Standard Chartered Customers Claim to Have Lost Up to Rs. 70,000 Due to Security Flaw

Standard Chartered Bank seems to have a major security issue at the moment. People have allegedly lost more than Rs. 50,000 – 70,000 due to a simple security flaw that lets online transactions be approved without requiring a One Time Password (OTP).

The issue was reported on Twitter by Habibullah Khan, the cofounder of RAPTR games.

Habibullah says that multiple transactions have happened automatically through his Standard Chartered debit card and money was withdrawn from his account without any OTP verification. He says the transactions sometimes happen with Apple Store or Uber and he loses money every time.

He accompanies his claim with a screenshot that shows several online payments made to Apple without submitting an OTP.

What’s worse is that Standard Chartered has not admitted to having this problem, nor have they addressed it. They have only said that they are investigating the problem and it may take up to 4 months “as per Visa International association guidelines for closure”.

It is worth mentioning that Habibullah is not the only victim of this issue, as dozens of others have reported it on social media.

Standard Chartered’s Statement

Standard Chartered, on the other hand, has said that there are no problems on their end and their systems remain unaffected. The bank claims that it only happens with non-compliant merchants or if a card is used on an infected device.

Here is the official statement from Standard Chartered:

For reasons of client confidentiality we cannot share any details. Rest assured, we have robust processes and procedures in place and our systems have not been affected.


  • There is no doubt that the bank truly lacks professionalism. Not just because of this incident, but I personally had several issues and reported them to the bank, but they never bothered to take them seriously, especially the staff behaviour.

  • This is not a flaw on the bank’s end. This is how the debit/credit card works. The bank provides only the support for OTP. It is up to the vendor or their payment processor to implement the mechanism. If the vendor does not implement this system, the transaction is approved without OTP. Why do vendors avoid it? Because they need to pay extra for implementation of OTP. For example, Stripe charges 3¢ for OTP verification in case of custom pricing. Similarly, Amazon.com, Amazon AWS, and PrimeVideo.com are the world’s leading e-commerce retailers, and they will never ask you for OTP. So, the conclusion is that you cannot blame SCB for this so-called flaw. It is the responsibility of the cardholder to keep their card details secure and use them only on websites with OTP verification (aka 3D Secure authentication).

  • How much research was done before publishing this clickbait? OTP generation is dependent on the vendor; most big vendors only require OTP once, and the bank can’t control this.

    • When a customer has never visited a site and all of a sudden s/he comes to know that his/her SCB card has been charged there, whose responsibility is that? I have shared my details with SCB: that my newly issued card was only used once, from SCB credit to SCB current account, and nowhere else. How could that fraudulent person come to know about my card number, last date and CVV? It’s a serious security breach on the part of SCB. I would suggest, if SCB wants to continue this business without having appropriate security measures, they should at least buy international insurance coverage for frauds to safeguard their customers, rather than blaming their customers on media like here.

  • It’s good to know that people are sharing this. I am also a customer of SCB and faced exactly the same issue and lost Rs. 69,000 in almost 5 consecutive transactions on the same site as mentioned above, ‘Apple.com/bill’. I immediately called SCB and blocked the card. SCB has told a similar story, that they will investigate in a 6-month period as per their policy. It’s good to note that they have told you about 4 months - surprised. I am from Islamabad and mentioning my email below to remain in contact. I am seriously thinking of closing my relation with SCB but I am sure they will ask me to pay that amount before closing. Why should we pay for a security breach on their part?

  • Standard Chartered recently also had a major IT outage on 22nd and 23rd of July. It seems no media outlet including ProPakistani reported it. For nearly 24 hours internet banking transactions had issues and their resolution took up to 4~5 days. With shrinking brick and mortar branches of SC, it was a real hassle in doing any financial transactions with SCB.

