When not travelling, lock the forex card, keep only a small balance, and switch on alerts
)
Listen to This Article
The recent breach involving Yes Bank–BookMyForex multi-currency forex cards has raised fresh concerns over the safety of cross-border digital payments and customer data security. Even as banks and forex card providers tighten safety protocols, here’s a guide on how cardholders should respond after a breach and the preventive steps they can take to minimise losses.
What happened
A coordinated attempt was made targeting multi-currency prepaid forex cards issued by Yes Bank in partnership with BookMyForex. Transactions were executed at about 15 merchants in a Latin American country.
Yes Bank’s monitoring systems detected an unusual spike in transactions. “While many attempts were blocked, about $280,000 (around ₹2.5 crore) was debited across 5,000 cards before containment,” says Rahul Sheth, vice-president, BUSINESSNEXT.
Modus operandi
The exact vulnerability — whether it was a data leak or a third-party compromise — is being investigated by the bank and the Reserve Bank of India (RBI).
“Criminals obtain card details via phishing, malware, or data breaches, then execute card-not-present transactions in overseas markets with weaker authentication,” says Jyoti Prakash Gadia, managing director, Resurgent India. Fraudsters often start with small “test” transactions to verify that the card is active. “After test transactions, fraudsters make larger overseas purchases in foreign currencies,” says Alay Razvi, managing partner, Accord Juris.
Transactions are often routed through international merchants or regions where two-factor verification/OTP (one-time password) is not mandatory, enabling debits even if the cardholder is elsewhere.
“Varying global authentication norms give fraudsters time to siphon funds before detection,” says Gadia.
How to respond to a debit alert
On receiving an unauthorised debit message, check transaction details in the banking or forex card app to confirm it was not done by you.
“Block the card right away using the issuer’s mobile app, customer care number, or the emergency card-blocking option mentioned in the alert message. Prompt blocking helps prevent further unauthorised transactions,” says Pavan Kavad, managing director, Prithvi Exchange. Obtain confirmation that the card has been blocked. The key is speed as fraud losses can escalate in minutes. After blocking the card, register a complaint with the cybercrime authorities. “Call the cybercrime helpline 1930 or report via national or state portals,” says Gadia. Kavad suggests checking card statements for other (follow-up) suspicious activities.
How to minimise liability
If the cardholder did not contribute to the fraud through negligence, liability is typically limited or nil. The extent of liability also depends on how quickly the cardholder reports the fraud after receiving the transaction alert. Customers can minimise liability by enabling real-time alerts, reporting suspicious debits immediately, blocking the card without delay, and not sharing card details or OTPs. Under RBI rules, faster reporting reduces the customer’s liability. “Reporting an unauthorised debit within three working days of receiving the alert results in zero liability,” says Sheth. Reporting between 4–7 working days may limit liability to statutory caps (₹10,000-₹25,000 depending on account type). Beyond 7 days, liability is determined by the bank’s board-approved policy. Final resolution must be completed within 90 days.
Refund procedure
To seek a refund, after reporting the unauthorised transaction, raise a formal dispute with the issuer. Send a written complaint (via email or official app) as proof of reporting and seek a written acknowledgement. Submit details such as amount, date and merchant name, and generate a case ID with a timestamp in the app where possible.
“You may need to submit a dispute form with transaction details and confirm it was unauthorised,” says Razvi.
After reporting, the issuer initiates a chargeback or investigation with the card network and the merchant. Refund timelines may vary depending on the nature of the transaction and cross-border rules. Prompt reporting and document submission usually speed up the process. Preserve evidence. “Keep screenshots and copies of all alerts and emails,” says Razvi. Keep a record of all communications, and follow up on the dispute or chargeback process.
RBI guidelines require shadow-credit within 10 working days of notification if the claim is valid. After investigation, the bank finalises the refund and communicates the outcome. Where the customer is not at fault due to negligence, regulatory norms favour restitution.
If bank’s response is unsatisfactory
Follow up with the bank and first escalate your complaint through its grievance mechanism. “If the bank fails to resolve or unjustly denies liability, you can escalate to the RBI banking ombudsman,” says Sheth. Documentation and timing are crucial in determining outcomes.
Precautions when not travelling
When not travelling, lock the forex card using the app. “Disable international and online use when not needed,” says Kavad. Also, use card controls to disallow ATM withdrawals. Use spend limits, geo-restrictions and blocking of unused currencies to reduce exposure. Users can also request the issuer to restrict usage in high-risk countries to reduce the risk of misuse.
Enable international and large transactions only before a trip. You should also maintain a small balance while you are in India. Also, ensure that alerts (via SMS and email), two-factor authentication, and biometric access are active on the app.
Users should keep card details such as the card number and CVV inaccessible to others and avoid storing them in unsecured apps or emails. Check statements regularly. Avoid public WiFi while accessing banking apps. Dormant cards can be more vulnerable because customers neglect regular monitoring.
Forex card safety tips when abroad
- Use card only at trusted merchants and reputed establishments
- Use only at official ATMs, inside banks or well-lit areas
- Avoid public WiFi for payments
- Carry only required balances, set daily spend limits
- Keep real-time notifications enabled, check alerts, card balance at end of day
- Block instantly if lost or if suspicious activity is detected
The writer is a Mumbai-based independent journalist
aniltikotekar4sme.com 