ICICI Bank Archives « Aam Janata


As soon as the demonetisation of Rs.500 and Rs.1000 notes was announced, I had said that it was a forced and public funded "bailout" of banks. This article examines news reports from the last year and explains how I arrived at the conclusion.

Please note: I am not an economist or banker or accountant or even particularly good with money or calculations. As a result, almost all the conclusions in this article are actually quoted from news reports and analysis. I have merely strung them together. I could still be wrong, feel free to argue in the comments.

As soon as the demonetisation of Rs.500 and Rs.1000 notes was announced, I had said that it was a forced and public funded "bailout" of banks. This is a phenomenon polite people call recapitalization unless the government literally dumps money into banks.

This view has not changed. But many are skeptical, saying that excessive money with banks is not good for them, as they will have to lend it out in order to earn from it. That is true, and they will have to lower interest rates and give out more loans. However, for those following the news, I'm simply presenting various things that happened in the year before the demonetisation, particularly with regard to Non Performing Assets (NPAs). Too many NPAs and the banks won't be able to function. On the other hand... pay attention here: the bank with the largest number of NPAs, State Bank of India, doesn't seem to be in as much crisis as several others, say Indian Overseas Bank. Guess why? Because with that size come plenty of other performing assets, as well as deposits, keeping the show going.

For the record, it isn't the first time that the government has forced the country into actions that end up putting money in banks. The Jan Dhan Yojana was the first. It doesn't seem to have yielded much. Then came the DBTL, where, in spite of the Supreme Court saying that citizens must not be deprived of their rights because of not having an Aadhaar, a convoluted scheme was imposed on them under which the gas subsidies provided by the state would be deposited into their bank accounts instead of people paying less for gas when buying it. Small amounts at a time, but it would end up totaling a good amount of money belonging to citizens getting deposited into the banks by the government. People were free to withdraw it, but at least some of it would hopefully remain as deposits, just as some Jan Dhan accounts would indeed see use even if most remained empty. But these are old stories.

The NPAs of banks had increased to an alarming level by the end of the December quarter last year. The then governor of the RBI, Raghuram Rajan, had been on the case of banks over NPAs for a while, and took a firm view of the matter, giving the banks until March 2017 to deal with their NPAs. Banks were to start flagging and resolving NPAs and restructured loans, and by March skeletons were tumbling out of banking closets and it was clear that the banks had been underplaying NPAs in order to show better results to investors (presumably). With the pressure on from the RBI, the banks started turning the heat on defaulters. It is no secret that banks with large corporate loans are struggling the worst with NPAs, and I can only speculate that people who knew people who knew people had a lot of money at stake. To quote from the linked article:

RBI had conducted an asset quality review of Indian banks and found many accounts that were showing stress were required to be classified as non-performing. But since banks were not classifying those accounts as NPA, the banking regulator directed lenders to classify them as sub-standard and provide accordingly. Sub-standard assets attract 15-20 per cent provisioning as compared to five per cent provisioning requirement in standard assets.

RBI had asked the banks to complete the exercise of classifying assets as NPA in the third and fourth quarter.

As a result, many banks including the likes of Bank of Baroda, IDBI Bank, Bank of India suffered record losses in the Oct-Dec quarter. Since the remaining accounts (those which were not classified as NPA in Q3), need to be classified as NPA in Q4, losses could further mount. Bankers said this has prompted the banks to call the management of the defaulting companies and ask them to make payments, which will help the lenders avoid further losses.

Incidentally, this is around the time when Narendra Modi claims that planning for demonetisation started (although there doesn't seem to be much evidence of planning going by the manner in which it has been carried out).

