Mumbai Crime: Did app loophole help phishers hit Bank of Baroda customers?

A major loophole in the mobile banking application of Bank of Baroda BoB through which cyber criminals attacked accounts across India and are believed to have siphoned off crores was rectified after the Mumbai police pointed it out to one of their branch managers The police learnt about the technical loophole while interrogating an accused Gunilal Bindeshwari Mandal who was arrested from Bihar when he was making phishing callsFrom left PSI Pradeep Patil senior PI Suryakant Bangar and PSI Rakesh Shinde who arrested the main accusedMandal was arrested within 24 hours after a 30yearold complainant Kaiwalya Modha registered a First Information Report at DB Marg police station on November 2Modus operandiMandal told his interrogators that there is a loophole in the mobile banking application of BoB The conmen had installed the BoB MConnect app on their smartphones where they would randomly type a mobile number and if it was registered with BoB the application would generate a One Time Password OTP The OTP was a clear indication for the cyber criminals to target the mobile number said a police officerThe officer further told midday that the gang would work in the night to segregate mobile numbers to approach the bank account holders next day Just before calling his target Mandal would again type the mobile number in the app and when the OTP was generated he would call the mobile number immediately In a bid to win trust Mandal would tell his target that he was calling from BoB and did not need an OTP or the CVV number written on the back side of plastic money etc said the officerBiswas on BoB brokenDuring the conversation Mandal would tell the target that his eKYC needs to be updated and the details of his banking transactions are on his computer screen He would ask the target to punch the OTP number in the application after which a fourdigit MPIN is generated Here too Mandal would not ask the MPIN from his target instead he would give a random fourdigit number and ask him to add the same to the MPIN and then give that number to him said the officerTo get the MPIN then Mandal would then subtract the fourdigit number which he had given to his target to add to the MPIN Once the MPIN was typed on the mobile banking application he would siphon off money from the account the officer saidPhishing cases stopThe officer further added Every day we at DB Marg police station used to get at least two phishing cases related to BoB But now it has stopped as we apprised BoB officials about the loophole Their IT cell team visited our police station and rectified the issue Now there is no phishing case related to BoBBank of Baroda in its statement to midday said Bank of Barodas Mobile Banking Application is highly secured with zero reported incident of unauthorised access Customers are falling prey to social engineering attacks of trickstersfraudsters and sharing personal credentials like PIN OTP Passwords Debit Card details etc which are essential banking details to perform a transaction Our bank is continuously running campaigns to create awareness among the customers about these social engineering attacks and not to share their personal banking details with anyoneInspector crime Raja Bidkar told midday Mandal was trained by a man from Kolkata who is yet to be arrested We are trying to find how they came to know about the loophole in the banking application Our team including subinspectors Pradeep Patil and Rakesh Shinde and constable Suraj Dhaygude arrested Mandal02Day in November when the accused Gunilal Bindeshwari Mandal was arrested