MUMBAI: The Kotak Mahindra Bank recently detected a massive fraud in which 1,730 transactions worth Rs 2.84 crore were carried out using credit cards it had never issued. The cards, 580 in all, were fabricated by the fraudsters and used for online shopping and making payments in seven countries (Canada, USA, UK, Germany, Brazil, France and India) between July 2 and September 10.

An internal probe by the bank revealed that the cards were created by stealing data from a newly created series of unissued cards, all within the BIN (Bank Identification Number) range.

A complaint was lodged with the Bandra-Kurla Complex (BKC) cyber police station on October 2 by the bank’s credit card division chief manager Tanmay Sawant. Investigators probing the case suspect that the bank’s BIN range card numbers may have been compromised. They said the names of customers used on the cards were all fake.

The complaint stated, “The new card series order was raised by the bank’s product team and an order was given to DZ Card India Ltd at Gurgaon that has acquired the contract to create our bank’s cards. We have generated and registered three BIN Range (numbers) of the new cards (Visa and MasterCard)… Unknown persons forged and fabricated (the) cards and used the same as genuine.”

On September 8, the bank noticed the suspicious transactions, and suspicion was further raised when no settlement was made for the transactions after payments were made through the cards, investigators said.

The FIR stated, “The settlement amount of the said transactions were (sic) usually high, which was brought to the notice of the Internal Risk Management (department). On investigation further (sic) it appeared that between July 2 and September 10, there were approximately 1,730 fraudulent transactions of Rs2.84 crores which were transacted through the MasterCard network through various cards having the bank’s new BIN series which was not issued.”

Investigators said the bank mentioned that depending on customers’ demands for cards, it prints and creates cards from a new series that is being registered with MasterCard. The bank has alerted the MasterCard division headquarters at New York and has blocked all the 580 cards used in the fraudulent transactions.

Joint commissioner of police (crime) Atul Kulkarni is supervising the probe team of additional commissioner of police (crime) KMM Prasanna, and the BKC cyber cops have sought details from MasterCard and details of transactions made across India using the cards to track down the fraudsters.

Prasanna confirmed to TOI that they have registered a complaint in the matter but refused to divulge further details.

How the fraud came to light

* The bank, after learning of fraudulent transactions on September 8, asked MasterCard to stop processing of further transactions
* Probe conducted by the bank indicated it was a case of fraud committed by unknown persons who had forged and used the BIN number series and fabricated and created cards within the series between July 2 and September 10

What is BIN range?

The first 6 digits of a credit card number are known as the Issuer Identification Number (IIN), previously known as Bank Identification Number (BIN). These identify the institution that issued the card to the card holder. The rest of the number is allocated by the card issuer. The card number’s length is its number of digits. Many card issuers print the entire IIN and account number on their card.

How such fraud occurs

* Mail and the Internet are major routes for fraud against merchants. If the card is not physically present (called CNP, card not present), the merchant must rely on the holder (or someone purporting to be so) presenting the information indirectly, whether by mail, telephone or over the Internet
* It is difficult for a merchant to verify that the actual cardholder is authorizing the purchase. A common recent preventive measure is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information
* Small transactions generally undergo less scrutiny and are less likely to be investigated by the card issuer or the merchant

What banks can do to prevent such fraud

* Format-preserving encryption: The account number is replaced with a strongly encrypted version which retains the format of the card data, including non-sensitive parts of the field such as the first six and last four digits
* PAN truncation: Only some digits on a card are printed on receipts
* Tokenization: An artificial account number (token) is printed, stored or transmitted in place of the true account number

IPC & IT sections applied

IPC:
465 | Forgery (imprisonment may extend to two years, or fine, or both)
467 | Forgery of valuable security (imprisonment may extend to ten years, and fine)
468 | Forgery for purpose of cheating (imprisonment may extend to seven years, and fine)
471 | Using as genuine a forged document or electronic record (shall be punished in the same manner as if he had forged)

IT Act:
66 | Computer-related offences (punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or both)
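
The "never issued" condition in this case comes down to an issuer-side check: a card number that falls inside a registered BIN range still has to match the inventory of cards actually issued. The Python example below is added here for illustration and is not code from the bank or the article; the BINs, card numbers, record layout and the 16-digit length are constructed assumptions.

```python
from collections import defaultdict

# Constructed data: these BINs, PANs and records are illustrative, not real.
REGISTERED_BINS = {"999901", "999902"}            # series registered with the network
ISSUED_PANS = {"9999010000000011", "9999020000000029"}  # cards actually issued
PAN_LENGTH = 16                                   # assumption: this issuer's card length

SAMPLE_AUTHS = [  # (authorization id, PAN, amount in rupees, country)
    ("A1", "9999010000000011", 1200, "IN"),   # issued card
    ("A2", "9999010000000458", 16400, "CA"),  # registered BIN, never issued
    ("A3", "9999020000007731", 9800, "BR"),   # registered BIN, never issued
    ("A4", "9999010000000458", 450, "CA"),    # same unissued number, small amount
    ("A5", "4000000000000002", 700, "GB"),    # another issuer's BIN
    ("A6", "99990100000004", 300, "IN"),      # wrong length
]

def truncate_pan(pan):
    """Keep only the first six and last four digits for alerts and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def classify(pan):
    """Decide how the issuer should treat a PAN seen in an authorization."""
    if not pan.isdigit() or len(pan) != PAN_LENGTH:
        return "malformed"
    if pan[:6] not in REGISTERED_BINS:
        return "other_issuer"
    # A BIN match only proves the number is in our range, not that we issued it.
    return "issued" if pan in ISSUED_PANS else "unissued_in_range"

def report_unissued(auths):
    """Summarise, per BIN, authorizations on numbers that were never issued."""
    cards = defaultdict(set)
    rows = defaultdict(lambda: {"auths": [], "total": 0, "countries": set()})
    for auth_id, pan, amount, country in auths:
        if classify(pan) != "unissued_in_range":
            continue                      # no amount threshold: small ones count too
        cards[pan[:6]].add(pan)
        row = rows[pan[:6]]
        row["auths"].append(auth_id)
        row["total"] += amount
        row["countries"].add(country)
    return {b: {"cards": len(cards[b]), "masked": sorted(map(truncate_pan, cards[b])),
                "auths": r["auths"], "total": r["total"],
                "countries": sorted(r["countries"])} for b, r in rows.items()}

if __name__ == "__main__":
    for bin_, row in report_unissued(SAMPLE_AUTHS).items():
        print(bin_, row)
```

The report counts distinct cards on the full number but emits only truncated values, so the alert itself does not become another store of card data.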