Soon after this, noises began about Raghuram Rajan not continuing as the governor of RBI after his tenure was complete. What happened behind the scenes is anyone's guess, and rumors and claims out in public range from Raghuram Rajan not wanting to continue to the government not wanting him to continue. Regardless, he was succeeded by Urjit Patel, who headed GSPC in Modi's Gujarat when GSPC took loans to the tune of 20,000 crore and basically had nothing to show for them, with no gas ever being produced. His closeness to Ambani (who profited majorly from the GSPC mess) as well as Jignesh Patel is well known. So, given Modi's preference for complete incompetence in areas where competence is expected being a requisite for appointments, who better than Urjit Patel to head RBI while it was overseeing banks reducing NPAs?

Unlike Raghuram Rajan's approach, where the RBI would support banks in dealing with bad loans, Urjit Patel was of the view that "bad banks" should take over the debt. It is unclear what became of that approach, or whether and what efforts continued against NPAs, but they continued to rise. Attempts by Modi (and one wonders why Modi) to get Indian state owned firms to take over floundering defaulting companies (and their debt) failed a month before demonetisation was declared by Modi. To quote from the link:

India's government is pushing state-owned steel, power and shipping firms to take over assets of private companies that have defaulted on loans, but faces resistance from them, leaving it scrambling to clear a $135 billion pile of stressed loans from banks' books.

[...]

Last month, steel ministry officials met with Modi to outline measures to revive a sector reeling under bad loans and cheap Chinese imports. Days later, in a renewed push, Finance Minister Arun Jaitley met with top lenders, including State Bank of India (SBI.NS) and ICICI Bank (ICBK.NS), steel and shipping ministry officials and some state-owned companies.

He gave the state-owned firms a list of 23 troubled steel, power and shipping companies with bad loans totaling $14.5 billion, according to government officials and minutes of the meeting seen by Reuters.

The state-owned firms were "encouraged" to buy at least one asset and take a minority stake in a company on the list.

The banks needed lots of money, and fast; otherwise, with many of them being Public Sector Banks in which the government owns more than half, the government itself would be stressed for funds. One wonders what was wrong with turning the screws on NPAs harder. The banks needed money and fast.

How could this be achieved? Well, how about if all the people in India put most of the money they had into banks and left most of it there?

What followed with demonetisation seems to be a harebrained scheme to get most of the cash in the country into banks. This is how, not only do the banks not have enough cash planned and are not even in a position to provide enough cash in the near future, we also have increasing noises about "cashless" transactions being an intent behind the demonetisation. So the money gets transferred from account to account, but remains with the banks instead of returning to the people once limits are withdrawn and notes are available again.

Then, with demonetisation leaving banks bloated with funds, some of the staggering NPAs were "written off" to reduce their burden and free the money the banks would have had to provision for the bad loans. Any taxes the government got would be a bonus (but given the expenses and waivers of demonetisation, I doubt these were the real motive).

Added feedback from someone who knows more about money than me: while the increased deposits will allow the banks to lend more, earn more, lower interest rates, etc., the interest earned by the banks and the taxes to the government will no doubt be useful toward recapitalizing the banks. As will various confiscations of deposits be.

So now the thoughtless demonetisation, with its unending new rules being pulled out of hats, has happened. Banks have a different problem: too much cash. And the methods to deal with it won't necessarily result in big profits for them. What they will do to existing loans, with the economy and thus borrowers stressed far worse, is anyone's guess.

Finally, how do I know that this is really a bank bailout and not a coincidence? Well, now that things are going south with the demonetisation, the usual process of protecting Modi from the consequences of his own actions has already begun. From being "Freedom at Midnight", Modi's project planned meticulously and in complete and necessary secrecy for 10 months, the story now is that the RBI and Finance Ministry presented the demonetisation plan to Modi in a manner that "turning down the scheme was out of the question". And guess why (emphasis mine):

