Serious Security Breach at HDFC Credit Cards & IT Systems – Advisory

In the month of May 2014, there was an Unauthorized Transaction on my HDFC Bank Credit Card that happened in New York, USA while the card and I were present in India. It was not an online transaction, as my card is secured by Verified by Visa / MasterCard SecureCode. I raised a complaint with HDFC Bank's Card Division by filling out their Dispute form, and the bank duly refunded the disputed charge, but not without several rounds of correspondence, including one with the ombudsman.

I duly blocked the card and asked for new plastic. To my surprise, I found that another transaction had happened at the same merchant within 3 days of receiving the new card. This is just impossible, as I have not used the card online, so the chances of a breach happening from my end are ZERO. Also, I had blocked the Credit Card for International Transactions, and this transaction shouldn't have gone through in the first place. However, when I confronted the Customer Care executive, he said that I had set a Limit of Rs 10,000 on International Transactions and thus it went through.

[Screenshot: HDFC International Card Enable]

From the screenshot above it is evident that there are 2 features provided by the Bank: Enable / Disable and Set Limit. I raised the following questions with Customer Care and they don't have an answer.

1. When the Card is Disabled for International Transactions, where does the question of a limit on the transaction arise?
2. When it is an Online Transaction, why was no SMS Alert received for this transaction? Prove to me from your SMS Systems Log that it was sent.
3. If I had indeed conducted the transaction, give me the Date, Time and IP Address when it was authenticated by MasterCard SecureCode.

After CardBhai Advisory raised these issues with the Senior Management of HDFC Bank and their Investigation Department, the bank has taken the security issue seriously and hopes to resolve the same. But one thing I still don't understand is how the fraud happened for the second consecutive time on my Card within 3 days of activation. Where was the breach, or did HDFC let the transaction on the old Credit Card Number go through to the new one despite the old one being blocked?
