KERALA STATE CONSUMER DISPUTES REDRESSAL COMMISSION SISUVIHARLANE

VAZHUTHACADU THIRUVANANTHAPURAM

CC.NO.47/12

JUDGMENT DATED : 09.11.2016

PRESENT
| Printed using casemine.com by licensee : National Law University Jodhpur

SRI.K.CHANDRADAS NADAR : JUDICIAL MEMBER

SMT.A.RADHA : MEMBER

COMPLAINANT

Dr.Shabbir Khan Rajan Rawther,

S/o.Ahmed Khan Rajan,

Residing at “Rafee Mahal”,

311, Prasanth Nagar,

Medical College.P.O

Thiruvananthapuram

(By Adv.Sri.P.K.Mani)

Vs

OPPOSITE PARTIES

1. Axis Bank Ltd,

-1-
 Rep.by its Managing Director,

Chief Executive Officer,

Corporate Office,

Bombay Dying Mills Compound,

Panduranga, Bhudhkara Marg,

| Printed using casemine.com by licensee : National Law University Jodhpur

Worli, Mumbai

2. The Branch Head Axis Bank Ltd,

41/419, Ground Floor,

Chicago Plaza, Rajaji Road,

Ernakulam – 682035

3. The Vodafone Cellular Ltd,

Rep.by its Circle Head,

Vodafone Circle Head Office,

Angels Arcade, South Kalamassery,

Cochin – 682022

4. The Manager,

Circle Head Vodafone Cellular Ltd,

Vodafone Store,

Ground Floor, Ravi Chambers,

Nagarjuna Circle,

Panjagutta, Hyderabad – 50082

(Ops 1 & 2 by Adv.Sri.S.Reghukumar)

-2-
 (Ops 3 & 4 by Adv.Sri.G.S.Kalkura)

JUDGMENT

SRI.K.CHANDRADAS NADAR : JUDICIAL MEMBER

This is a complaint filed Under Section 17 of the Consumer Protection Act. The
allegations in the complaint in brief are the following. Complainant is having Vodafone mobile
| Printed using casemine.com by licensee : National Law University Jodhpur

connection with No.9846289101. While working as a Medical Officer, at the Lakeshore Hospital,
Cochin, complainant opened two accounts with the second opposite party a branch of the first
opposite party banking company. At the time of opening the accounts complainant has availed net
banking facility from opposite parties 1 & 2 on their specific assurance that net banking is highly
secure. Opposite parties 1 & 2 never conveyed the complainant that net banking facility involves
risk of any kind. For operating net banking, there are three levels of passwords. After entering the
customer ID and password the account holder can operate the account. In order to transfer funds to
another account or bank a transaction password must be entered. On entering the transaction
password immediately message will be received in the mobile phone of the customer registered
with the net banking containing an eight digit one time system generated password called net
secure password. On entering the above one time password the transaction will be processed or
completed. Thereafter, the details of the transaction will be received as S.M.S to the mobile
number of the customer from the system of the bank.

2. On 30.03.2012 between 4.p.m and 6.p.m the mobile phone of the complainant went
dead. He contacted the Vodafone customer care from another phone. But he was asked to contact
the store for details. Since the store closes by 7.30.p.m. he was not able to go to the store on time.
Therefore on the next day around 2.30 p.m. complainant visited the vodafone store at Kadavantra
(Cochin) to know the details. Complainant was informed that his SIM was replaced with a
duplicate SIM on a request submitted before the 4 th opposite party. The store manager Kadavantra
showed the complainant, the request in their system made for replacement with a new SIM in the
mobile number of the complainant, the request came to the Vodafone on 24.03.2012 and on the
basis of such request new SIM was issued on 30.03.2012. The 4 th opposite party deactivated the
SIM of the complainant when duplicate SIM was issued to some unknown persons without the
knowledge of the complainant and without intimating the complainant. Even the genuineness of
the request was not confirmed. Normally, when there is request to replace SIM the same would be
intimated to the customer by sending SMS or by contacting over phone. But the complainant was
not given any such intimation. It is understood that duplicate SIM was issued to unknown persons
on the basis of forged ID proof that is a forged photocopy of the password which bears the photo
of some unknown person and forged signature. The fourth opposite party failed to verify the
genuineness of the request and ID proof submitted which is clear negligence and irresponsibly on
the part of the fourth opposite party. The SIM used by the complainant was issued from Kerala.
But the duplicate SIM was issued at Hyderabad even without verifying the genuineness of the
request for replacement of the SIM and the ID proof submitted. The details of ID proof and photo
of the complainant could have been easily cross checked by opposite parties 3 & 4 in their system.
The complainant questioned the illegal action of the fourth opposite party. But they could not give
a satisfactory explanation. On realising that the mobile number of the complainant was misused
opposite parties 3 & 4 immediately cancelled the SIM issued to unknown persons and issued a new
SIM to the complainant from the Vodafone store at Kadavantra.