Prime Minister Narendra Modi is working “more than ten hours a day” just on ensuring that the 8 November money measures announced by him ensure a smooth landing for the economy rather than turbulence. This despite the fact that the plan actually owed its origin to the Reserve Bank of India and the Ministry of Finance, who persuaded the PM to go forward with an idea which will affect (and has affected) over a billion citizens of this country. Prime Minister Modi showed moral courage in coming forward and accepting ownership of the currency swap scheme announced on 8 November, and has since then publicly backed every twist and turn in that policy by the monetary and fiscal authorities. Senior officials say “Prime Minister Modi was presented with the issue in such a way that turning down the scheme was out of the question”. Through the plan, concerned officials wished to “shield those in high positions in banks across the country from the consequences of the crony-oriented lending that they had been doing, specially since 2006”, the year when Narasimha Rao’s liberalisation policy was fully substituted by the UPA into a faux Nehruvian economic policy that combined Fabian socialism with Wall Street ways. “Officials argued that a windfall of up to Rs 550,000 crore would flow to the banks through the enforced extinguishing of currency notes issued by the RBI, and that this would recapitalise several banks that were in effect bankrupt, thereby allowing them to lend again”. The Prime Minister was assured that “steps would be taken to ensure that the common man suffered minimal discomfort” and that “the informal economy would accelerate its absorption into the formal without jobs being affected”. It needs to be mentioned that it is the formal sector that is responsible for not repaying bank loans of a value crossing Rs 750,000 crore, which will be several times the value of tax evasion by the informal sector. 
NPAs are being written off by banks at an accelerating pace over the past six years, with still more businesses declaring themselves unviable by the month.

I rest my case.

HDFC Bank: Pawn your wife's gold now -- No documents needed!

9th October, 2016: A lot of HDFC Bank customers are having a bad experience. Some are even having nightmarish experiences... and it's all thanks to the fine art of glibly selling them financial instruments and other stuff they don't need. One friend wrote to me after reading my recent article about how HDFC Bank routinely abuses its customers' trust and fiduciary relationship, saying, "Krish, your gripe about HDFC Bank exceeding the limits of fiduciary relationship is absolutely correct. But why pick on HDFC alone? I get similar spam mails from ICICI, Kotak, etc. Upon complaining, I was told to read the last line of these mails and unsubscribe if I did not want to receive such mails."
My reply to his query: "I picked HDFC because I have experience of its activities at first hand. But I also wrote about SBI Mutual and ICICI Bank in that article."
And then my friend wrote: "Here's a promo mail from AXIS Bank."
What we can see is that Axis Bank, while promoting its own credit card business, simultaneously markets multiple third-party brands. Such marketing emails violate Section 8 of the Banking Regulation Act, 1949 (Amended in 2013), which says: "Prohibition of trading... No banking company shall directly or indirectly deal in the buying or selling or bartering of goods... or engage in any trade, or buy, sell or barter goods for others..." Section 6 of the Act lists what kinds of business banks may engage in. Promoting apparel, malls, superstores etc. is not permissible.
Axis Bank's promotional email is followed by a lengthy disclaimer that threatens you and denies everything. But enough about product sales. Selling insurance products is not a legitimate banking business either, but see this email from HDFC Bank:

