Saturday, May 7, 2011

Is your Bank Account safe with ICICI bank?

ICICI Bank is one of the biggest banks in India.  It is renowned for having the most ATMs (after SBI) in the country.  I always thought that ICICI Bank had a good security model to prevent online theft.

No, this post is not an advertisement for ICICI Bank; I wanted to share a strange experience that I had with ICICI Bank.  This experience exposes the security model of ICICI Bank.  On top of that, I wanted to help them correct their mistake, but they haven't done anything about it yet.

So what was the incident, how did I try to help, and what was their response?

The Incident

One fine Monday morning, I got four SMSes from ICICI Bank, informing me that for a certain account XXXXXXX12345:

  • Address has been updated
  • ATM PIN has been changed to 1234
  • Landline number has been changed to 020-30212345
  • Mobile number has been changed to 9912345678

When I got those SMSes, I was a little surprised.  I held an account with ICICI Bank, but I had never asked them to change any of this information for my account.  I had not called them with any such request, so who had called them to change all this information?  Was my bank account hacked?

After some initial anxiety, I calmed down and rechecked those SMSes.  When I reread the messages, this time a little more carefully, I realized that my bank account number does not end with "12345".  Analyzing further, I realized that I do not have a landline whose number is 020-30212345.  The surprising thing was that the mobile number was indeed correct: 9912345678 was my mobile number.  The rest of the details (except the mobile number) were in no way related to me.

The Response

By now it was clear to me that there had been a mistake.  I decided to call the ICICI Bank call center to find out what was wrong.  I cleared the IVR authentication and got my call transferred to a Customer Service Executive.  First, I wanted to confirm that my bank account had not been hacked.  I asked whether any requests had been made to change the address, phone number or ATM PIN of my account.  Thankfully, no such requests had been made for my account.

Now the question that was bothering me was: who holds the account ending with "12345", and why was it associated with my mobile number?  I asked the Customer Service Executive which accounts were associated with my mobile number.

She said there was indeed one account associated with my mobile number, and it ends with "12345".  Bingo!

Being a decent man, I told her that the account ending with "12345" is not my account.  There seemed to be a mistake because of which my mobile number had been associated with the wrong account.  She told me she could see that the account was held by a "Mr. Pathak".  She also told me that the account had been newly opened at the "Bhandarkar Road Branch - Pune".  I requested her to kindly delink my mobile number from his account.  She agreed and said this would be done in 2 days.  I was relieved.

By now I was thinking, this is such a big problem.  If someone gives an incorrect mobile number, or the bank's customer service executive makes a mistake noting down the mobile number, all vital information will be SMSed to the wrong mobile number.  I knew the other person's ATM PIN, his account number, his address and his landline number.  If this information falls into the wrong hands, anything is possible.

By now you must be thinking that the issue must have been resolved.  Unfortunately, the issue does not end here.  After about 5 days I got an SMS informing me that 25000 Rs. had been credited to the account ending with "12345".

My first reaction to this was, WTF!

I called the ICICI Bank call center again to find out why my mobile number had not been delinked.  This time they informed me that they could not delink my mobile number from "Mr. Pathak's" account on my request.  I needed to prove that the mobile number in question was actually my mobile number.  I asked them what I should do to prove it.  They said to visit the nearest ICICI Bank branch with an ID proof and the postpaid bill for my mobile number.

My reply to that was that I had no motivation to go to the bank to prove this.  It's a clear case of human error; they should have delinked my mobile number from Mr. Pathak's bank account.

I wanted to help them rectify their mistake, but they would not let me do so.  Why the hell should I waste my time?  I definitely have better things to do!

The conversation ended there.  I was frustrated: why do people stop using their brains?  Why are processes implemented so rigidly that people stop using common sense?

A few days passed, and I got two more SMSes informing me that 25000 Rs had been withdrawn from the account ending with "12345" and the account balance was 0.0 Rs.  The other message informed me that the balance of the bank account ending with "12345" had fallen below the allowed limit of 10000 Rs.

This was the limit.  I decided to actually visit the ICICI Bank branch and, once and for all, get my mobile number delinked from Mr. Pathak's bank account.  I carried a photo identification proof (my PAN card) and the postpaid bill for my mobile number.  I went to the "Shivaji Nagar - Pune Branch".

The response I got from the branch was unbelievable.  The lady at the bank said she could not delink Mr. Pathak's account from my mobile number.  I showed her my PAN card and even the postpaid mobile bill for my mobile number, with my name written all over it!

Unfortunately nothing helped; she said she could not do it.  She said it was against the processes of ICICI Bank!

I urged her that there has to be a way to do it: inform Mr. Pathak about the mistake and get him to rectify the problem.  She assured me that something would be done.  But to date nothing has been done.  I still get SMSes about Mr. Pathak's bank details on my mobile number!

How I tried to help

  • Called the call center twice to inform them about the mistake
  • Went to the bank and proved that the mobile number indeed belonged to me, but they still didn't delink it from Mr. Pathak's bank account.
  • Wasted 5 hrs of my life fixing a problem that didn't impact me much.

What should we learn from this incident?

Software is meant to reduce human effort.  Processes are meant to reduce human mistakes.  This incident is a perfect example of what happens when people follow processes and use software without using their brains!

PS: All events and conversations mentioned in this post are real.  However, all names and numbers have been changed to preserve the privacy of a certain person.
Have some Fun!