32 lakh ATM cards hacked: How, why, where (and what you should do)

Apparently, the security breach was not identified in any of SBI’s systems.

21-10-2016

Sparking pre-Diwali panic among consumers, 32 lakh or more debit cards of various banks are believed to have been affected by malware, following a suspected security breach, even as investigations have begun into the reasons behind the security risk, officials say.

In cyber parlance, malware that creeps into one of a bank’s servers and then finds its way to multiple other servers is performing what is known as lateral movement, and can pose what is known as an advanced persistent threat (APT).

Over the past few years, banks have been fighting cyber strikes such as “distributed denial of service” (or DDoS) which slow down a bank’s system to frustrate customers, worms that make ATMs spew out cash, and some that can divert funds to secret destinations.

Initial investigations reveal that hackers attacked Standard Chartered Bank (SCB) ATMs in Pakistan from England.

SCB Pakistan was left stunned after transaction alerts via email and SMS revealed several withdrawals of Rs 50,000 ($500) cash from their customers’ bank accounts while no such withdrawals were made.

Most Indian banks, including institutions which are listed abroad, keep cyber attacks under wraps and rarely inform the regulator.

The problem has mainly hit debit cards and affects several banks, including the State Bank of India (SBI). SBI has already started blocking customers' debit cards and re-issuing fresh ones free of cost.

Most of the hacked cards reportedly belong to SBI Bank, HDFC Bank, Yes Bank and ICICI Bank, as per official sources.

Recently, various SBI debit card holders were left surprised when their cards were blocked despite no apparent misconduct on their part.

Of course, their concern was justified as it was something out of the ordinary. It was later revealed that the blocking was part of the country’s biggest card blocking and reissuing spree conducted by the bank.

This involved re-issuing roughly 0.6 million debit cards, and SBI had blocked such an enormous number of cards after it got wind of a security breach caused by malware in some non-SBI ATM network(s).

The bank did inform other branches regarding blocking of the debit cards and requested they immediately re-issue new cards to customers.

According to chief technology officer at SBI, Shiv Kumar Bhasin, the security breach was not identified in any of SBI’s systems. Hence, customers who have used SBI ATMs need not be concerned.

But some ATMs have been affected by malware. When people use their card on infected switches or ATMs, there is a high probability that their data is compromised.

Bhasin stated that banks whose ATMs have been infected must come forward and declare the same. The onus is on them to stop this.

[Photo: SBI hasn’t yet named the banks involved in the security breach. (Photo credit: India Today)]

SBI hasn’t yet named the banks involved in the security breach but Bhasin believes that until the situation becomes clear and the problem gets resolved, the affected banks will be considered at risk.

A month ago, an official from Axis Bank, India's third largest private sector lender, received an unexpected telephone call. The caller, an engineer at Kaspersky Lab, the well-known Moscow-headquartered cyber security firm, rattled off the names of several Axis computers which, he claimed, had been breached.

The Kaspersky man said his firm had stumbled on the information in the course of a separate probe. When an Axis team looked into the bank’s servers, it found there was indeed an unauthorised login by an unnamed, offshore hacker. Last week, the bank filed a preliminary report about the breach to the Reserve Bank of India.

The bank has hired EY, the audit and advisory firm, to carry out an investigation. Till now, there are no reports of fund transfers but the bank and EY are trying to figure out the extent of damage, data loss if any, and most importantly whether the virus is still crawling in the institution’s server zone, said a banker who is aware of the breach.

Axis Bank, like many other large financial institutions, often receives security threats from across the globe. The bank has strict security protocols and procedures in place and all its online properties are monitored round the clock by its in-house team of security experts, says an official.

The bank also engages the best international and national agencies who regularly identify and neutralise threats and audit the bank's online ecosystem. The official said: “We would like to state there has been no monetary loss.”

According to ministry sources, the department of financial services has sought information on implications of such data compromise from Indian Bank Association.

“We have got information from SBI that the PIN (personal identification number) related to some debit cards has been compromised and the bank is in the process of replacing old cards with new in a secured manner,” sources said. The bank has taken measures to ensure safety of data, they added.

“Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks,” SBI said in a statement.

While SBI has recalled cards, others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have replaced debit cards as a pre-emptive measure.

Some lenders like ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM PINs. HDFC Bank also advised all customers to use only its own ATMs for carrying out any transaction. The latest security breach apparently happened through malware in the systems of Hitachi Payments Services, which serves Yes Bank.

In the light of the incident, Yes Bank's managing director and chief executive Rana Kapoor underlined the need for greater vigilance on outsourced work.

“There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned,” he told reporters.

According to bankers, the breach took place in such a way that anyone using the said bank's ATMs in the region might stand to get affected.

SBI deputy managing director and chief operating officer Manju Agarwal explained that the data breach took place between May and July, but was discovered only in September and so the bank decided to proactively change the cards.

“Despite instructions to customers to change PINs, only 7 per cent did so. At that point we decided to recall cards,” she said.

Hitachi Payment Services on Thursday said its system was not compromised, quoting an interim report by an external audit agency appointed by it.

Its managing director Loney Antony said some of the banks to whom the company provides payment services had reported unauthorised transactions towards the end of July. It had then conducted an internal enquiry which did not reveal any security breach.

Post all this, here's what you should do as a debit cardholder:

1) Change debit card PIN, either at the ATM or via net banking. 

2) Stick to using your own bank’s ATM for a while. 

3) Don't ignore alerts that say your card has been used for a transaction you didn’t do, even if the amount is small. 

4) Ask your bank whether you should change your card. 

5) Remember, RBI has asked banks to send both SMS and email alerts. So register for these alerts if you haven't. 

National Payments Corporation of India (NPCI), the umbrella organization for the nation's retail IT systems, said customers at 19 banks were affected. We're told 641 people have been defrauded: approximately $200,000 has been taken, largely from cloned cards used in Chinese and US ATMs.

“Necessary corrective action has already been taken and there is no reason for bank customers to panic,” said NPCI CEO Abhaya Hota.

NPCI handles over 25 million transactions daily, including those on RuPay cards. One of the card network companies, MasterCard, said on Thursday that its own systems had not been breached.

“We are working on the investigations with regulators, issuers, acquirers, global and local law enforcement agencies and third-party payment networks to assess the current situation,” a MasterCard spokesperson said.

It has advised consumers to review account statements and activity, and to contact the bank concerned for more assistance if any unusual or fraudulent transactions are suspected.

Anxious customers have started enquiring with their respective banks about the seriousness of the problem, whether their personal data has leaked out and if it could lead to financial implications, especially with the year's biggest festival at the doorstep.




K Srinivasan @krishsri59

The author is a GST reader and writes on macroeconomics and indirect tax laws.