-3-
 3. On 31.03.2012 around 8.30.p.m.complainant received an SMS in his mobile phone
stating that an amount of Rs.50,000/- had been credited in his account. Since it was unexpected he
checked his account through on line. But he was not able to access his account, but it was
displayed in valid user name or password. The repeated attempts to trace out his account failed.
Hence he suspected that something wrong had happened and he rushed to an ATM machine near
his hospital and took a mini statement from his accounts. He found that an amount of Rs.9,42,000/-
was transferred to some other accounts by that time without his knowledge from one of his account
and another Rs.1,72,500/- was transferred from the other account. Thus, complainant lost total
amount of Rs.11,14,500/- from his accounts. Complainant immediately contacted the customer
care of the first opposite party and got both these accounts blocked. But the bank was not able to
| Printed using casemine.com by licensee : National Law University Jodhpur

give any proper explanation. Hence complainant lodged a complaint with the Central Police
Station, Cochin. On the basis of the complainant police registered FIR No.840/12 on 01.04.2012.
Nine persons were arrested in connection with the crime and the investigation is continuing.
Complainant came to understand that the amounts were transferred to 20 different accounts during
the night on 30 th and morning on 31 st April 2012.Amounts were transferred to 18 other accounts
of the first opposite party bank all over the country. ICICI Bank, Calcutta branch and Kodak
Mahendra , Secundrabad branch are the two other banks to which amounts were transferred. The
SMS received by the complainant that an amount of Rs.50,000/- was credited to his account was
actually the amount returned to his account due to some problem when fraudulent attempt was
made to transfer amount to HDFC bank. After the fraudulent transactions only negligible balance
remained in the accounts of the complainant. Complainant sought explanation from the bank but
the reply given was casual. The bank is primarily responsible to keep the amounts deposited with
them in utmost security. If something happens to the amounts deposited with the bank they are
bound to return the amounts to the customer. The fact that amounts were transferred to 18 other
accounts of the first opposite party bank itself proves that it could not have been done without the
help of the first opposite party. They are bound to recover all the above amounts from the culprits
and reimburse the loss sustained by the complainant. The amounts transferred to the ICICI and
Kodak Mahendra banks are also liable to be recovered from the persons concerned. The bank has
not initiated any legal proceedings before the police or any other appropriate forum to recover the
amount lost by the complainant. This inaction points to the culpability of the bank. Opposite
parties 1 & 2 have also failed to follow the guidelines of the Reserve Bank of India regarding net
banking. They failed to take sufficient protective measures to avoid hacking of the accounts of its
customers. The ID and password of the complainant could have been leaked from the bank itself.
All this amounts to deficiency in service on the part of opposite parties 1 & 2. The complainant is
also liable to be compensated for the mental agony and mental trauma suffered by him.
Complainant issued notice through lawyer to the Axis Bank on 09.04.2012 calling upon them to
pay the amounts lost by the complainant in addition to compensation for the mental trauma and
agony suffered by him. But the first opposite party denied their liability raising untenable
contentions. The complainant had not leaked his ID or password to any third party. But the bank
failed to provide sufficient security to prevent fraudulent transactions in banking. The first opposite
party uses 128 bit encription which is easy to hack. First opposite party does not provide virtual
key pad in internet banking to prevent key loggers attack. All the banks provide virtual key pad, so
that hackers do not get hold of the key strokes by sending key logger virus to the personal
computers. The bank has also failed to comply with the provisions of the Prevention of Money
Laundering Act of 2002. Such a huge amount was allowed to be withdrawn on a single day when
sealing limit for a single day transaction through net banking used to be Rs.50,000/- only. The
relationship manager of the bank was aware of the fact that the amount was deposited by the
complainant for the purpose of higher studies in London.