The bank's customer feels helpless to click "Unsubscribe" or mark such emails as spam, as they are bundled with emailed accounts statements. Saying no to spam means saying no to email statements.
HDFC Bank branches are sales points for a lot of stuff. They surround you with posters, standees, pamphlets and young relationship managers chasing monthly targets. Ask anyone for your account balance --- and you lay yourself wide open to HDFC's hardsell. Give someone your customer id and you give him access to find out how much money you have in fixed deposits, and when they mature.
HDFC Bank markets Gold Loans as an impulse purchase. "45 minutes, no paperwork" is HDFC Bank's promise. So if you are a market speculator with an itch to invest in some hot scrip, you need a few lakhs to fund this impulse purchase, and you need it now. HDFC Bank says, "Psst, psst. Raid your wife's jewelry cupboard and pawn her gold. WE WON'T ASK YOU ANY QUESTIONS! DO IT NOW."
Or, you are a housewife who has the urge to splurge without consulting her family. To her, HDFC Bank is saying, "Just go ahead, honey, pledge your gold. DON'T THINK, JUST DO IT NOW! Live for the moment!"
Having pawned off their gold, HDFC Bank's customers find that the bank personnel can armtwist or blackmail. Read this complaint from an aggrieved customer in Mumbai: "I the undersigned am holding Gold Loan A/c. No. 21114 with your esteemed HDFC Bank, Yogi Nagar Branch for Rs. 130,200/-. Last week I visited your Yogi Nagar Branch for renewal of my Gold Loan. I met a lady officer (name unknown) and informed her to renew the same and asked about details for the same. She refused to provide any details and filled one cash deposit slip with account number details and amount and told me to pay Rs.11680/- to the Teller. I paid the same at the Teller and gave the counterslip to that lady. She crossed out the account number mentioned on it and gave it back to me. The said renewal charges are not accounted to my loan account but deposited in her personal account... She has also not given the renewal documents for the Gold Loan and refused to provide the same."
Since documentation is minimized, so are safeguards against abuse. Relationship managers and other para-banking employees can play mischief. There are sad stories unfolding all over the country in the name of gold loans.
ISSUED IN PUBLIC INTEREST BY
Krishnaraj Rao
9821588114
krish.kkphoto@gmail.com
POSTED IN PUBLIC INTEREST BY
Sulaiman Bhimani
9323642081
sulaimanbhimani11@gmail.com
Note: The next article is about the nightmare of an HDFC Bank customer from whose account thousands of rupees are being deducted every month against his will through Electronic Clearing System (ECS), thanks to HDFC Bank's ability to toss documentation to the winds. Watch the "ugly" episode of this serial 🙂


October, 2016: Imagine you are having a gynaec examination. With his rubber-gloved fingers inside you, the gynaec starts a casual chat about why you should buy his home-grown brand of condoms and intimate products. Creepy? Yeah, well, but that's how HDFC Bank and other private-sector banks work. Actually, HDFC Bank is like if your gynaec collects real-time information about when and with whom you have sex, what kind of sex you are habituated to, exactly when you menstruate, what kind of lingerie and sanitary pads you are currently wearing, etc. and then this gynaec goes and hires a bunch of MBAs and college freshers, calls them "Relationship Managers", lets them hang around his clinic pretending to be gynaecologists themselves till you start feeling comfortable enough to tell them about your intimate problems.

Then your gynaec goes and gives these relationship managers access to your information on their computer screens, with monthly targets for selling you condoms, sanitary pads and other intimate products. They call you and make you feel important by calling you a preferred customer, and giving you a platinum card. So, if your periods are four weeks late, you get a call that goes like: "Good morning, ma'am, I am Nikhil, your personal banker. May I interest you in visiting our abortion clinic? Oh, you don't want to abort? My apologies, madam. May I take this opportunity to gift you an early booking in a maternity home with whom we have a tie-up? We also have a tie-up with Amazon for incredible discounts on maternity gowns and chocolate-flavoured condoms this Diwali. When can I come and meet you to book your orders?"

Bankers are routinely privy to salary details, annual income, etc. that it is their business to know. However, the salesmen and women who hang around your bank have no business to know your financial details. HDFC Bank branches have a bunch of glib young men and women who are very approachable and go out of their way to fill up account-opening forms, etc. for you. Just because they sit inside the bank, you think they are "bankers" and you never hesitate to ask them to access your account on their computers. So these sales people get to know private things such as a huge cash-flow into your accounts when your life insurance policy matures, or you take VRS, or sell your house, or book profits in the share market.

If you are flush with funds, your "personal banker" says, "Sir, can I interest you in our tax planning products to reduce your income-tax and capital-gains tax liability?" Alternatively, if you are struggling to pay credit-card bills, frequently overdrawing your current-account, breaking fixed deposits prematurely, etc., your relationship manager nudges you to take a personal loan or gold loan which he knows you are unlikely to repay in time. Loan disbursal lets him meet his monthly targets and earn commissions, and when you default on repayments, heavy penalties and foreclosure of your gold loan helps the bank reap handsome profits. Predatory lenders used to be called loan sharks and pawn-brokers! How the times have changed!

