Customer Did Not Share OTP But SBI's "Most Hyped" 2-Factor Authentication Failed, Resulting In Cyber Fraud: Delhi HC Orders Compensation

Sanjana Dadmi

29 Nov 2024 1:15 PM IST

  • Customer Did Not Share OTP But SBIs Most Hyped 2-Factor Authentication Failed, Resulting In Cyber Fraud: Delhi HC Orders Compensation

    In a case of cyber fraud where a man lost money from his State Bank of India (SBI) account after clicking a link in an SMS, the Delhi High Court directed the SBI to compensate the customer for the lost amount, noting a “glaring service deficiency” on the part of the bank.The Court noted that the unauthorized transactions occurred without the customer sharing any OTPs, implying a breach in...

    In a case of cyber fraud where a man lost money from his State Bank of India (SBI) account after clicking a link in an SMS, the Delhi High Court directed the SBI to compensate the customer for the lost amount, noting a “glaring service deficiency” on the part of the bank.

    The Court noted that the unauthorized transactions occurred without the customer sharing any OTPs, implying a breach in the bank's security systems. Terming the SBI's security protocols the "most hyped 2-Factor Authentication [2FA]," the Court said that the SBI was responsible for deficiency in service. 

    In the present case, the petitioner had taken care not to share the OTPs, in fact he had no occasion do so, and if that is the case, it would imply that even the most hyped 2 Factor Authentication [“2FA”] was breached as the same was not secure, which is directly attributable to deficiency in service provided by the respondent no. 2 & 3 SBI” Justice Dharmesh Sharma noted.

    Background

    The petitioner, aged 55 years, received an SMS containing a link on 18.04.2021. He then received a call from an unknown caller asking him click on the said link to keep his SMS services operational. Upon clicking the link, a total sum of Rs. 2,60,000 was withdrawn from his SBI savings bank account in two transactions.

    The petitioner immediately called the SBI's Customer Care to register a complaint and seek a hold on the two transactions. However, it was unsuccessful as the transactions had already been processed.

    He then filed a complaint before Branch Manager, SBI, Greater Noida, in addition to filing a cyber complaint and police complaint. As the SBI did not resolve petitioner's grievance, he filed a complaint before the Banking Ombudsman (BO) against SBI on 26.04.2021.

    During the pendency of the complaint, the Chief Manager of SBI sent a letter to petitioner stating that his complaint is rejected on the grounds that the transaction took place through internet banking where the OTPs were received by him and that he clicked a link sent by an unknown person.

    Subsequently, the BO ordered that the SBI deposit a sum of one-third of the disputed amount i.e., Rs. 33,334 to the petitioner's account. The SBI deposited the said amount and the complaint was closed.

    The petitioner approached the Court to seeking SBI to restore the entire amount lost due to the cyber fraud.

    Liability Of Customers For Unauthorized Transactions

    The Court noted that the petitioner denied sharing OTPs with the unknown callers. The Court referenced SBI's written submission, which indicated that, according to the documentary evidence provided by the bank, the BO observed the petitioner was logged into internet banking and that OTPs were received on his mobile number for approval. However, the Court noted that the documentary evidence was not submitted on record by SBI, stating that it had been “deliberately kept away”.

    The SBI relied on a RBI Circular “Customer Protection– Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” dated 06.07.2017. Clause 7 of the Circular states that a customer shall be liable for the loss occurring due to unauthorized transactions in cases where the loss is due to negligence of the customer.

    Here, the Court was of the view that there was no 'negligence' on part of the petitioner. It observed that the petitioner did not share any payment credentials or OTPs. It noted that the unauthorized transactions took place only upon clicking the link received through SMS. 

    “The record shows that he had never shared the payment credentials, which fact is fortified from the written submissions filed by the respondents that the OTPs were not shared by the petitioner as such. It is merely upon clicking on a link received on his mobile phone after he was duped into believing that his SMS services would be blocked, that the said unauthorized transactions took place.” 

    The Court opined that the petitioner was a “victim of cyber fraud” and not 'negligent' in any manner under the context of civil or criminal law, 

    It stated that negligence implies duty of care that would be expected from a person of ordinary prudence. Negligence of customer should be such which is “gross, utterly reckless and unconscionable”, it added. 

    The Court noted that SBI failed to provide a satisfactory explanation for their inability to initiate a chargeback or block the amount despite the petitioner's complaint to the customer care within a few minutes from the unauthorized transaction. 

    Deficiency In Services By SBI

    The Court referred to the RBI's Circular “Master Direction on Digital Payment Security Controls” dated 18.02.2021, which lays down guidelines for governance and management of security risks. Regulation 4 provides that 'Regulated Entities' (RE), which include scheduled commercial banks should formulate policies for efficient dispute resolution mechanism and handling of customer grievance. Further, Regulation 50 provides that the REs should endeavour to build instant reporting of fraudulent transactions to the corresponding beneficiary/counterparty's RE. 

    Referring to the Master Circular, the Court remarked “In the light of the aforesaid regulations, it is evident that the security protocols such as '2FA' or OTP verification had been breached by a simple 'malware' deployed by the cyber fraudsters.” 

    It stated that the security apparatus of the SBI failed to detect any unusual logging activity from a different IP address used by the fraudsters. It added, “It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses.”

    It noted that SBI failed to take immediate measures to take up the issue with the other REs to whom the online payment had been remitted.

    Noting that the SBI' response waslukewarm, defective, and not prompt”, the Court held that there was patent deficiency in services on part of SBI. 

    It observed that the unauthorized transaction fell within “zero liability” of the RBI Circular dated 06.07.2017, meaning the petitioner is entitled to entitlement to zero liability due to the deficiency on the part of the bank.

    The Court found the SBI liable for providing compensation to the petitioner for the losses incurred. It thus directed the SBI to pay Rs. 2,60,000 with interest @ 9% p.a. to the petitioner and a further cost of Rs. 25,000 for costs of legal proceedings. 

    Case title: Hare Ram Singh vs. Reserve Bank Of India & Ors. (W.P.(C) 13497/2022)

     Click Here To Read/Download Order 


    Next Story