India is closer to complete financial inclusion, with every Indian having at least one account, after the Narendra Modi Government made a huge success of its Jan Dhan Yojna. But what has rung alarm bells is that our banking system is neither fully safe nor foolproof.
Recently, India underwent the biggest data breach to date with as many as 3.2 million debit card details stolen from multiple banks and financial platforms.
Being a former banker, I can understand how the massive breach hit the whole gamut of the banking system. I can recall that when I was a Chief Manager with the public sector Oriental Bank of Commerce, from where I sought VRS, we used to tell account holders to never let anyone know the PIN, wait for the welcome message after completion of every transaction, provide the bank with their mobile number for alerts, keep changing the PIN frequently and watch out for suspicious movements of people around the ATM or strangers trying to engage them in conversation. Bank customers are also told never to write the PIN on the card but to memorise it, and never to hand over cards to strangers or seek their help while using ATMs.
However, what happened this time was beyond even bankers’ anticipation. There is now little doubt that big banks including the State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis Bank have been hit by this cyber hacking. Hackers allegedly used malware to compromise the Hitachi Payment Services platform. This platform is used to power the country’s ATMs, point-of-sale machines and other financial transactions. Of the 3.2 million debit cards, 2.6 million are powered by Visa or Mastercard and the remaining 600,000 work on top of India’s own RuPay platform.
Though cyber experts have not yet detected where the attack originated and the whole episode is being kept under wraps, information suggests that many customers hit by the lapse had noticed transactions made on their cards in China. Banks came across unauthorised transactions in which debit cards were used in China while the customers were in India. The banks brought this information to the notice of the National Payments Corporation of India (NPCI), which found that the security breach took place in the systems of Hitachi Payment Services, which provides related sales and services in India.
The NPCI termed this one of the biggest data breaches in the country. According to NPCI investigations, 90 ATMs have been compromised and at least 641 customers across 19 banks have lost 1.3 crore as a result of fraudulent transactions on their debit cards.
Since most of the cards at risk are not chip-based, banks are planning to replace them with chip-based ones. According to the RBI, a customer is not liable for a third-party breach or where negligence or fraud is on the part of the bank. The banking customer must inform the bank of the fraud within three working days of the unauthorised transaction. The RBI has also asked banks to put in place a cyber crisis management plan and to share unusual cyber security incidents with the RBI. The RBI has also set up an expert panel on Cyber Security.
According to RBI cyber experts, a fraudster jams the ‘Enter’ and ‘Cancel’ buttons with glue and the customer trying to press the enter key after entering the PIN is lured into a trap. The customer, on not getting any response from the machine, presumes that the system is not working. The harried customer leaves the ATM machine in a huff, little knowing that the transaction remains active for around 30 seconds, thus giving enough time to the hacker.
The extent of damage due to a cyber security breach depends on the type of cards bank customers use. According to banking experts, cards that use magnetic strips transmit the account number and secret PIN to merchants in a way that could make it easy for fraudsters to hack them. This makes cloning easier for fraudsters. Banks that use EMV (Europay, MasterCard, and Visa) chip-equipped cards store data in encrypted form and only transmit a unique code or one-time password (OTP) for every transaction, and that too on the mobile numbers of banking customers registered with the banks. That makes these cards more secure and a lot harder to clone.
It is learnt that the Payments Council of India has ordered a forensic audit on all the bank servers in India to measure the damage and investigate the origin of the cyber attack. Bengaluru-based payment and security specialist SISA will conduct the forensic audit.
As per the norms, cyber security requires regular communication among service providers and customers. That the whole thing is being kept secret and under wraps raises a question mark over the banking system. Making public all the details of the lapse would actually create awareness amongst bank customers and all stakeholders.
Ironically, however, no one has an inkling as to when exactly the Payments Council of India discovered the breach. The customers should also know if the banks are following the cyber crisis management plan mandated by the Reserve Bank of India.
The RBI and the Payments Council owe the country’s 60 crore debit card holders an explanation and an assurance of a safe future. This becomes all the more important in view of the fact that hackers now have access to the latest hacking techniques. We must know that not all cyber breaches may be for financial gain; motivated attacks could shut power, derail metros, the vast railway system and drinking water supplies, and spread a disinformation campaign against the country.
There is a consolation that Indian debit card holders were fortunate because the malware used to infect the ATMs obviously did not have the rapidly replicating properties of Stuxnet, the virus that crippled the Iranian nuclear programme. Despite suffering such a big data breach, the damage was just Rs 1.3 crore. The government has set in motion all formalities, including Union Finance Minister Arun Jaitley asking for a report and the various regulators setting up their own probes. But bank customers would want to know why the information about a virus having affected a few ATMs was kept under wraps.