3.2 million debit cards in India were compromised due to a major security breach, termed as India’s biggest ATM security breach. The banks denied responsibility for the huge mishap in the Indian banking sector. Banks floated out SMSes to their customers to change their ATM PINs (Personal Identification Number) and even blocked ATM cards, to avoid further damage. This episode came to light when banking customers raised complaints about unauthorized usage of their money from locations of China and US. The victims received OTPs, SMSes to pay the vendors while some received payment notifications using debit cards.
All the ATM card platforms were adversely affected. About 2.6 million cards on Visa and Mastercard platform while 6 lakhs on RuPay, asper the reports. Of all the banks that suffered a hit, SBI, HDFC Bank, ICICI Bank, YES Bank and Axis Bank had the worst.
How ATM security breach Happened?
Hitachi provides ATM, POS (point of sale) and other services to white collar banks. The initial reports suggest that the breach was caused by malicious software -malware- introduced in systems of Hitachi Payment Services. This enabled fraudsters to steal card data and eventually steal funds. About 3.2 million cards were used between 25 May to 10 July from Yes Bank LTD ATM network, managed by Hitachi. It was in September that the tremors of this malware attack were felt.
The controlling authority, NPCI (National Payments Corporation of India), confirmed that there was a possible compromise at the payments switch provider’s system. The customers using their cards on the infected switches have a high probability that their data will be compromised.
What Analysis and Investigation Reports say?
The Yes bank spokesperson said that they have proactively done a comprehensive audit of their ATM and POS networks and found no evidence of a breach or compromise.
Loney Antony, Managing Director, Hitachi Payment Services declared that the interim report published by an audit agency suggests no compromise or breaching in the systems.
National Payments Corporation of India (NPCI) proclaims, a preliminary number, about 641 customers across 19 banks have been cheated of Rs 1.3 CR due to these fraudulent transactions.
The debit card payment platforms like Visa, Mastercard and Rupay confirmed their own networks were not infected, but they would be helping Indian agencies and authorities in investigation.
SISA, a certified agency carried out a detailed audit of Hitachi systems. The report of which does not demonstrate any system-level breach of Payment Systems.
What steps should be taken to avoid such incidents?
Since the breach happened directly at the banking system end, a customer can’t do much to mitigate the effects. This is an alarming situation for the financial sector in India. Banks should safeguard their systems with the latest technology. The recommended steps would be regular utilization of website scanner to periodically scan websites and use of WAF on mission critical applications. Though SBI has already floated SMSs to change the PIN, will reissue/replace new ATM/Debit cards to 6lakh customers. The incident has no doubtedly deteriorated the trust of Indian consumers on plastic money, making them feel unsafe.
Banks and other financial organizations should now, once again, embed trust in minds of Indian customers by investing more on cyber security infrastructure. Hosted Core Banking Solution, turnkey banking solutions and well chalked-out DR plans are the need of BFSI sector.
Moreover, to avoid similar instances, a trusted ATM switch provider and payment service provider is vital for banks.
The Indian Finance Ministry seeks information from Indian Banks Association. The Finance Ministry have asked various investigation agencies and RBI to submit a report on one of largest banking security breach, within 8-10 days.