Some 3.2 million debit cards issued by India’s biggest banks may be exposed to a malware-induced security breakdown, the Economic Times newspaper reported on Oct. 20. Most of these cards belong to State Bank of India (SBI), HDFC Bank, Yes Bank and ICICI Bank.
Malware—malicious software that damage computer systems—at ATMs or bank servers can allow unauthorised persons to access the data on debit cards. Most of the cards at risk use the Visa, Mastercard and RuPay platforms. As of July, Indian banks had issued 697 million debit cards, according to data (pdf) from the Reserve Bank of India (RBI).
Some banks have announced that they will replace the cards that are said to have been compromised, while others such as, HDFC Bank, have urged customers to change their PINs—the personal identification numbers—that enable transactions on automated teller machines (ATMs).
SBI, the country’s biggest lender, will re-issue over 6,00,000 debit cards, The Times of India reported on Oct.19. “It’s a security breach, but not in our bank’s systems. Many other banks also have this breach—right now and since a long time,” Shiv Kumar Bhasin, SBI’s chief technology officer (CTO), told The Times of India. “A few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised.”
In a statement on Oct. 20, SBI said that its “robust systems are absolutely secure and no security breach has happened.” “Customers can continue to use their debit cards securely. This is a cards industry incident (not only SBI),” it added,s saying that it will reissue cards at no cost.
Mastercard, too, denied that its systems were breached.
“We are aware of the data compromise event. To be clear, Mastercard’s own systems have not been breached. At Mastercard, safety and security of payments is a top priority for us and we are working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation,” the company said in a statement on Oct. 20.
Last month, Axis Bank reported one such breach to the RBI after its server was found to have been attacked by an offshore hacker. Although there were no reports of any customer being affected, the bank is investigating if the malware still remains in its system.
Experts say the extent of damage also depends on what type of cards customers are using.
“If you’re using magstripe (magnetic strip) cards then any compromise of such data makes it possible to forge cards. If on the other hand banks are using EMV (chip) cards then it’s a lot harder,” said Ross Anderson, professor of security engineering at Cambridge University.
Many of the banks’ complaints to the National Payments Council of India (NPCI), an umbrella organisation facilitating retail payments, indicated that unauthorised transactions were being generated from China.
“We have received complaints from banks about debit cards being used in China, which aroused suspicion,” AP Hota, NPCI managing director, told the Economic Times. NPCI has initiated a forensic audit on bank servers.
Meanwhile, Anderson also said that the central bank needs to put in place strict policies vis-a-vis security breaches. Currently, there are no rules issued by the RBI that require banks to report security issues to the public.
“If the banks can cover up security breaches then their customers are at risk of being left liable for the costs of fraud, and that is quite wrong,” Anderson said. “It not only lets rich bankers charge poor customers for their negligence but blunts the incentive for the banks to do better.”
This post has been updated with Mastercard’s comments.