Thirty-eight-year-old Anisur Rahman had decided to send his sister BDT 10,000 through a bKash outlet on his way home from work. Eid was nearby and his sister needed some extra cash. Upon reaching the outlet, Anisur discovered that he was not the only one who urgently needed to transfer money. He was asked to write down his sister Jakia Sultana's account number and wait. A few minutes later, the agent informed Anisur that his money had been transferred and asked him to call Sultana to confirm.
When Sultana was called, she told her brother that she had received a text from bKash but was yet to check it. Barely seconds later, Sultana received a call from an unknown number. The person at the other end told her that he had mistakenly sent her BDT 15,000 instead of BDT 10,000 and then asked her to send BDT 5000 back immediately.
The stranger asked Sultana to hurry up since her brother, Anisur, was waiting at the bKash outlet, adding that he couldn't call her since he did not have any balance on his phone. Sultana immediately returned BDT 5000 to the number that called her. However, moments later, Sultana got an SMS which showed that she had only BDT 5000 left in her account.
A shocked Sultana rang the caller back, only to find the number unreachable. When she narrated the entire incident to her brother, Anisur went back to the bKash outlet and confronted the agent. The agent claimed to know nothing about the incident and showed Anisur his call list and the messages that he had dealt with in order to prove that he had no involvement.
The case of Anisur and Sultana is not an isolated one. According the Dhaka Metropolitan Police (DMP), incidents like these spike right before Eid. Detectives arrested 14 members of a gang in and around the capital on August 29 involved with swindling BDT 13.50 lakh from hacking a bKash account.
Azharul Islam, Senior Assistant Police Commissioner, Cybercrime Investigation Centre (CIC), explains the process that these swindlers follow.
“There are a number of people who sit around at popular mobile banking outlets, waiting to take a picture of the register (which contains details of the transactions, such as the date, time, mobile number, transaction amount, etc.) and send it to their fellow gang members via Facebook Messenger, Viber or Whatsapp.
“They then start calling the numbers from different SIMs. Since the calls come almost immediately after a normal transaction, people tend to believe the story and send the money back without checking their account,” says Azharul.
Aside from this kind of incidents, the police have also recorded cases where victims get fake calls from people who claim to belong to well-known banks and telecom companies and state that they have won first prize in a lottery and that the winner needs to send a minimal amount of money to complete the formalities.
“On an average, we receive 30–40 complaints per month from people being cheated through various mobile banking outlets,” says Azharul.
Speaking to Star Weekend, Shamsuddin Haider Dalim, bKash's Head of Corporate Communications, explains that there is no way that the bKash server can be hacked.
“If the muggers want to withdraw or transfer money using a cloned or different SIM, the bKash account will be automatically closed,” says Dalim.
Dalim believes that if agents and account holders are more aware of the dubious activities that take place at times, the number of fraudulent activities can be decreased significantly. “We continuously train our agents and provide them with manuals on how to be safe while transacting money. Additionally, there are awareness building campaigns through mass and social media, like TVCs or newspaper advertisements so that the account holders can act wisely,” he says.
Mahbubur Rahman Alam, Assistant Professor of the Bangladesh Institute of Bank Management (BIBM) and a cyber security expert, however, is of the opinion that there just aren't enough awareness programmes to make the major stakeholders of the service conscious.
“It is said that there are trainings for the agents, but are those sufficient? We are happy that we have over five crore mobile banking account holders and seven lakh agents in the country, but do the authorities monitor these accounts properly? How can we get the necessary information from these accounts that are being misused?” he asks.
However, Dalim assures that bKash does monitor the activities of agents as well as customers through records of the transaction histories maintained by the data centre and the control room. bKash also preserves the hardcopy of the 'Know Your Customer (KYC)' forms that contain the personal information of the customers including photos and NID numbers.
Transactions through mobile banks have crossed the 1000-crore-per-day average June this year. Currently, 17 mobile financial service licence holders are in operation and two operators— bKash and Rocket—dominate 99 percent of the market share. These numbers are likely to increase in the near future and that means the sector needs to take mobile banking security to the next level.