Bank of Baroda (BoB), India's second-largest public sector bank (PSB), linked the mobile numbers of strangers to boost registrations for its app, 'bob World', thus compromising the security of the account-holders and the mobile users, says a report.
Quoting an official, who does not want to be named,
a report from Al Jazeera says, he and his colleagues were given a task on 24 March 2022 to sign up customers for the Bank's new app, 'bob World', which was launched six months earlier. The officer's branch was given a target of on-boarding at least 150 existing Bank customers.
"He and his colleagues learned of a workaround from peers in other branches: fetch the list of bank accounts not linked to mobile numbers, link these accounts to any mobile numbers they could gather – of bank staffers, sanitation and security workers and their relatives—to generate the one-time password (OTP) needed to join the app and sign up these accounts from the back end. The employees would then deregister these customers from the app and reuse the same mobile number in the same manner with other bank accounts," the report says.
According to the report, BoB employees from other states—Uttar Pradesh, Rajasthan, Gujarat and Jharkhand—also confirmed this widely prevalent modus operandi.
A retired executive from Gujarat has sent five emails to BoB’s top management highlighting these irregularities. He shared these emails with Al Jazeera on the condition of anonymity.
The email he sent in February last year, after his retirement, reads: "Activation of bob World is given so much pressure that almost a fraud-like situation is arising, and in the accounts of customers, mobile number of branch head is updated for activation … A very big fraud is in the offing."
In a tweet, We Bankers Association shared screenshots highlighting messages and emails sent by management to branches to organise an activation drive for the bob World app.
According to the Al Jazeera report, internal emails from BoB acknowledged that the safety of tens of thousands of Bank accounts was at risk since they were linked with strangers' mobile numbers.
Emails shared by the Bank official show that branches were asked, in January 2022, to conduct a discreet inquiry about mobile numbers linked to multiple accounts and, in light of those inquiries, to recommend whether the mobile numbers should be withdrawn.
"The clean-up was to take place in stages. First, the phone numbers that were illegally linked to a maximum number of accounts – 100 or more – had to be de-linked. This was followed by mobile numbers linked with 50-plus accounts and later those with 30 or more accounts," the report says.
Al Jazeera also shared screenshots of these emails. One email shows that in the Bhopal zone, close to 1,300 mobile numbers were tied to anywhere from 30 to 100 Bank accounts, putting nearly 62,000 Bank accounts at risk. "That is, on average, 47 bank accounts linked to a single mobile number. The bank's policy states that one mobile number cannot be linked with more than eight accounts, and only if all these accounts are of the same family."
Another official, whose name has also been withheld by the news portal to protect him from retaliation from the Bank, executed such a clean-up drive last year and told Al Jazeera that most of the duplicate numbers turned out to belong to Bank staff.
Even as higher offices were removing bogus mobile numbers, branches were allegedly adding bogus numbers in bulk to meet their bob World targets, the report says.
While the first official told Al Jazeera that many frauds on the bob World app are due to linking bank accounts with the staff's mobile numbers, the second official says, when someone without a mobile number opens a bank account the staff enters their own or other officials’ mobile numbers as the customer's mobile number to complete the mandated procedure.
The second official, who was nodal officer for BoB's campaign for bob World enrolment, says, the practice of linking staff's number to a customer's account for the app is an open secret and came in handy during the campaign.
BoB launched bob World in September 2021 as a part of its ambitious push to go digital. The Bank claims the app now has five million users.
However, aggressive enrolment goals spurred bad behaviour. Al Jazeera says, the internal chatter about what allegedly transpired during the 24th March sign-up campaign, spilled out on social media the next day, and Bank employees openly called out the bank's management.
The outrage died in Twitter's echo chamber of a few Bank employees and was not reported in the media, the report says, adding the first official says his regional office stopped harassing branches for bob World enrolment thereafter, but he heard from a colleague in the Bank's branch in rural Uttar Pradesh later last year that they still faced pressure for bob World sign-ups and were resorting to deceptive solutions.
When asked, a spokesperson of BoB told Al Jazeera that “The bank has a robust system with the necessary controls in place. The bob World mobile banking app cannot be linked to the same mobile number more than once. Further, to register or update a mobile number in a bank account, customers need to visit the bank branch in person and follow a two-factor authentication process, post which the mobile number is activated after 24 hours. With regard to your question on the linking of bank accounts to one mobile number, the bank has restricted the seeding of one mobile number to eight customer IDs, provided that the registered [postal] address is the same. This facility offers convenience to customers belonging to the same family.”
In BOB world app,Payees details created with netbanking app on desktop,does not get automatically ported to BOB world app.
BOB HO directed me to my Mumbai Shimpoli Borivali west home branch.
ALL senior officials of BOB home branch are clueless about BOB world app and its options.
MOST PATHETIC PUBLIC SECTOR BANK-UN PROFESSIONAL,UN ACCOUNTABLE ,IN EFFICIENT EMPLOYEES AND MAY BE FRAUELENT WAY OF OUT SOURCING WORK OF BANK ACCOUNT HOLDERS APPS.