Customers are set up for systematic long-term exploitation by HDFC's bankers and non-bankers acting in concert.

Here's a real-life anecdote: An elderly couple walked into an SBI Bank branch to fill up their 15H form, so that TDS would not be deducted on their interest income. A friendly-looking lady sat them down at her desk, filled up their forms for them, and persuaded them to invest Rs 3 lakhs in SBI Mutual within 15 minutes. The only reason that the elderly folks trusted this woman is that they thought she was a full-time bank staffer, whereas she was actually a freelance sales agent!

Another anecdote: ICICI Bank organized free Aadhar Card camps in the foyers of a residential building in a posh Borivali neighbourhood. While one solitary minion sat in the foyer taking fingerprints, mugshots, etc., half-a-dozen bank officials hung around persuading the waiting people to open accounts with ICICI Bank, and visited their homes on various pretexts. And they were pushy; it was very difficult to say no to them! Why are banks so keen on opening lots of accounts? Because it "provides customer base for ongoing cross-sell through branches". In other words, every account holder is a potential customer for credit cards, loans, etc.

And now, back to HDFC Bank. Let's look at their online behaviour.
As a customer, I have given my email address to HDFC Bank to enable them to keep me informed of my account balance, etc. Here's an example of an acceptable email from HDFC Bank:
But then HDFC Bank doesn't stop at that. Here's an example of a salesman-like email, which is tolerable only because debit cards are an intrinsic part of modern banking:
But HDFC Bank doesn't stop at selling their own products either, they try selling you other companies' offerings, earning advertisement revenues like a newspaper company. Here's an example:
Surely, advertising Amazon's festival sale is beyond the boundaries of the client-banker relationship. Advertising cannot be considered a part of a bank's regular activities. Is this why we give the bank our email address? Using the bank's customer base as a captive market for selling the products of other companies is abuse of trust and misuse of the client's information!
HDFC Bank earns a large proportion of its revenues from third party product sales, fees and commissions. See this slide from HDFC's investor presentation:

Bottomline: In their mad race for year-on-year growth, retail bankers are crossing over some boundaries of the client-banker relationship. HDFC Bank is abundant in examples of this unwholesome trend.

These may not necessarily be adequate grounds for filing complaints to RBI or the banking ombudsman, or for going to consumer court. But this distasteful behaviour shows a tendency to exploit the customers' ignorance, dependency and blind trust in their banks.

[Please share your experiences. Email or call me.]
ISSUED IN PUBLIC INTEREST BY
Krishnaraj Rao
9821588114
krish.kkphoto@gmail.com


POSTED IN PUBLIC INTEREST BY
Sulaiman Bhimani
9323642081
sulaimanbhimani11@gmail.com


Below is an email by one Rajeev Bajwa to Arvind Kejriwal and Pankaj Gupta (dated March 30, 2015) complaining of irregularities in donated funds. Aam Aadmi Party should act on this person's request and take appropriate action. This email has been leaked by a dissenting volunteer of AAP.

Hello Arvind ji & Pankaj ji,

My name is Rajeev Bajwa and I am an AAP supporter from day one and one of the leading donors from New Zealand, and also one of the three POCs of New Zealand.

I am writing in regards to the CASH DONATION (Rs. 49000.00) deposited on 06/05/2014 into the personal account of Ms. Preety Mehra at ICICI Noida Branch (receipt attached).

BACKGROUND / OVERVIEW :

During the Lok Sabha (PUNJAB) Elections in May 2014, S. Kharag Singh Sidhu ji took the initiative and made efforts to do a fund raiser night for AAP, and we raised 10 lac of donations on that night.