-4-
 4. There was also attempt on the part of the culprits to get a prepaid connection in the name
of the complainant which was issued by the fourth opposite party but when they failed to operate
with duplicate SIM and transfer money, they applied for post paid connection in the name of the
complainant which was also issued by the 4 th opposite party. The third opposite party also did not
take any step to lodge complaint with the police. They are also equally liable to compensate the
complainant. Notice was issued to the Vodafone Company also through the lawyer of the
complainant claiming compensation. But in the reply notice they could not meet the allegations
levelled against them. Since the complainant lost his money, he could not remit amount for his
higher studies and he lost admission for higher studies. Opposite parties are also liable to
compensate the complainant under section 43 A of the Information Technology Act 2000.
| Printed using casemine.com by licensee : National Law University Jodhpur

Complainant seeks direction to the opposite parties to pay an amount of Rs.11,14,500/- with
interest at the rate 18 % per annum from 30.03.2012. Further complainant seeks compensation of
Rs.75,00,000/- for the mental trauma agony and loss suffered by him.

5. Opposite parties 1 & 2 filed joint version and opposite parties 3 & 4 filed separate joint
version. The contentions raised by opposite parties 1 & 2 are that the mobile phone number
mentioned in the complaint is the one registered by the complainant with the bank. The
complainant opened the second account with the bank as he was fully satisfied with the services
provided by the bank. To the enquiries made by the complainant about net banking the officials of
the bank explained the procedure involved in internet banking and also the advantages and
disadvantages of the same. Opposite parties 1 & 2 categorically explained to the complainant that
at any cost the security password and other details should not be compromised with a third party
unknowingly or as answer to phishing messages received from unknown persons. The bank has
categorically informed all its internet banking customers that they should not divulge the
confidential credentials to any person including the bank or its officials. The banking systems
including the internet banking system of opposite parties 1 & 2 is technically sound and is in
accordance with the provisions of the Information Technology Act and Rules as well as the
guidelines and regulations of the Reserve Bank of India. The details of procedure involved in
internet banking are as narrated in the version. The transactions are carried out online. In the
internet banking scenario, the customer is faceless. The customer is provided with user ID and
password printed in a PIN MAILER and is passed on to the customer duly sealed. The password in
internet banking is stored in the system in a hashed form which is better than encrypted form. The
internet system administrators or any other user do not have access to customer’s internet banking
account. Internet banking security cheque is conducted regularly and the software is free from
security vulnerabilities as per audit reports.

6. On getting message on 31 st March about the credit of Rs.50,000/- in the account of the
complainant he directly logged into the net banking. However, he could not operate the same as
the fraudsters changed the password / user name etc. Phishing attacks are very common these days
by which the miscreants obtain customers credentials through social engineering. Malicious
programmes like Trojans are also serious threat these days. It is possible that the customer may be
innocent. But the credentials were compromised through Trojan. The bank has taken all possible
measures to help the complainant. The allegations to the contrary are incorrect. When the
complainant’s father contacted the RM of the second opposite party and informed about the
unauthorised debits, he was advised to immediately contact the customer care. The beneficiary
accounts were checked and steps were taken to block the said accounts. But the amounts
unauthosedly transferred to those accounts had already been withdrawn on 30 th and 31 st itself
through ATMS and only nominal balances were available in the said accounts. On 02.04.2012 the
second opposite party received written complaint and blocked the debit cards and deactivated the

-5-
 i-connect ids of all the beneficiary accounts. Mails were also sent to all concerned branches and
branch heads of respective branches were personally contacted over phone and apprised of the
situation. Later, the local branches of ICICI Bank and Kodak Mahindra Bank were apprised of the
situation directly in person. The accounts were frozen by the respective banks. The second
opposite party submitted statement of accounts of all the beneficiaries to the investigation team and
readily co-operated with the investigation. The money deposited by the complainant is not lost on
account of the negligence of opposite parties 1 & 2. It is incorrect to say that the employees of the
bank or the branch will be in a position to know the details of complainant’s password transactions
etc. The server is located at Mumbai and all the data is stored in computer language. In the instant
case the fraudsters logged into complainants’ account using login id. Login password and
| Printed using casemine.com by licensee : National Law University Jodhpur

