The promise of seamless international transactions for global travelers recently collided with the stark reality of sophisticated cyber fraud, shaking consumer confidence in India’s burgeoning digital forex market. In the early hours of February 24, 2026, thousands of users of co-branded multi-currency prepaid forex cards, issued by Yes Bank in partnership with BookMyForex, witnessed unauthorized debits, primarily from merchants in Brazil. This incident, which saw approximately $0.28 million approved across 5,000 customer accounts, while another $0.1 million in 688 attempts were thankfully declined, has cast a critical spotlight on the security architecture of cross-border digital payment systems and the responsiveness of financial institutions.
The modus operandi of the fraud was particularly alarming. Customers like Baid, who saw roughly ₹1,45,000 (equivalent to approximately $1,750) disappear from his card, noted that while his card was loaded with United Arab Emirates Dirham (AED), the transactions appeared in Brazilian Real. Similarly, Himanshu Raj, a Gurugram-based PR consultant, lost $370 (over ₹33,000), and Moninder Pal Singh, a retired businessman, reported losing his entire card balance of $600 (over ₹54,000), all linked to transactions in Brazil, despite their physical cards remaining secure in India. These incidents underscore a critical vulnerability: the absence of mandatory two-factor authentication (2FA) for e-commerce transactions in certain foreign jurisdictions, including Brazil, which fraudsters seemingly exploited.
The affected cards, launched in August 2019, were a collaboration between BookMyForex, an online forex marketplace owned by MakeMyTrip, Yes Bank, and fintech company M2P, operating on the Visa network. Marketed for their convenience in loading multiple foreign currencies, these cards are a popular choice for India’s rapidly growing outbound travel segment. India’s outward remittance market has seen significant growth, with the Reserve Bank of India reporting remittances under the Liberalised Remittance Scheme (LRS) consistently increasing year-on-year, highlighting the expanding user base for such forex products. This surge in digital international payments has also, unfortunately, presented a larger attack surface for cybercriminals.
Amidst the unfolding crisis, customer frustration mounted significantly due to a severe lack of accessible support. Users reported attempting to contact BookMyForex customer service, only to find it unavailable until regular business hours, a critical failing for a financial service operating in a 24/7 global economy where fraud can strike at any moment. "If they are operating in the finance sector, and there could be any fraud, there is no one to connect or call," lamented Baid. Similar challenges were faced when trying to reach Yes Bank, where customers struggled to navigate departments without specific customer IDs linked directly to the bank, leading to delays in blocking cards and reporting incidents. This systemic failure in immediate customer support amplified the financial stress and emotional distress of the victims.
Yes Bank, the issuing institution, quickly moved to address the situation, albeit after the initial wave of fraudulent activity. The bank confirmed an "unusual spike in transaction declines flagged by its fraud monitoring system" and clarified that unauthorized transaction attempts were confined to specific Bank Identification Numbers (BINs) linked to the co-branded cards. Investigations by the bank revealed that the fraudulent transactions occurred between 3:30 AM and 8:30 AM IST on February 24, 2026, targeting 15 merchants in a Latin American country. As a precautionary measure, Yes Bank promptly restricted e-commerce transactions originating from the identified country and proactively blocked cards involved in these attempted transactions. The bank also committed to initiating chargebacks with the card network to ensure that impacted customers would not suffer financial loss, a crucial step for consumer protection.
BookMyForex, while acknowledging the incident, vehemently denied any data breach involving its systems or customer data. A spokesperson stated that Yes Bank observed "unusual volumes of false transaction attempts," originating from a specific country, which led to the blocking of transactions from that source. This highlights a potential disconnect or differing interpretations between partners regarding the precise origin of the compromise, a common challenge in multi-stakeholder payment ecosystems involving fintechs, banks, and card networks. The silence from Visa and M2P, the card network and fintech partner respectively, on the source of the alleged breaches, further compounded the opaqueness of the situation for affected consumers and the wider public.
The incident underscores the growing sophistication of cybercriminal organizations, which often operate across international borders, leveraging jurisdictional differences in security protocols. Card-not-present (CNP) fraud, particularly in e-commerce, remains a significant challenge globally. According to industry reports, CNP fraud accounts for a substantial portion of all card fraud losses, estimated to be in the tens of billions of dollars annually worldwide. Regions with less stringent authentication requirements become attractive targets for fraudsters. The exploitation of non-3D Secure (or similar 2FA) environments in specific countries allows for transactions to be authorized with minimal verification, turning convenience into a critical vulnerability.
From a regulatory standpoint in India, the Reserve Bank of India’s (RBI) "Zero Liability" guidelines offer a strong safety net for consumers. Prerna Robin, a principal associate at B Shanker Advocates LLP, emphasized that under these guidelines, a customer bears no liability if the fraud stems from "contributory fraud, negligence, or deficiency" on the part of the bank or a third-party breach, provided the incident is reported within three working days. Given that these transactions bypassed OTP protocols and occurred without user intervention, legal experts suggest a compromise of the card security system or the fintech-bank interface. The onus is on the cardholder to formally dispute transactions and file necessary complaints, but the bank is generally obligated to resolve disputes and restore funds after a forensic audit. This regulatory framework is critical in maintaining consumer trust, yet the arduous process of reporting and awaiting refunds can still be daunting for individuals.
Cybersecurity experts, such as Manu Zacharia, stress that financial institutions and their fintech partners must possess robust systems capable of detecting and thwarting malicious, suspicious, or unauthorized transactions in real-time. "If you are unable to identify a malicious transaction, then you are not fit to run this business," Zacharia asserted, highlighting the fundamental expectation for advanced fraud detection capabilities. The sheer volume of digital transactions in India necessitates state-of-the-art technologies, sophisticated infrastructure, and highly skilled operational teams to ensure continuous vigilance against evolving threats. The incident serves as a stark reminder that while convenience drives adoption of digital payment methods, security remains paramount.
The economic impact of such incidents extends beyond immediate financial losses. For Yes Bank, already navigating a period of significant restructuring and rebuilding public trust after past financial challenges, this fraud event presents an additional test of its resilience and commitment to customer protection. For BookMyForex and MakeMyTrip, brand reputation and customer loyalty are at stake, particularly given the widespread complaints about customer service. The broader fintech industry must also internalize these lessons, emphasizing proactive cybersecurity investments, rigorous due diligence in partner selection, and the implementation of globally consistent, strong authentication measures.
Looking ahead, the incident calls for a comprehensive re-evaluation of security protocols across the entire digital forex card ecosystem. This includes enhancing real-time fraud detection systems with AI and machine learning capabilities, mandating robust 2FA for all e-commerce transactions irrespective of jurisdiction where feasible, and fostering better collaboration among banks, fintechs, and card networks to share threat intelligence. Improved, 24/7 customer support channels with clear escalation paths are non-negotiable for financial service providers. As India continues its digital transformation and its citizens increasingly engage with the global economy, ensuring the integrity and security of cross-border financial instruments will be crucial for sustaining growth and maintaining consumer confidence. The path to full refunds and restored trust for the affected customers will be a critical benchmark for how the industry responds to these evolving cyber threats.
