Regulator blames bKash for mobile money theft

The recent mobile money theft in Chittagong would not have been possible unless some bKash officials had been involved, the telecom regulator alleged yesterday.

Explaining the incident, in which Robi SIMs were used by two individuals to withdraw money from several bKash accounts, an official from the regulator said there was no loophole in the biometric registration system.

"The victims' SIMs were not re-registered with biometrics and the criminals took advantage of this," said Brig Gen Md Emdadul Bari, director general of the systems and services division at Bangladesh Telecommunication Regulatory Commission.

It appears that the crooks withdrew 157 SIMs from the telecom operator re-registering them in their own names under the biometric system.  Later, the wrongdoing was discovered thanks to the biometric system, Bari said. "This shows that biometric verification is a tool for the law enforcement agencies to track the real criminals," he said at a press conference at BTRC office.

The bKash transactions also require personal identification numbers (PINs), which the criminals obtained somehow, he added.

On Sunday, Chittagong police arrested two men on charges of stealing money from the bKash accounts of some people by fraudulently collecting their Robi SIM cards registered with biometric details.

The telecom regulator also asked Robi on Tuesday to explain how the fraudulent activities took place through the use of its re-registered SIMs.

Zahedul Islam, spokesperson for bKash, said, it is assumed that the victim might have disclosed his/her PIN unwittingly or the criminals have tricked the person to know the PIN which was subsequently used to draw money from the victim's bKash account.

Deposit in bKash account is protected by individual's PIN, which a customer creates when he/she registers for a bKash account, he said. 

"Only the accountholder has knowledge of his/her PIN. Each transaction a customer makes is authenticated by entering the PIN by respective accountholder. In case of a SIM replacement, the bKash account is automatically deactivated for a period of 24 hours to 36 hours as per agreed arrangement with all mobile network operators." 

However, after the incident, fear and confusion spread over whether the SIM re-registration process was safe and secure.

BTRC said there is no glitch in their process; as all the mobile users are now coming under the biometric re-registration process, some fraudulent activities will surface in the next few days.

"The same thing could have happened earlier. But there was no system in place that could detect the criminals," said Bari.

Ekram Kabir, vice president for communications and corporate responsibility of Robi, said they have checked all the numbers to make sure that those were re-registered following all the regulations. "So there is no problem from our part."

In a statement, Robi also said if a subscriber has a mobile money wallet and if that SIM is replaced, then the mobile banking account or the wallet is automatically made inactive or frozen.

In that case, the subscriber needs to re-activate that account by contacting the respective mobile money provider; in addition, the use of mobile money services requires a password or PIN, the statement said.

"In the reported incident, unless all above controls have failed and the PIN has been compromised, it is not possible to access the mobile money account of a subscriber by a third party," Robi said.

Analysts from the industry said if re-registered SIMs are replaced without authentic subscriber verification, then any re-registered SIMs can be used in any crime and the first user will fall in trouble.

Robi said the biometric verification of SIMs of all subscribers is in progress and biometric re-verification is mandatory when it comes to SIM replacement as well.

At the press meet, BTRC also said 9.7 crore SIMs were re-registered as of May 22, while the number of active mobile connections in the country is 13.19 crore.

BTRC Chairman Shahjahan Mahmood said the last date for re-registration for the existing SIMs is May 31 and there is no chance of an extension.

In response to a query, Bari said, "After May 31, we will reconcile the data from the operators and the Election Commission. It will then be open for subscribers and anyone can know how many SIMs were registered with his/her national ID card."

BTRC Vice Chairman Ahsan Habib Khan and Secretary Md Sarwar Alam were also present.