transaction password and other details which he has compromised knowingly or unknowingly and
further using the duplicate SIM card procured in the name of the complainant and not that the
banks system was hacked. The bank has also implemented strong authentication system through
two factor authentication in their retail internet banking for fund transfers above Rs.5,000/- which
binds the customer to the transactions through a onetime password token. The complainant is a
innocent victim of internet fraudsters and the bank had no role directly or indirectly in the
fraudulent phishing attack that happened in the account of the complainant. If a person comes to
open an account and if it talleys with all necessary KYC documents and directions of RBI and is in
terms of banking Law and practice the bank cannot refuse to open such an account on mere
apprehensions. The co-operation of opposite parties 1 & 2 paved the way for the arrest of two
culprits by police. The investigating officers also came to the conclusion after investigation that
fraud was played by outsiders and not by any of the employees of opposite parties 1 & 2. The fact
is that due to some coincidence the complainant knowingly or unknowingly might have
compromised the personal details known only to him. So someone was able to hack into
complainant’s account and do a phishing attack. It was complainants system that was hacked using
his duplicate SIM card and information including the password only known to him. Opposite
parties 1 & 2 have denied all the allegations in the legal notice issued to them. Hackers cannot
hack the bank’s server as banks systems are free from vulnerability as per security tests Moreover
a fraudulent transaction cannot be made as there are many security parameters required for making
a transaction successful. The RBI Team which conducted Annual Audit of the first opposite party
bank has not reported that the system and procedure followed by the first opposite party does not
conform to the RBI norms and stipulations. Hacking of the complainant’s system did not happen
due to any deficiency in service on the part of opposite parties 1 & 2. The bank had issued machine
generated messages to the mobile phone of the complainant after each transfer of money.
Unfortunately, the fraudsters were operating his accounts with the duplicate SIM card, they
obtained clandestinely, There is no permanent ceiling on the financial transactions a user wants to
do through internet, though the default ceiling of transaction limit is Rs.50,000/-. If a user wants to
increase the limit he can do so through internet banking up to Rs.5 lakhs. It is admitted in the
version that the loss to the complainant due to the fraud committed by unknown persons is
Rs.11,14,500/-.Opposite parties 1 & 2 have denied the allegation that they have disclosed details of
the complainants accounts to third parties. Opposite parties 1 & 2 have no control or authority over
the affairs of opposite parties 3 & 4. Opposite parties 1 & 2 are not liable to make good the loss
sustained by the complainant.

7. Opposite parties 3 & 4 have contended that the complaint is not sustainable against them
as there is no direct nexus between the alleged transaction and opposite parties 3 & 4. Opposite
parties 3 & 4 are providing tele communication services and extends normal acceptable standard of
service to his subscribers. 4 th opposite party is wrongly named in the complaint. Complainant is a
subscriber of the third opposite party. Opposite parties 3 & 4 are separate and independent entities.

-6-
 If any subscriber effects banking transaction the same is at the sole option of that subscriber. The
allegation that the mobile of the complainant went dead etc are not correct. SIM replacement was
made within the realm of the 4 th opposite party, after due verification of identity. There were no
procedural anomalies or non compliance of any legal formality. The third opposite party after
confirming the details as per the intimation of the executive granted consent for SIM replacement.
Due diligence was shown while replacing the SIM card of the complainant. The required document
copies were collected along with due request for SIM replacement. In the case of SIM loss or SIM
damage it will not be practical to contact the subscriber before SIM replacement. Opposite parties
3 & 4 filed police complaint in the matter. Only subsequently opposite parties 3 & 4 came to know
that forged ID proof was produced. Reasonable variation of identity in the photograph could also
| Printed using casemine.com by licensee : National Law University Jodhpur

be appreciated. The forged ID proof brought by the person to the office of the fourth opposite party
showed substantial resemblances to the photograph in the archive file of the third opposite party.
The allegations to the contrary are not correct. Opposite parties 3 & 4 cannot be held accountable
for any of the actions of opposite parties 1& 2. The allegations pertaining to what transpired
during the transactions in the bank are not known to opposite parties 3 & 4. It is incorrect to say
that opposite parties 3 & 4 issued duplicate SIM card in an irrepsonabile and callous manner.
Police investigation revealed that the ID proof originally submitted was also forged. It is incorrect
to say that there was no verification of genuineness of ID proof. Opposite parties 3 & 4 never
helped the alleged transfer of money. There was no deficiency in service on the part of opposite
parties 3 & 4 and the complaint is liable to be dismissed.

8. On the allegations in the complaint and the contentions raised the following points arise
for determination.

1. Whether the opposite parties or any of them have committed deficiency in service as alleged in
the complaint?

2. What are the reliefs if any the complainant is entitled to?

9. The evidence consists of the deposition of the complainant as PW1. Exts. A1 to A11
marked on his side, the oral evidence of three witnesses on the side of the opposite parties as DWs
1 to 3 and Exts. B1 to B9 marked on their side.

After recording evidence arguments were heard.