Out of these collected Donations;

8 lac out of the 10 lacs raised by Sidhu ji was transferred via Girish Mailar's Indian passport. This caused us some trouble: we received many complaints from other volunteers that Girish accepted all thanks and credits in his individual name and projected himself as if he had donated this from his own pocket, whereas the donations were collected at a fund raiser dinner. The result was a question mark on Girish's integrity amongst all other volunteers in NZ.

2 lacs were transferred via my own Indian passport. I declared every single rupee of that on social media, giving all due credit to all volunteers and donors, especially Sidhu ji.

A couple of days before the Varanasi elections, Girish contacted me and asked me to arrange an urgent funds transfer of Rs.100,000.00 into Preety Mehra's PERSONAL account held at ICICI Noida Branch.

When I asked why we could not donate directly into the AAP official account, Girish insisted that I not transfer into the official AAP account because volunteers were not getting any funds in Varanasi and they were desperate for financial support, and Girish assured and confirmed that the request was coming from a reliable source, which includes Shalini Gupta, Prayas Chaudhary, Vijay Sirohi.

Girish further assured me & Sidhu ji that a proper official AAP donation receipt will be provided.

I discussed this matter with S. Kharag Singh Sidhu (2nd AAP POC of NZ in Auckland).

Considering the critical situation, and as explained by Girish that the request was coming from reliable AAP volunteers, we decided to go ahead; however, I decided to ring Pankaj Gupta ji for clarification on this.

I called Pankaj Gupta ji's personal mobile. Pankaj ji was very busy and asked me to call one of his assistants.

I spoke to Pankaj ji's assistant and I was told that it is NOT allowed to donate into ANY of the volunteers' personal accounts, and I was asked to provide the names of those volunteers if someone was asking to transfer funds into their personal accounts.

I further raised this feedback with Girish and Sidhu ji, that it is NOT officially recommended and is a BIG NO NO.

Girish then contacted these volunteers and provided their phone numbers in India. I spoke to Anurag; he said he was in Varanasi with Varun Gupta, that they were 20-30 people who had run out of funds and did not have any support from AAP at that stage, and that they desperately needed cash to arrange food for volunteers.

He also promised to send us photos of their current location and situation once they got a chance.

After considering all this and thinking we needed to take the risk, we (Sidhu ji and myself) agreed to Girish's request to send them money. Girish further insisted that they needed money immediately, so I had to call my father in India (Hoshiarpur) to deposit Rs. 100,000.00 into the personal account of Preety Mehra (wife of Varun Gupta, Seattle USA) held at ICICI Noida branch.

My father was very busy, so he had to send one of his employees (Manjit Singh) to deposit cash in Preety's a/c.

To ensure that the money had been received by the correct person, I tried to contact Anurag and Varun repeatedly on their mobiles, but they did not pick up my calls at all. Luckily only the first installment of Rs.49000.00 out of one lac was deposited, as you cannot deposit more than Rs.49000.00 in cash on one particular day; otherwise banks ask for further details of income etc.

Later, after raising this matter further with Girish, I was given online meeting details on fuse so that I could clarify this matter further if I wanted, but I never received any official donation receipt or any photos from Varanasi as promised by Varun Gupta and Anurag over the phone.

After two days of chasing, I received a WhatsApp message that Rs. 49000.00 had been received into Preety's account.

Till date, Varun Gupta has failed to make ANY effort to clarify this unaccounted donation received by him; rather, it seems to me that he is avoiding this matter, including me personally, on all fronts, i.e. social media etc.

I may be wrong and my observations may be wrong; I am not trying to judge any ONE person here. All I want to REQUEST of you is that you please chase this trail so that we can find out if there are any MORE similar anomalies in FUNDS transferred to personal accounts.

Regards,

Rajeev Bajwa

[Note: This email describes a donation clearly made against the advice of AAP leaders. It is also written after the current crisis in AAP emerged and as such, I see this more as a complaint of misdeeds by rogue volunteers/workers than an allegation on the party itself.]


