Yes Bank has initiated stringent corrective measures after detecting a cluster of unauthorised e-commerce transaction attempts on its multi-currency prepaid forex cards issued in partnership with BookMyForex.
According to the bank, its fraud monitoring systems flagged an unusual spike in transaction declines linked to specific Bank Identification Numbers (BINs) in the early hours of February 24, 2026. The attempted transactions, carried out between 3:30 AM and 8:30 AM (IST), were traced to 15 merchants based in a Latin American country where two-factor authentication (2FA) is not mandated for online purchases.
Early Detection, Immediate Controls
The anomaly was detected through Yes Bank’s real-time fraud monitoring framework, which identified irregular patterns in cross-border e-commerce usage. As a precautionary step, the bank has restricted e-commerce transactions originating from the identified country to prevent further exposure.
Internal investigations revealed that during the incident window, transactions amounting to approximately $0.28 million were approved across around 5,000 customers. However, the bank’s automated controls declined 688 unauthorised transaction attempts, effectively safeguarding nearly $0.1 million.
The bank is now coordinating with the relevant card network partners to initiate chargeback processes to ensure that impacted customers do not incur any financial loss.
Cross-Border Risk Spotlight
The episode underlines heightened risks associated with international e-commerce transactions in jurisdictions where regulatory requirements, such as mandatory 2FA, differ from Indian norms. India’s payments ecosystem is built around strong authentication protocols, making cards issued domestically relatively secure in local transactions. However, when used globally, they may be exposed to weaker compliance standards in certain markets.
Industry observers note that prepaid forex cards, widely used by students, business travellers and tourists, can be particularly vulnerable if compromised card data is tested on overseas merchant platforms with lower authentication thresholds.
Customer Protection at the Core
Yes Bank emphasised that it remains committed to the highest standards of data security and customer protection. The lender continues to monitor the situation closely and is engaging with all relevant stakeholders, including network partners and merchant acquirers, to contain risk and prevent recurrence.
The swift detection, transaction blocking and initiation of chargebacks highlight the growing sophistication of fraud monitoring tools within India’s banking system. At the same time, the incident serves as a reminder of the evolving threat landscape in cross-border digital payments, where vigilance, analytics and rapid response remain critical to safeguarding customer trust.