Background: The assistant manager
(the complainant) with the fraud control unit of a large business
process outsourcing (BPO) organization filed a complaint alleging
that two of its employees had conspired with a card holder to
manipulate the credit limit and as a result cheated the company of
INR 0.72 million. The BPO facility had about 350 employees. Their
primary function was to issue the bank’s credit cards as well
as attend to customer and merchant queries. Each employee was
assigned to a specific task and was only allowed to access the
computer system for that specific task. The employees were not
allowed to make any changes in the credit-card holder’s
account unless they received specific approvals. Each of the
employees was given a unique individual password. If they
entered an incorrect password three consecutive times, their
password would be blocked and they would be issued a temporary
password. The company suspected that its employees conspired with
the son (holding an add-on card) of one of the credit card holders.
The modus operandi suspected by the client is as follows. The BPO
employee deliberately keyed in the wrong password three consecutive
times (so that his password would get blocked) and obtained a
temporary password to access the computer system. He manually
reversed the transactions of the card so that it appeared that
payment for the transaction had taken place. The suspect also
changed the credit card holder’s address so that the
statement of account would never be delivered to the primary card
holder.

Investigation: The investigation team visited the
premises of the BPO and conducted a detailed examination of various
persons to understand the computer system used. They learnt that in
certain situations the system allowed the user to increase the
financial limits placed on a credit card. The system also allowed
the user to change the customer’s address, block and
unblock the address, authorize cash transactions,
etc. The team analyzed the attendance register, which showed that
the accused was present at all the times when the fraudulent
entries had been entered in the system. They also analyzed the
system logs, which showed that the accused’s ID had been used to
make the changes in the system. The team also visited the merchant
establishments from where some of the transactions had taken place.
The owners of these establishments identified the holder of the
add-on card.

Current status: The BPO was informed of the security lapse
in the software utilized. Armed with this evidence, the
investigating team arrested all the accused and recovered, on their
confession, six mobile phones, costly imported wrist watches,
jewels, electronic items, leather accessories and credit cards, all
worth INR 0.3 million, and cash of INR 25000. The investigating team
informed the company of the security lapses in their software so
that instances like this could be avoided in the future.
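
The pattern the investigators found in the system logs (three failed logins, a temporary password, then account changes made without approval) can be checked for automatically. The Python below is an added example, not code from the case or from the BPO's system; the log format, action names, employee and card identifiers, approval references and the eight-hour window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events (not from the case): time, employee ID, action, card, approval ref
SAMPLE_LOG = """\
2024-03-04T09:01:10 emp117 LOGIN_FAIL - -
2024-03-04T09:01:25 emp117 LOGIN_FAIL - -
2024-03-04T09:01:41 emp117 LOGIN_FAIL - -
2024-03-04T09:02:00 emp117 ACCOUNT_LOCKED - -
2024-03-04T09:10:30 emp117 TEMP_PASSWORD_ISSUED - -
2024-03-04T09:12:05 emp117 LOGIN_OK - -
2024-03-04T09:20:44 emp117 TXN_REVERSAL card-A -
2024-03-04T09:23:19 emp117 ADDRESS_CHANGE card-A -
2024-03-04T10:05:00 emp204 LOGIN_OK - -
2024-03-04T10:15:00 emp204 ADDRESS_CHANGE card-B APR-5521
"""

SENSITIVE = {"TXN_REVERSAL", "ADDRESS_CHANGE", "LIMIT_INCREASE"}
WINDOW = timedelta(hours=8)  # assumed: one shift after a temporary password is issued

def parse(text):
    for line in text.splitlines():
        ts, user, action, card, approval = line.split()
        yield datetime.fromisoformat(ts), user, action, card, approval

def find_suspicious(text):
    fails = {}        # user -> consecutive failed logins
    temp_issued = {}  # user -> time a temporary password followed 3+ failures
    alerts = []
    for ts, user, action, card, approval in parse(text):
        if action == "LOGIN_FAIL":
            fails[user] = fails.get(user, 0) + 1
        elif action == "LOGIN_OK":
            fails[user] = 0
        elif action == "TEMP_PASSWORD_ISSUED" and fails.get(user, 0) >= 3:
            temp_issued[user] = ts
        elif action in SENSITIVE and approval == "-":
            reasons = ["no approval"]
            issued = temp_issued.get(user)
            if issued and ts - issued <= WINDOW:
                reasons.append("after lockout and temporary password")
            alerts.append((user, action, card, tuple(reasons)))
    return alerts

def cards_with_reversal_and_address_change(alerts):
    # The combination in this case: a reversal plus an address change on one card
    seen = {}
    for user, action, card, _ in alerts:
        seen.setdefault((user, card), set()).add(action)
    return sorted(k for k, v in seen.items() if {"TXN_REVERSAL", "ADDRESS_CHANGE"} <= v)
```

Alerts from `find_suspicious(SAMPLE_LOG)` can then be compared against attendance records, as the investigation team did by hand.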