Point No.1

10. Complainant admittedly held two accounts in the second opposite party branch of the
first opposite party Axis Bank Ltd. He was also admittedly a subscriber of mobile phone
connection issued by the third opposite party Vodafone circle head, south kalamassery, Cochin.
The fourth opposite party is the Manager, Circle Head, Vodafone Store, Panjagutta, Hyderabad.
The grievance of the complainant is that on 30.03.2012 between 4.p.m and 6.p.m. his mobile
phone went dead. His attempt to contact the Vodafone store succeeded only around 2.30.p.m on
31.03.2012. Then he was informed that his SIM was replaced with a duplicate one on a request
submitted before the 4 th opposite party at Hyderabad. It turned out that complainant’s SIM was
deactivated and duplicate SIM was issued to unknown persons without due care and proper
enquiry thereby facilitating fraudulent withdrawal of amounts from his two accounts. Admittedly,
the complainant had availed net banking facility from opposite parties 1 & 2. Using the duplicate
SIM unknown persons operated the accounts of the complainant on 30.03.2012 and 31.03.2012

-7-
 and effected 20 transfers whereby amounts from the two accounts maintained by the complainant
were transferred to other accounts. Of these transfers 18 transfers were to other accounts of the
Axis Bank itself but outside the State of Kerala. The beneficiary accounts of the first opposite
party bank were maintained in various branches of the Axis Bank at places like Hyderabad,
Mumbai, West Bengal, New Delhi etc. The remaining two beneficiary accounts were maintained
by the branches of ICICI Bank and Kotak Mahindra bank.

11. According to opposite parties 3 & 4 who filed joint version, SIM replacement was made
as per due procedure including address proof verification and verification of the identity of the
subscriber. There was no procedural anomaly or lack of diligence in replacing the SIM card. Even
| Printed using casemine.com by licensee : National Law University Jodhpur

as per the version, there was only substantial resemblance of the photograph submitted for
duplicate SIM with the photograph in the archive File of the third opposite party. Opposite parties
3 & 4 examined DWs 2 & 3 to substantiate the allegation that due procedure was followed in
issuing duplicate SIM which turned to be the occasion for the fraudsters to hack the accounts of the
complainant. DW2 was working at the Panjagutta store of Vodafone (4th opposite party). She
seems to have claimed that the complainant went personally to the Hyderabad store for SIM
replacement. That this is untrue can be seen from her own subsequent version and the version of
DW3. She deposed that before SIM replacement they used to verify original proof of identity of
the customer. Then they will do some security checks. The customer has to submit the photocopy
of the identity proof. He will have to submit the SIM replacement form as well. These would be
forwarded to the Kerala Circle (the store from where original SIM was issued) After validation of
those documents by the Kerala Office, the SIM would be replaced. By using the signature
validation they confirm the customer. The original document produced by the complainant is the
passport. During cross examination DW2 deposed that when a new SIM issued the old SIM would
be deactivated. From then onwards the customer would not get any SMS sent to him. She admitted
that she saw the SIM replacement application, photo, signature and address of the applicant as
these were available in their system. According to her there was resemblance of photos and
signature on comparison with these in the original application and those submitted for duplicate
SIM. Along with Ext.A9 seizure mahazar SIM replacement form and passport (all photocopies) are
produced. Ext.A10 is the customer agreement form dated 25.05.2010. It is seen that driving licence
was submitted in proof of identity at that time. Ext.A10 was filed by opposite party No.3. To a
pointed question whether DW2 can see any difference in signatures in these sets of documents she
admitted that there is little bit of difference. In Ext.A9 the photograph is not clear. She claimed that
original passport was actually shown to her where photo was clear. To the further question that
photographs in Ext.A9 and Ext.A10 are different, DW2 answered that the photographs in the
subscriber application form was an old one and passport was a new one. During cross examination
DW2 admitted that she had never seen the complainant.

12. It may be observed that the application form for Vodafone connection submitted by the
complainant contains his photograph and is dated 22.05.2010. He had submitted copy of his
driving licence along with the application. It is also included in Ext.A10. It is seen that the SIM
was issued after verification and reverification. At the same time Ext.A9 which contains the SIM
replacement form is not fully filled up. No photograph of the applicant is submitted. The
application is seen submitted on 22.03.2012. It contains a signature purported to be that of the
complainant. Ext.A9 also contains the photocopy of the passport allegedly of the complainant. It is
seen that the photograph on Ext.A9 is that of an entirely different person than that of the
complainant. No expertise is required to arrive at this conclusion. Below the photograph a
signature purportedly of the complainant is seen. This signature is markedly different from that of
the admitted signature of the complainant seen on the customer agreement form contained in
Ext.A10. It is not mere dissimilarity. So it is quite obvious that opposite party no.4 allowed SIM

-8-
 replacement without verification of the identity of the applicant and in a casual way. The
circumstances are such that the 4 th opposite party in all probability knowingly aided the culprits in
procuring a duplicate SIM intended for fraudulent use.