Yash K S is a software developer. In the last year or so, his interest in identification methods led to him discovering a vulnerability in online banking that can allow a malicious attacker to use attacks like Man in the Middle or Man in the Browser to steal money from bank accounts.

He published his findings on his website. Here is my interview with him. [Note: It has been edited from the original informal chat for coherence, but the content is unaltered in meaning.] Italics are my questions.

Can you explain briefly your background, so that my readers can understand the work you do?

I have a diploma in CS after 10th; after that I joined an anti-virus company as a C programmer. I am into building system products like anti-virus, e-learning, backup & recovery. In the last 15 years I have built a lot of system products for corporates.

How did you become interested in banking transactions?

Since I worked in anti-virus for a couple of years, I continued to learn about security even though I was involved in building other products. I always knew banks are breakable. Zeus trojan, for example. This important trojan has existed for the last 5 years for western banks, but not Indian banks, and Indian banks continued to say online banking is secure compared with banks in the West. Around 4 years ago, I was trying to build a product which solves the problem of identifying on the internet, and I did an extensive study on how banks work as I built the product. Around 2 years ago, I developed a personal interest in seeing how secure Indian banks are and started analyzing Indian banks for security.

What is the basis of that claim by Indian banks - that online banking is secure compared with banks in the West?

Indian banks thought online banking is secure, since they are using the mobile device as an additional factor to add a payee before transactions. Indian banks believe mobile is secure and they are trying to use that as a second secure channel. When a user adds a payee on a PC, they send this information to the mobile with an OTP (One Time Password). Citibank and ICICI Bank both use this method. In the case of ICICI Bank, they even have an additional transaction password and grid numbers, which the user needs to enter by looking at the back side of the debit card. HSBC bank doesn't use the same methods as ICICI and Citibank; they distribute a hardware OTP (One Time Password) device, which generates a random number every minute. They assume this will not allow fraudulent transactions to happen without the user's knowledge. I believe they are not providing enough security for consumers in our country.

Who would be liable if someone stole money using the vulnerability you discovered?

If anybody loses money online, end users are liable for that loss, not banks, unless the user proves to the bank that this fraud has not happened because of negligence. Negligence means: the user must show that the user's system does not have any malicious programs which stole credentials, that the user did not give out user credentials via a phishing mail, and that the user has not logged in on some system which is not secure. This is very difficult to prove. Almost impossible, even for technical users. It becomes a user problem; the bank does not take responsibility.

Screenshot from Yash's video for man in the browser attack for ICICI

So, the bank simply washes its hands off the loss instead of fixing it? Not their problem?

In my video, what I have shown is this: if a person is transferring money to Account 100, they see in their browser that the money is going to Account 100 with some amount X, but in the back end the malware changes the data completely to Account 200 and some other amount. This is a Man in the Browser attack. The user is co-ordinating with the malware without his own knowledge, and the bank server fails to identify what is really happening in the back end. Once the transfer of money is complete, if the user views the transaction online, he still sees the same fake info, since the malware also knows how to modify transaction statements.

Malware is sophisticated and can fool both users and banks. The Zeus trojan alone has cost over $1 billion in losses at multiple banks in the West. This trojan is still alive in the wild and still causing losses, five years on.

I built a similar trojan from scratch for Indian banks and, based on it, posted videos. I have not shared the source code with anyone, keeping security in mind. I showed this vulnerability to a few banks in closed-door meetings. They were shocked to see it, but they have not fixed anything. One bank said, "Other banks might be insecure, but our bank is not." After a month or so, I went back with the trojan modified for this specific bank and showed them. They went back into denial mode.

How is it that the same vulnerability works for all banks? Don't all banks have their own systems and methods?

