A fraudulent syndicate has embezzled Tk 2.7 million from 54 Standard Chartered Bank (SCB) Bangladesh credit card holders using a sophisticated method. Even though these customers did not make any transactions with their cards, Tk 50,000 from each account was transferred to various mobile financial services (MFS) providers’ accounts. The criminals then withdrew the money from the MFS accounts.
Incident Details
- The incident occurred in the last week of August, when the syndicate successfully transferred Tk 2.7 million from 54 customers’ cards.
- Following the incident, SCB suspended the facility to transfer funds from credit cards to Bkash and Nagad MFS accounts.
- The bank notified customers via SMS that the “Add Money” option on MFS apps is temporarily suspended for secure transactions.
- SCB has reported the matter to Bangladesh Bank and law enforcement agencies. Bangladesh Bank has already initiated an investigation.
Card Types and Security Concerns
- All 27 affected customers held Visa-branded cards.
- Attempts to withdraw money from other accounts were successfully prevented.
- Bangladesh Bank’s inspection team is reviewing the system to determine at which stage the vulnerability occurred.
Ongoing Investigation and Oversight
- The inspection team has already examined SCB, Bkash, and Nagad.
- On Thursday, the team is scheduled to visit the payment system operator, SSL Commerce.
- Bangladesh Bank spokesperson and Executive Director Arif Hossain Khan confirmed that the investigation is ongoing.
- Another official noted that within seconds of receiving the One-Time Password (OTP) on customers’ phones, Tk 50,000 was deducted from their bank accounts. Transactions are executed in multiple stages, making it difficult to pinpoint the exact weakness until the investigation concludes.
Expert Analysis
- IT expert and International Crimes Tribunal prosecutor Tanvir Hasan Zoha highlighted the issue on his Facebook page on 11 September, revealing that several SCB cardholders, including Hasin Haider, Sadia Sharmin Brishti, and Mehedi Hasan, lost Tk 50,000 each.
- He noted that OTP alone is no longer fully secure. Fraudsters can use SIM swap or cloning techniques, or extract OTPs through malware or spyware on phones.
- Zoha recommended that banks implement more secure authentication systems, such as app-based tokens or biometric verification, instead of relying solely on OTPs.
Bank Response
- Lutful Habib, Managing Director of SCB Bangladesh, told the media that the incident has been reported to law enforcement and Bangladesh Bank.
- He confirmed that no technical weakness was found in the bank’s systems; the breach occurred via the MFS “Add Money” option.
- As a precaution, SCB has temporarily suspended credit card to MFS transfers.
Comments