13. The further question is whether the evidence of DW3, in any way improves the defence
of opposite parties 3 & 4. He is the customer service manager with opposite party no.3 for the past
4 ½ years. According to him, SIM replacement would be allowed when there is loss of the original
SIM, or when the original SIM does not work or for the purpose of converting a nano SIM to a
micro SIM and vice versa. In the SIM replacement application the full address of the applicant is
not mentioned. As referred to already only the name of the applicant is mentioned in Ext.A9. In the
| Printed using casemine.com by licensee : National Law University Jodhpur

SIM replacement application other details are left blank. As opposed to the endorsement in the
customer agreement form in which there is endorsement that the SIM was issued after verification
and reverification, absolutely no endorsement is seen on the SIM replacement application DW2
claimed that the Punjagutta store claimed over telephone that they had seen the original of the
documents submitted as his identity proof. He also claimed just like DW2 that there is similarity
between the photos in Exts.A9 & A10 and explained that two photographs taken at different point
of time need not be similar. But as already observed this claim of DW3 cannot in any way be
sustained and indicates that even now DWs 2 & 3 want to support the culprits and not the truth.
When confronted with the question whether there is dissimilarity between these signatures, the
answer was that there are similarities. So DW3 also does not want to speak the truth in this regard.
He admitted that the original application for SIM, photo and identity proof could be scanned and
saved in their system. The scanned image can be seen only in the respective State but for
verification the photocopy of ID proof would be scanned and sent to the original stage when there
is application for duplicate SIM. To the question whether without verifying the forged identity
proof duplicate SIM was issued DW3 admitted that only the address was verified. This is a poor
precaution to avoid issue of SIM to fraudsters. It may be further mentioned that in the SIM
replacement application the reason is mentioned as loss of the original SIM. It may be reminded
that the definite allegation in the complaint is that the original SIM was active till about 4.p.m on
30.03.2012. The application for SIM replacement was submitted on 22.03.2012.So a prompt
verification of the truth of the allegation would have been sufficient to refuse the application.
Opposite parties 3 & 4 never verified whether the original SIM issued by them was active or not
before issuing the duplicate SIM. So the circumstances available in evidence overwhelmingly
show that in issuing duplicate SIM in a casual manner and thereby facilitating hackers to gain
access to the accounts of the complainant opposite parties 3 & 4 have committed grave deficiency
in service.

14. Complainant has alleged that opposite parties 1 & 2 have committed deficiency in
service as well. Admittedly, the complainant held to accounts in the second opposite party branch
of the Axis Bank. The disputed transactions happened on 30.03.2012 and 31.03.2012. 20 transfers
were effected from the two accounts of the complainant 18 of which were two various branches of
the first opposite party bank itself but outside Kerala. The remaining two transfers were to
accounts held in a branch of the ICICI Bank and Kodak Mahindra. Those transfers were also made
to accounts outside the State of Kerala. According to the complainant in effecting these transfers
opposite parties 1 & 2 committed deficiency in service. Complainant has a case that the internet
banking system of opposite parties 1 & 2 is such that the system can be easily hacked. Further
opposite parties 1 &2 have violated the Reserve Bank of India guidelines in maintaining the
internet banking system. They also violated the KYC (know your customer) norms. There was
inaction on the part of the bank in recovering the amounts transferred to various accounts in the
branches of the bank after they came to know of the illicit transfers. The bank failed to exercise

-9-
 due care and caution in effecting the internet transfers. The complainant has a further case that the
customer id and password were actually leaked from the bank.