The same trojan does not work for all banks. All banks have separate systems, but if hacker companies write the trojan using the concepts of Man in the Browser and Man in the Middle, they can write specific malware for each bank, as I showed in my videos. If I had identified a security bug, banks could just fix the bug in the existing system. But these problems are a system flaw; there is no way to fix it just by adding some things on top. They need to replace the system itself by rethinking online banking security from the ground up.

So you are saying any bank account can be hacked? But can't this misuse be traced?

Today hackers are not individuals; they operate as underground companies. They outsource work to each other based on skill sets, like we do in normal companies. It becomes very difficult to track. In a chain, each is specialized in specific work; they complete the work, sell it and go.

What is the most important thing here?

There are important questions. Who is responsible if users lose money online due to trojans? Users keep money in the bank after solid effort, and the traditional methods of banking have always made sure to verify the person before dispatching the money. But the moment the bank exposes money via the internet to anyone who authenticates using username, password and additional factors, if a trojan can fool these factors, who becomes responsible? How can a user be responsible? He likes convenience, but he definitely does not want to lose money.

Do banks explain the online threats to all end users and make them understand before giving them an online account? Nope. It is the responsibility of the bank to provide a safe mechanism. An insecure web facility cannot be a user's responsibility. When banks cannot provide security against specific types of attacks, they need to reduce the limit per day. They need to provide insurance if they cannot solve the problem. They cannot make the customer liable, since there is no way anyone can expect a customer to know all about such threats.

And also make the risks explicit: immediate transaction alerts, phone verification?

Immediate transaction alerts exist today due to RBI guidelines, but they are of no use. If a mobile has malware which is coordinating with the trojan, then it will not even show the SMS to you.

How did banks respond to your information?

After the Citibank demo, within 2 weeks they changed the system to add some information to what they send to the mobile while adding a payee. This mitigates a little. I appreciate Citibank for their quick reaction. But if the same malware is extended to the mobile, online banking in India fails completely for all banks. Trojans (Zeus variants) already exist that perform a coordinated attack by hijacking both the PC and the mobile of a user. There are many ways to infect both PC and mobile: all smartphones connect to the internet, and many smartphone users sync with a PC. These two methods are enough to get a trojan onto a mobile. Many more methods exist too. Android has more malware than any other platform today.

ICICI Bank did not make any changes to security. Instead, they are posting on the internet saying that what I am saying is wrong. After a month, they sent a defamation notice asking me to pull down the content from my website. They have also asked me to close my personal ICICI account within a month.

HSBC, instead of solving the problems, sent people to my house on 2nd Feb, after failed attempts to bring down the content with the help of service providers. I was not present at that time; they asked my family members rude questions. I have registered an FIR. They were saying I am teaching how to hack HSBC! This is wrong! My video only shows the consequences and how it is going to affect online banking customers.

The banks succeeded in getting my account removed from Vimeo.com. Vimeo deleted my account without informing me. After 5 months, instead of fixing the problem, they are still trying to kill my content.

How many sites did your content get taken off from?

lol. YouTube, Bluehost.com, Dropbox, Vimeo.com. ICDThost.com, my current hosting provider, wanted me to remove direct links to the video, although they were polite enough in asking me. After that, my site still survives there.

My intention in not pulling down the content is this: the problem is not in one bank. ICICI Bank thought I was targeting them alone; that was not true. All banks have the same issue today in India, whether private or public. I showed this demo to RBI Bangalore. They got a glimpse of what can happen to online transactions in the country, and they wanted me to proceed further to make more people within RBI aware of it, although we could not reach the executive chairman who handles online payment settlements.

So there are positive responses too.

Yes, there is a positive response too.

We had a discussion at the National Law School in Bangalore along with a few experts, bankers and a professor of that college itself. We recorded that video. This DVD was given by the law school professor to CERT-In personally. See this: Reserve Bank of India (RBI): Man-in-browser attack - Top 100 banks of the world are reported to have experienced similar incidents. Even RBI said this last year itself. Banks are not listening to RBI either.

Basically, we need to get support from RBI and customers, and pressure banks for better security. That is the key.