Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now?

Khushboo Narayan |, ENS, October 21, 2016: On Wednesday, India’s largest bank, State Bank of India, said it had blocked close to 6 lakh debit cards following a malware-related security breach in a non-SBI ATM network. Several other banks, such as Axis Bank, HDFC Bank and ICICI Bank, too have admitted being hit by similar cyber attacks — forcing Indian banks to either replace or request users to change the security codes of as many as 3.2 million debit cards over the last two months.

How did the crisis begin and unfold?

On September 5, some banks came across fraudulent transactions in which debit cards were used in China and the US when customers were actually in India. Cardholders also detected similar transactions — subsequently, the banks complained to the National Payments Corporation of India (NPCI), which has oversight over retail payments systems in India. The probe by NPCI found a malware-induced security breach in the systems of Hitachi Payment Services, which provides ATMs, point of sale and other services in India. The investigation alleged that the security breach occurred in the ATMs of a particular private bank. (On Thursday, Hitachi spokesperson Loney Anthony said that an interim report submitted by an independent auditor in September did not “suggest any breach/compromise” in its systems, and that the final report was expected by mid November.)

After the probe found that ATMs had been compromised as early as in May 2016, all three service providers — Visa, MasterCard and RuPay — asked banks to either tell customers who could potentially be at risk to change their PIN, or issue them new cards. Most banks asked customers to change their PIN, and in certain cases blocked the cards and decided to issue fresh ones.

How big is the problem? How many debit cards have been impacted?

This is one of the biggest data breaches in the country — about 3.2 million cards issued by Indian banks could be potentially replaced, or their holders asked to change their PINs to avoid fraud. According to NPCI, 90 ATMs have been compromised, and at least 641 customers across 19 banks have lost Rs 1.3 crore as a result of fraudulent transactions on their debit cards. Until August, Indian banks had issued a total 712.39 million debit cards, according to Reserve Bank of India data — while the number of cards affected by the breach may seem small in comparison, the potential losses could still be significant if a large number of them are exposed to this fraud.

How exactly does the malware work?

Malware is malicious software including viruses, worms, trojans, ransomware, spyware and other programmes that damages computer systems at ATMs or bank servers, and allows fraudsters to access confidential debit card data. In this case, swiping a card at an allegedly compromised ATM allowed the data on the card to be transmitted to the fraudsters, who then misused it for fraudulent transactions.

What are banks doing to protect cardholders?

Since most of the cards at risk are not chip-based, banks are planning to replace them with chip-based ones. The Maharashtra Police has begun investigations into the security breach and has written to the RBI seeking information on the fraudulent transactions. The council of Payment Card Industry Data Security Standard (PCIDSS), an international body that sets data security standards, has ordered a forensic audit of the data breach in India, which will be concluded by the end of this month.

Who is liable if a card is subject to fraud orchestrated by a third party?

According to the RBI’s draft circular on customer protection, a customer is not liable for a third-party breach, or where negligence or fraud is on the part of the bank, if the customer informs the bank of the fraud within 3 working days of receiving a communication from the bank on any unauthorised transaction.

What is RBI doing to mitigate cyber attacks on financial institutions?

In June 2016, RBI issued instructions on a cyber security framework in banks, asking them to put in place a board-approved cyber security policy, prepare a cyber crisis management plan, and make arrangement for continuous surveillance. The circular also asked banks to share unusual cyber security incidents with RBI. Apart from this, RBI has set up an expert panel on IT Examination and Cyber Security to provide assistance in banks’ cyber security initiatives, and proposes to cover, by 2017-18, all banks under a detailed IT examination programme that it launched in October 2015.

ATM FRAUD

Keypad jamming

The fraudster jams the ‘Enter’ and ‘Cancel’ buttons with glue or by inserting a pin or blade at the buttons’ edge. A customer trying to press the ‘Enter/OK’ button after entering the PIN, does not succeed, and thinks the machine is not working. An attempt to ‘Cancel’ the transaction fails as well. In many cases, the customer leaves — and is quickly replaced at the machine by the fraudster. A transaction is active for around 30 seconds (20 seconds in some cases), and he is able to remove the glue or pin from the ‘Enter’ button to go ahead with the withdrawal. The loss to the cardholder is, however, limited by the ceiling on withdrawals, and the fact that only one transaction is possible without swiping the card again and re-entering the PIN. Commonsense advice: do not seek the help of a stranger to withdraw cash, and do not leave the ATM box until the transaction has been cancelled. Banks do not take responsibility for such a fraud, which they put down to negligence on the part of the cardholder.

Card swapping

Sometimes, when a customer uses his debit card at a merchant establishment, the fraudster (who could be a fuel pump attendant or a restaurant waiter, etc.) will make a note of the PIN that is keyed in and, while returning the card, swap it with an identical dummy from a store of several cards he keeps. With both card and PIN, the fraudster can then withdraw cash until the cardholder is able to block the card. Banks advise customers to make sure their card is always in sight, to check if it is indeed theirs when an attendant hands it back, and to not ask him to punch in the PIN at the ‘point of sale’ terminal. In cases of card swapping fraud too, banks do not accept liability.

Skimming

This kind of fraud is more sophisticated. A small skimming device is planted in the ATM’s debit card slot, which is able to read the information on the card’s magnetic tape. The information, once copied, can be reproduced on any card, which can be subsequently used to withdraw cash. The customer’s PIN is captured by a small camera that the fraudster installs in the ATM kiosk. Banks generally take the liability for skimming frauds and make good the customer’s loss. However, the customer must block the card after the first instance of misuse. — ENS

While using debit card:

* Never let anyone see you entering PIN

* Always wait for ‘Welcome’ screen to be displayed after completing transaction

* Ensure bank has your current mobile number so you get alerts for transactions

* Watch out for suspicious movements of people around the ATM or strangers trying to engage you in conversation

* Check if the card given to you by the merchant after completion of the transaction is yours

* Look if there are any visible extra devices attached to the ATM

* Inform the bank immediately in case your ATM/Debit card is lost or stolen, or if you notice a transaction you didn’t do

* Check transaction alert SMSes and bank statements frequently

And do not:

* Write your PIN on the card; memorise it

* take help from strangers or hand your card to anyone else

* disclose your PIN to anyone, including bank employees and family members

* allow card to go out of your sight

* speak on the mobile while transacting; it distracts you