15. On the contrary opposite parties 1 & 2 contend that the user id security password and
other details of the complainant were compromised by the complainant himself. Opposite parties 1
& 2 have a technically sound system of internet banking. Immediately on coming to know of the
involvement of the fraudsters steps were taken to block the beneficiary accounts. The bank has
very well co-operated with the investigation by the police officers. That was why fraudsters were
arrested and police filed charge sheet against them.Ext.A11 is the copy of the charge sheet filed by
the Ernakulam Central Police before the Chief Judicial Magistrate Court, Ernakulam. Charge sheet
| Printed using casemine.com by licensee : National Law University Jodhpur

is filed against 11 accused for having committed various offences in connection with the fraudulent
transfers of money from the account of the complainant. All the accused hail from outside the State
of Kerala and scattered all over India. It is in the above background opposite parties 1 & 2 contend
that the user id security password and other details were comprised by the complainant himself.
This contention is not a serious one taken in the version of opposite parties 1 & 2. DW1, who was
the Manager of the Kochi Branch of the Axis Bank insisted that phishing attack generally happens
when user id and password are compromised by the customer himself. But in the version of
opposite parties 1 & 2 it is admitted that on getting message on 31.03.2012 about the credit of
Rs.50,000/- in the account of the complainant, he directly logged into the net banking. However he
could not operate the same as the fraudsters changed the password user name etc. Further phishing
attacks are very common these days by which the miscreants obtain the customer’s credentials
through social engineering. It will be pertinent to mention here that malicious ‘ Trojans’ are also
cause for serious threat these days. These ‘Trojans’ are malicious programs which automatically
enter the computers of users through use of the internet and keep running in the background
without the knowledge of the users and their identification credentials including passwords are
liable to be stolen by these ‘ Trojans’. Simple Trojans are called keystroke – loggers’. There are
crime syndicates which control the ‘Trojan’ drop boxes and use these credentials to dupe the
customers. There fore it is possible that the customer may be innocent and credentials were
compromised through Trojan (Paragraph 7 of the version). In paragraph 9 of the version the
contention taken is that in the instant case fraudsters logged into complainant’s account using log
in id. Log in password and transaction password and other details which he has compromised
knowing or unknowingly and further using the duplicate SIM card procured in the name of the
complainant and not that bank’s system was hacked. It is further contended that the complainant is
an innocent victim of internet fraudsters and bank had no role directly or indirectly in the
fraudulent phishing attack that happened in the account of the complainant. As rightly pointed out
merely because complainant’s accounts were hacked the employees of the bank cannot be held
responsible There is no evidence regarding their role brought out even in the criminal
investigation. The nature of the transactions and available evidence show that only the
complainant’s accounts were hacked on that day. There is also no evidence to show that
complainant knowingly compromised his user id password etc. As admitted in the version he was
an innocent victim of the internet fraudsters who hacked his accounts and secured vital details such
as login id password etc. Once that was done the careless issue of duplicate SIM made the task of
the fraudsters easier. By using the duplicate SIM the fraudsters could easily get the one time
password from the bank and effectively execute the transfers from the accounts of the complainant.
From the stage from which fraudsters used the duplicate SIM no deficiency in service can be
attributed on the part of the bank.

16. Coming to the contention that by not recovering the money from the various branches of
the bank to which 18 transfers were affected, the bank has committed deficiency in service it
appears that as soon as the fraudulent transfers were brought to the notice of the bank those

-10-
 accounts were blocked. But by that time the fraudsters had withdrawn the money after leaving
meagre amount in the accounts, using ATM facility. What is lacking is specific proof to establish
this contention. The fact also remains that opposite parties 1 & 2 have easily permitted the
fraudsters to exceed the limit of transfer of money permissible in a single day’s transaction.
Regarding the allegation that the RBI guidelines as well as KYC norms were violated it may be
mentioned that these are for guiding the bank itself and there is nothing to indicate that the RBI
had found the bank responsible for such lapses. The complainant has a further contention that the
bank should have insured his accounts but this is a policy matter and cannot be extended to a
single individual.
| Printed using casemine.com by licensee : National Law University Jodhpur

17. In short, from the available evidence it can only be concluded that the complainant is in
no way responsible for the fraudulent transfers effected from his accounts. Equally the bank was
not directly responsible. It cannot also be stated that the bank had not co-operated with the
investigation. Regarding the attempt to block the money already transferred, there is no convincing
evidence to show that prompt action was taken. There is also laxity on the part of the bank in
allowing to exceed the limit of transactions for a single day.

