Showing posts with label Scam. Show all posts

Monday, May 20, 2024

Curious Case of ICICI Bank Sending New Debit Card Unnecessarily

I got an email from ICICI bank saying my debit card was due for renewal and if I had any change in address, I should update using either net banking or by visiting the nearest branch. I happened to recall that my debit card was not that old, and it should not be due for renewal. Hence, I checked my debit card physically and found that its validity lay 4 years ahead in the future. Why should the bank send me a new card 4 years in advance? If there was a big technological change (e.g. when chip cards were introduced) or when big regulatory changes happen, it could be justified, but not now.

I checked my email text and it had mentioned the last 4 digits of my debit card, and they did not match my existing card.

I logged into my net banking and went to the debit card tab, and it displayed my debit card and its last 4 digits matched the number mentioned in the email! It seemed the bank had already updated the new card it planned to send with my customer ID.

Hence, I called up the customer care number. The guy said he would verify and needs a few minutes. As the call went on a while and he put it on hold since it was taking time in his system to fetch data, I thought to re-verify my debit card number in my net-banking, just in case he asks any other info. And this time, I saw that the debit card number had changed and now it displayed my existing card number! 

As predicted, the customer care executive came back online and he said that he could now see that my existing card number was still mapped, and its validity was still remaining, so I should ignore the email since the bank won't be sending me a new card.

I was shocked. How could the debit card number change in my net-banking record, without someone doing something to update it?

I thanked him and went back to ignore this episode. But not without a suspicion that most likely the bank was pushing some of its "costlier" debit cards to me "forcefully" and since I called customer care and demanded an answer, they abandoned their plan. I shall still be watchful if the same happens again in future. And you should too.

- Rahul 

P.S.: I got a call from the bank afterwards and the executive verified my details and upon learning that my existing debit card is Mastercard, he said the reason why the bank had tried to send a new debit card was because I had Mastercard while the bank was now issuing Visa. Again, this explanation looked suspicious because as per a recent direction from RBI, banks are expected to give a choice of card network to the customers. Hence, ideally, the bank should ask me if I wanted a Mastercard/Visa/RuPay card and hence the explanation that the bank was sending me a Visa card did not look credible. Also, his acceptance that the bank was sending me a new card was contrary to the initial feedback from the customer care executive, who denied any such attempt to send a new card to me. Hope the governance of the bank is in safe hands and they are not doing some unethical business practices.

Thursday, August 15, 2019

How my Uber Account was Hacked and Money Stolen from my Paytm Wallet


Early this year, my Uber account was hacked by someone and money was deducted from its connected Paytm wallet. I had raised this issue with Uber Customer Care, but they were hopelessly indifferent in helping me. I would describe the sequence of events that unfolded, so that you can beware and try to avoid similar situations with your Uber account. 

I use Ola Cabs as a cab hiring service frequently; but I have also installed Uber app and use it in the rare occasions when Ola cabs are not available. For convenience I had also attached my Paytm wallet with my Uber account. 

Warning-1

Once I realized that I had started getting SMS on my cellphone for a while, which came with an OTP for login into the Uber app, which I had never requested. It did occur to me that maybe some hacker was trying to make login attempts, but I thought that since the phone was with me, he would not be able to succeed. I was also very busy in office and did not get time to log into the Uber app, which I seldom used anyway, and to check if everything was okay in there.

Warning-2

I used to receive some emails from Uber which I used to ignore, since I was not using their service frequently. After my account was hacked and when I tried to investigate, I saw that Uber had sent me an email once saying that my email ID was changed in my Uber account. But I had not changed it! When I logged into my Uber account after my account was hacked, I could see that the hacker had put some other email ID (email ID still beginning with letters of my name “Rahu”…).



Warning-3

During my investigation I also found that Uber had sent me an email telling me that my Uber account was logged into a device in Russia! I had not seen this email because I was not using Uber those days and hence did not know about it.


Later, using the above IP address, I could check more about it on websites and also reported it for scam on below website: 


Main Event

One evening while I was in office, I received an SMS from Paytm that an amount was deducted from my Paytm wallet. I was too busy to think about it. After returning home, it came to my mind that on that particular day I had not really used Paytm. So I opened my Paytm app and saw that the amount was deducted as a charge for taking an Uber ride (which I had not taken). So I tried to log into my Uber account and when I logged into the Uber app, I found that all my travel history was erased. There was not even a record of that trip which caused the money deduction from my Paytm account!


Customer Care Help

Realizing there was something wrong; I called up the Uber customer care. They checked the data from backend and said that they were also not able to see any travel history and they could not understand why my Paytm wallet was charged by Uber (they were able to see that Uber had charged my wallet). But they declined to help me and asked to approach Paytm for reversal of the transaction. 

I reached out to Paytm with this request, but Paytm told me that only the App which charged my wallet would be able to revert (credit the amount) to my wallet. It is natural; just like it happens in banks. Once we withdraw an amount from our account, we can’t ask the bank to “reverse” the transaction. We shall need to make another transaction and deposit the money in the account once again. Frustrated at the illogical suggestion by Uber customer care, I called up the customer care once again. But there was a bigger surprise to come!

As I was talking to Uber Customer Care, in the meanwhile I received an SMS that another amount was deducted from my Paytm wallet. I checked and found that the hacker had taken another fake ride and charged my wallet. Uber customer care once again declined to help, saying they could not see any ride taken in my travel history and they asked me to reach out once again to Paytm! 

I searched the internet to find any clues and found that there is a practice of “Ghost Rides” that are taken by hackers using some other person’s account. So it seemed that the hacker was from Russia (that is how my account was logged into his device in Russia – as per Uber’s email) and he had taken 2 rides in Russia using my account; and money got auto-deducted from my wallet. 

In the meanwhile, I did some transactions and emptied out my Paytm wallet to make the balance amount zero. I also removed all linked wallets and cards from my Uber, Ola and all other apps I could remember. 

I sent a written complaint to Uber support but every time they just called me up and told me the same: that they won’t be able to help and I had to ask Paytm to get my money back. After chasing them for several days, I decided to quit. I deleted my Uber app and resolved not to use such an unsafe and insecure app again.


The Lessons

The lessons I learnt from this episode are:
  1. Keep checking all SMS and emails that you receive from such apps; even if you are not using those actively
  2. Do not “save” card details or link wallets in apps which you do not use frequently. It is better to connect as and when needed 
  3. Several times “cash” option is still the safest option
  4. Do not assume that the Customer Care will be able to help you; sometimes they are useless and apathetic 
  5. Do not keep so many apps in your phone that you forget what all you have got. Keep the minimum ones which you use regularly and for those apps which you use once in a blue moon, install when needed and uninstall after use

Hope my blog post describing my experience would have opened your eyes to this type of scam. You can also search the internet to know more about such scams and be better prepared if anything wrong happens to you.

- Rahul Tiwary