The Central Bureau of Investigation (CBI) on Monday registered a case of alleged hacking of a foreign travel card database and 374 unauthorised online transactions involving $1.41 million through three prepaid cards issued by the State Bank of India (SBI).
The FIR names one Sandeep Kumar Poojary, to whom the prepaid cards were issued. The primary card had an upper limit of only $200. The accused is an on-site resource of Yalamanchili Software operations team, which provides the prepaid card application.
More persons are suspected to be involved in the case registered under various provisions of the IPC and the IT Act.
The SBI, in its complaint, said manpower resources for handling the system operations was also provided by Yalamanchili Software, while database support resources were extended by IT services company MPhasis.
Wake-up call
On February 28 last year, Yalamanchili Software’s COO reported the incident to the bank, stating that the balance in the prepaid card system had been altered fraudulently for authorisation of three foreign travel cards belonging to a single user.
The authorisation had mainly happened over e-commerce websites of four merchants: Neteller.com, Entropay, Swiftvoucher and Skrill.com. These transactions were carried out from November 8, 2016, to February 12, 2017.
The primary card was issued by the bank’s NRI Seawoods branch in Navi Mumbai on November 7, 2016. Two more add-ons were issued to the user on November 29 and December 7, 2016, by the same branch.
All the merchant transactions came via VISA with the merchant country code as Great Britain, and the transaction and billing currency as U.S. dollars, according to the FIR.
Yalamanchili Software Exports told the bank that while the transactions happened on the prepaid card system, the balance appeared to have been altered manually via the Oracle Database access. Post authorisation, settlement transactions and authorisation were deleted, and also the general ledger entry.
Therefore, the balance sheet generated on the prepaid card system did not show any difference.
After the cheating was detected, SBI blocked the three cards, barred users from transacting on the four merchant sites, and revoked the privilege of application user for executing database package, said the bank.