18. There is yet another aspect to be emphasised in fixing the liability of opposite parties 1&
2. As held already the complainant is an innocent victim of the fraudsters. In such a situation when
money is lost while lying in the account of the opposite parties it is only just and proper that they
reimburse the loss of the complainant. The bank held the money in trust for the customer. So it is
unjust to ask the customer to bear the burden. The fact remains that opposite parties 3 & 4
provided the opportunity for hacking and made the task easier by casually issuing duplicate SIM.
Hence if so advised, opposite parties 1 & 2 can opt to proceed against opposite parties 3 & 4 for
reimbursement or contribution of the money ordered to be paid by this commission. But in view of
the clear deficiency in service committed by opposite parties 3 & 4 and the legal position as
explained with regard to opposite parties 1& 2 the complaint is liable to be allowed against all the
opposite parties.

19. Regarding the compensation claimed since we propose to award reasonable interest for
the amount of Rs.11,14,500/- admittedly transferred from the accounts of the complainant only
reasonable compensation need be allowed towards the mental agony and incidental loss suffered
by the complainant which we fix at Rs.5,00,000/-.

Point No.2

See the order below.

In the result, the complaint is allowed directing the opposite parties to pay jointly and
severally an amount of Rs.11,14,500/- with interest at the rate of 9% per annum from 31.03.2012
till date of payment, Rs.5,00,000/- as compensation and Rs.10,000/- as costs. The order shall be
complied with within two months from the date of receipt of copy of the order.

K.CHANDRADAS NADAR : JUDICIALMEMBER

-11-
 A.RADHA : MEMBER

APPENDIX

List of witness for the complainant

PW1 - Dr.Shabbir Khan Rajan Rawther

| Printed using casemine.com by licensee : National Law University Jodhpur

List of exhibits for the complainant

Ext.A1 - The statement of accounts of Account

No.910010019342222 from 02.11.2011 to 02.04.2012 of

the Axis Bank.

Ext.A2 - Statement of Accounts of Account No.911010056711558

from 02.11.2011 to 02.04.2012 of the Axis Bank.

Ext.A3 - The F.I.R and F.I.S of Crime No.840/12 dated

01.04.2012 of the Central Police Station, Ernakulam

Ext.A4 - Copy of the lawyer notice issued by the Babu.S.Nair,

Advocate, dtd : 09.04.2012

Ext.A5 - Copy of the lawyer notice issued by Babu.S.Nair,

Advocate dtd : 10.04.2012.

Ext.A6 - Copy of the reply notice sent by D.G.M. Legal, Vodafone

Cellular Ltd, dtd : 02.05.2012

-12-
 Ext.A7 - Copy of the reply notice sent by President and head

(Law), Axis Bank Ltd, Mumbai dtd : 23.04.2012

Ext.A8 - Post graduation study offer letter

| Printed using casemine.com by licensee : National Law University Jodhpur

Ext.A9 - Copy of customer agreement with the copy of ID proof

Ext.A10 – Copy of the forged ID proof

Ext.A11 - Copy of the charge sheet filed by the Ernakulam Central

Police before the Chief Judicial Magistrate Court,

Ernakulam

List of witnesses for the opposite parties

DW1 - Vancheswaran G

DW2 - V.C.YYashoda

DW3 - Gishin J Jacob

List of exhibits for the opposite parties

Ext.B1 - The original of the authorisation letter issued by

opposite parties 1 & 2 to the deponent dated

30.04.2014.

Ext.B2 - The true extract of the online fund transfer facility

Details downloaded from the online web portal of the

-13-
 opposite Party no.1

Ext.B3 - The notarized copy of the acknowledgment dated

11.04.2012 given by the office of the Circle Inspector of

Police, Ernakulam Central.

| Printed using casemine.com by licensee : National Law University Jodhpur

Ext.B4 - The true copy of the Master Circular on know Your

Customer (KYC) norms notified by the Reserve Bank of

India (44 pages)

Ext.B5 - The true copy of the circular issued by M/s.Axis Bank

on KYC norms dated 03.02.2010

Ext.B6 - The true copy of the circular issued by M/s.Axis Bank

on KYC norms dated 13.08.2010.

Ext.B7 - Copy of Republic of India

Ext.B8 - Copy of seizure mahazar

Ext.B9 - Copy of e-mail letter dated 30.03.2012.

K.CHANDRADAS NADAR : JUDICIALMEMBER

-14-
 A.RADHA : MEMBER

Be/
| Printed using casemine.com by licensee : National Law University Jodhpur

KERALA STATE

CONSUMER DISPUTES

REDRESSAL COMMISSION

SISUVIHARLANE

VAZHUTHACADU

-15-
 | Printed using casemine.com by licensee : National Law University Jodhpur

Be/

-16-
JUDGMENT DTD : 09.11.2016
THIRUVANANTHAPURAM

CC.NO.47/12