RBI summons Yes Bank officials over Rs 2.54 crore forex card breach
The Reserve Bank of India (RBI) has taken a stern view of the recent cybersecurity lapse at Yes Bank, summoning senior executives to Mumbai to provide a granular “chain of events” report. The breach, which targeted the Yes Bank-BookMyForex prepaid card, highlights a growing vulnerability in international travel cards, where local security protocols such as India’s mandatory Two-Factor Authentication (2FA) are often bypassed by foreign merchants.
While the bank has moved to protect customers through the “chargeback” process, the regulator is reportedly concerned about how sensitive data, including CVV numbers, was harvested in the first place.
The Anatomy of the Breach: How it Happened
The incident occurred in a high-intensity five-hour window on February 24, 2026.
- Targeted Attack: The fraudsters focused on specific Bank Identification Numbers (BINs), allowing them to target a specific class of cards.
- Volume: Transactions were pushed through for 5,000 individual customers.
- Detection: The bank’s internal fraud monitoring triggered an alert after an “unusual increase in transaction declines,” leading to the eventual blocking of nearly ₹90 lakh in further attempts.
The Latin American Connection & 2FA Gaps
The fraudulent transactions were processed by merchants in a country believed to be Brazil.
- The Security Loophole: Unlike India, several Latin American nations do not mandate 2FA (OTP-based verification) for e-commerce. This allowed hackers who had obtained card numbers and CVVs to execute “card-not-present” transactions without the customer ever receiving a notification.
- Immediate Action: Yes Bank has now placed a blanket restriction on e-commerce transactions originating from the affected country.
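The detection signal described above (a jump in declines concentrated on one BIN and one merchant country, with no 2FA on the attempts) can be sketched as a sliding-window check. This is an added example, not Yes Bank's monitoring logic; the record fields, thresholds, BINs and the country code "XX" are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed look-back window
MIN_ATTEMPTS = 20               # assumed minimum volume before alerting
DECLINE_RATE = 0.5              # assumed decline-ratio threshold

def detect_bin_spikes(events):
    """Flag (BIN, merchant country) pairs whose recent decline ratio spikes.

    events: dicts sorted by 'ts' with keys ts, bin, country, approved, two_fa.
    Returns (ts, bin, country, attempts, decline_rate, no_2fa_share) tuples.
    """
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        key = (ev["bin"], ev["country"])
        win = windows[key]
        win.append(ev)
        # Drop authorizations that fell out of the look-back window.
        while ev["ts"] - win[0]["ts"] > WINDOW:
            win.popleft()
        attempts = len(win)
        if key in alerted or attempts < MIN_ATTEMPTS:
            continue
        rate = sum(not e["approved"] for e in win) / attempts
        if rate >= DECLINE_RATE:
            no_2fa = sum(not e["two_fa"] for e in win) / attempts
            alerted.add(key)  # one alert per pair; the response is a block rule
            alerts.append((ev["ts"], *key, attempts, round(rate, 2), round(no_2fa, 2)))
    return alerts

def sample_events():
    """Constructed data: steady 2FA traffic plus a no-2FA burst on one BIN."""
    t0 = datetime(2026, 2, 24, 10, 0)
    evs = [{"ts": t0 + timedelta(minutes=i), "bin": "400000", "country": "IN",
            "approved": i % 10 != 0, "two_fa": True} for i in range(30)]
    # Burst: one attempt every 10 s from placeholder country "XX", 3 in 4 declined.
    evs += [{"ts": t0 + timedelta(minutes=5, seconds=10 * i), "bin": "411111",
             "country": "XX", "approved": i % 4 == 0, "two_fa": False}
            for i in range(40)]
    return sorted(evs, key=lambda e: e["ts"])

if __name__ == "__main__":
    for alert in detect_bin_spikes(sample_events()):
        print(alert)
```

On the constructed data the burst is flagged at its twentieth attempt, a little over three minutes in, while the steady 2FA traffic never reaches the volume threshold.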
Yes Bank vs. IDFC First: A Week of Banking Fraud
This summons comes during a particularly turbulent week for Indian private banking.
- IDFC First Scandal: Earlier this week, IDFC First Bank admitted to a massive ₹583 crore fraud involving its own employees siphoning government deposits from Haryana.
- Regulatory Heat: The back-to-back incidents at Yes Bank and IDFC First have put the RBI on high alert, with many expecting a nationwide cybersecurity audit of all private lenders by the end of Q1 2026.
Reality Check
Yes Bank claims no customers will face financial loss due to “chargebacks.” Still, the chargeback process can take anywhere from 45 to 90 days to reflect in a customer’s account, so travelers currently using these cards might find their immediate funds frozen or unavailable during their trips. And while BookMyForex claims its systems weren’t breached, the data had to come from somewhere, suggesting a compromise either at the card manufacturing stage or within the bank’s own switch servers.
The Loopholes
The bank restricted e-commerce in the specific country after the breach. This is a “Reactive Security Loophole”: international cards are often left “wide open” for global use by default to ensure traveler convenience, so the very feature that makes the card useful (global acceptance) is what made it a target. The “CVV Loophole” (the CVV was reportedly stolen) points to a deeper database compromise, as CVVs are generally not supposed to be stored by merchants or processors under PCI-DSS standards.
What This Means for You
If you possess a Yes Bank-BookMyForex card, log into your portal immediately and freeze international e-commerce. First, realize that even if you haven’t traveled recently, your data might have been part of the 5,000-person leak. Then, if you see an unauthorized transaction, file a formal dispute (Chargeback) with Yes Bank via their official email within 48 hours to ensure your “Zero Liability” protection.
Finally, understand that forex cards are more vulnerable than standard bank cards because they often lack the “per-transaction” limits that modern apps allow. You should switch to a card that allows you to toggle “International E-com” on/off via a mobile app in real-time. Before your next trip, check if your bank provides “Virtual Forex Cards” which are significantly harder to clone or misuse in bulk.
What’s Next
Yes Bank is expected to submit its Cybersecurity Architecture Review to the RBI by Monday. Then, look for a potential penalty or restriction on new card issuances if the regulator finds “procedural negligence.” Finally, the NPCI and RBI are expected to issue a new circular by March 2026, mandating a “Global 2FA Standard” for all Indian-issued cards, regardless of where the merchant is based.
The post RBI summons Yes Bank officials over Rs 2.54 crore forex card breach first appeared on Business League.