reduce credit limit.
They tell you will receive some transaction messages as they will reduce credit card limit. Also they need the OTP to authenticate the transactions. Once you give OTP they tell it didn't go through, share again and like that...
The thing is, they sound very professional and also they have some details already that you were sent a new credit card recently as older one expired (this information is sourced via courier companies I guess) and approx credit limit and reward point balance (I guess they could be making a wild guess).
You are right, and as others said the OTP system is kind of fool proof, however there are people who aren't that aware or can be persuaded easily. This scam is fairly common, police told that there are large call centers in Delhi/NCR involved in same practice and all of them use PayTM or some digital wallet as intermediate :( , since it's an easy way to charge a card. See below link, it's getting more and more common:
http://www.business-standard.com/art...0400746_1.html
These stories vary, sometimes they tell you will get personal loan at reduced rate (sourced from bankbazar or policy bazar or others), or sometimes even worse they tell people you will get a job through their special services for unemployed (which information can be easily sourced from job portals).
If it is getting so out of hand, paytm should take some steps to reduce it, like if they just put a hold of some days that when you charge a card, you can't withdraw for like 3 or 5 days to bank, the scam will reduce.
Otherwise they can just beef up customer support for security cases like provide a live person for that (duh).
Quote:
Originally Posted by Haste
(Post 4076088)
Also they need the OTP to authenticate the transactions. Once you give OTP they tell it didn't go through, share again and like that...
Ah, I see the problem. When an OTP is used on the Internet, the payment is routed through a standard page to verify the OTP (for my IndusInd card, it goes through Arcot, I presume it's the same or similar for other banks). All payment gateways based in India have implemented this, so it just works transparently and seamlessly.
However, on the phone, OTPs are meant to be entered via an IVR system where you have to type the OTP on the keypad for the touch tone to be recognized by the IVR system. Unfortunately, this doesn't appear to be common knowledge for customers, so they think it's safe to provide an OTP over the phone.
Quote:
Originally Posted by binand
(Post 4075436)
You can do that, if you want to throw another 2-3 lakhs beyond the 2 lakhs that you already lost. To prove that they are culprits, you need to prove their culpability. Best of luck doing that in this case.
lol that quote is too funny
We did not see that page, all we saw was paytm IVR helpline number in customer care which just tells to send email
It's not bank KYC, it's paytm KYC which has dhodu.com stamp (online dhobi website). But nonetheless, we have told same information to police, hope they follow up with them (although not expecting much from them, judging by their attitude), don't know what are our options to follow it up on my own for this?
Quote:
Originally Posted by arunphilip
(Post 4075384)
Was it your credit card or his that was compromised?
It's my friend's. If it had been goods/services it might have been recovered as it takes time to deliver. However through these digital wallets, it has given any person the power to charge a card and transfer it to bank immediately, it is too risky.
Thanks for RBI's link, I'll try if something comes out of there.
Quote:
Originally Posted by jayded
(Post 4075804)
With HDFC severely devaluing all their cards,
I've got a Regalia and am looking at other options too after points get devalued. My main issue with Regalia redemptions of points is that it doesn't allow postpaid payments for mobile and their travel portal is priced higher than most other travel websites for hotel bookings.
All other vouchers and redemption options are overpriced.
Any further devaluation from present rates will not be good.
Quote:
Originally Posted by BenjiRoss
(Post 4076209)
I've got a Regalia and am looking at other options too after points get devalued. My main issue with Regalia redemptions of points is that it doesn't allow postpaid payments for mobile and their travel portal is priced higher than most other travel websites for hotel bookings.
All other vouchers and redemption options are overpriced.
Any further devaluation from present rates will not be good.
Exactly. Their rewards redemption is not that great. I am redeeming all my points before November deadline. Already redeemed a 1TB WD Hard-disc. Still another 2000 odd points to redeem. After November, the value is being almost halved.
May have been posted before, but still :
When any bank's agency / rep calls offering a specific card, you can always ask for any other card of that bank. Something where the benefits are more in line with your usage.
My HDFC card expires in next couple of months. They sent me an automated email mentioning the same. Since I don't want to continue it, I simply asked them to not renew. Turns out, one can't simply do that :D.
I have to either reject delivery or send them the cut card to cancel it. Don't know why would they want to bear the renewal and shipping cost when I am informing them in advance that I don't want it.
Quote:
Originally Posted by binand
(Post 4075436)
Btw, these OTP-based systems don't exactly match the 2-factor model; many of them are of a category "Wish it was Two-Factor" as exemplified in this case.
Secret questions aren't 2-factor authentication :D. But isn't OTP 2 factor?
1st factor: One which user knows (bank username & password)
2nd factor: One which user has (his/her phone, number registered with bank)
Quote:
Originally Posted by Haste
(Post 4076088)
They tell a story that reward points are there on your card and they will convert it to statement credit, also another offer through cashback will be earned on future transactions, but for that they need to reduce credit limit.
Golden rule of online security: Never accept anything, unless you specifically went for it. This applies (but not limited) to,
1) Somebody you never knew wanting to transfer money into your account
2) Some web popup wanting to install some application
3) Somebody, you don't know, trying to sell you something, without any offline interaction.
My card tips:
1) Between using debit & credit for shopping, always use a credit card. Credit card usage improves your credit score, which will benefit when getting a loan. Some cards come with fraud protection, which can be reported to the bank and they will mostly reverse it, and insurance cover for outstanding amount in case someone cannot pay for valid reasons. Note that never buy items on your credit card that you can't afford to buy with your debit card.
2) Between using debit & credit for withdrawing cash, always use debit card. This is the only purpose of debit card :). In case you had to withdraw cash on your credit card, transfer that amount to credit card ASAP.
3) Get a credit card where you can easily make the monthly payment. Usually, it is easier to make payment if the card is linked to your savings bank. You might be tempted to get a card with attractive offers (like movie ticket free & so forth). Note that these offers are for a limited period and when they expire you will be left with a useless card, which you have to run from pillar to post to get canceled.
4) Some organizations require your card number for auto debiting periodically (like magazines, insurance payment, etc). You can share the card number with caution, but never ever share the CVV number.
Quote:
Originally Posted by msdivy
(Post 4084760)
But isn't OTP 2 factor?
1st factor: One which user knows (bank username & password)
2nd factor: One which user has (his/her phone, number registered with bank)
The second factor, "that which the user has", is technically supposed to be the SIM card (not phone). Two problems make it wish-it-was-two-factor:
- Due to lax issuance procedures, possession of the SIM card does not signify authentication (crooks can obtain SIM cards in my name).
- Due to the relative long lifetime of the OTP (15 mins minimum), possession of the SIM card at the time of authentication cannot be guaranteed.
#2 is what happened in this case, but #1 is also amply documented in the press (see, for example: http://timesofindia.indiatimes.com/a...w/55022507.cms).
These two lacunae in the OTP model followed by our banks severely compromise the 2-factor authentication they want to practise.
I like TOTP-based authentication with a mobile client as "poor man's 2FA", because it adequately addresses both the issues above. To mitigate #1, it depends on the mobile device and not the SIM card, and #2, it has OTP lifetime of only about 1 minute. It has a somewhat cumbersome enrollment procedure, though - which could fail at scale. Yet, in my view banks make a lot of money off us; so they need to fix these issues or invest in true 2FA systems (like Yubikey or some such).
Quote:
Originally Posted by rdst_1
(Post 4051244)
Guys who are using HDFC Regalia, are you guys not perturbed by the fact that they have now stopped giving reward points for fuel purchases.
HDFC now claims to give 5x reward points on all BP fuel transactions with HDFC POS terminals till March 2017. I am yet to try this.
I had stopped using my HDFC credit card for fuel. I use Citi if at Indian Oil and HDFC debit card everywhere else. Recently used Amex at HP because of 3% cash back, so that's a good option now for HP.
Any recommendations for a good cashback card? I used to have a HDFC one, which reduced the cashback drastically, so I did not renew it post expiry. Major uses for me are automated utility bill payments, fuel occasionally and some shopping once in a while.
PS: Closing the card was another experience in itself, the customer care is almost illiterate!! They don't understand a word of what is written in emails, and what the customer is requesting :)
Recently I shopped at one of the In and Out outlets and paid using my credit card. To my utter surprise, there was a petrol surcharge of 16 rupees on my credit card in the next statement. When I went and asked the store manager he coolly says that I should have used HDFC credit card. I told him it's his work to not take a separate line of cards for the shop!