One of the biggest security breaches in the history of India’s banks was uncovered last week, placing millions of debit card users at risk.
Customers of India’s biggest lenders, including the State Bank of India (SBI), HDFC Bank, ICICI Bank, and Yes Bank, were affected, with an estimated Rs1.3 crore already whisked off by hackers. Caught squarely with their pants down, banks are now taking evasive actions: SBI, for instance, is re-issuing over 600,000 debit cards, while others like HDFC Bank have urged customers to change passwords and ATM PINs (personal identification numbers).
Yet, despite the possible size and scale of the crisis, there are plenty of questions and no comprehensive answers for how something like this could go undetected for months in Asia’s third-largest economy. The incident has also underscored India’s urgent requirement to overhaul consumer protection and cyber security regulation, especially at a time when the Narendra Modi government is attempting to create a robust digital economy.
Here’s what we know so far:
Initially, malware—malicious software that targets computer systems—was detected in some ATM machine systems belonging to Yes Bank, India’s fifth-largest private sector bank. These ATMs are operated by Japanese firm Hitachi Payment Services.
The malware presumably allowed hackers to extract money from bank accounts via debit cards, but the exact number of accounts affected is unclear. Media reports suggest it may be around 3.2 million debit cards. The Maharashtra Police, on the other hand, said on Oct. 21 that it could be as high as 6.5 million.
So far, customers have lost Rs1.3 crore in fraudulent transactions following this breach, according to estimates from the National Payments Corporation of India (NPCI), an umbrella body that oversees the payment systems in the country. NPCI also runs the RuPay card system, which competes with the Mastercard and Visa payment platforms.
The problem was reported on Oct.19 when SBI said it would reissue some 600,000 debit cards after the data breach was brought to its notice. The NPCI subsequently announced that customers across 19 banks had reported unauthorised withdrawals. Some complained that their debit cards were used for transactions in the US and China, even though they were in India.
The data breach happened in August and September, according to the Mint newspaper. But the banks apparently weren’t aware, several bankers told Mint.
This is the list of all of those involved: bank customers, 19 Indian banks, the NPCI, Hitachi Payments Systems, Mastercard, Visa, RuPay. But they are all shirking responsibility for the mess.
Most banks, including SBI, HDFC Bank, and ICICI Bank, have said their systems are safe. The platforms these banks use for debit cards—Mastercard, Visa, and Rupay—have also washed their hands off the crisis. Hitachi Payments Services, which managed Yes Bank’s ATMs, said that an initial review “does not suggest any breach/compromise.”
So who exactly is at fault? So far, clearly no one is owning up—and perhaps, no one is sure either.
Last week, India’s finance ministry stepped in, asking the Reserve Bank of India (RBI) and banks to investigate and release their findings within the next 10 days. Last month, Hitachi, too, initiated a probe, along with the banks involved, NPCI, Visa, and Mastercard. The results will only be out in November.
On Oct. 23, NPCI said that only 641 customers have complained of fraudulent activity so far. “The figure of 3.2 million cards is a proactively identified base of customers who have transacted in the set of suspected ATMs in the recent past,” it said in a statement.
Meanwhile, the Mint newspaper reported that RBI will meet bank officials today (Oct. 24) and come out with guidelines covering such security breaches.
The RBI rules on monetary losses caused by security breaches are clear. “The bank shall ensure full security of the debit card. The security of the debit card shall be the responsibility of the bank and the losses incurred by any party on account of breach of security or failure of the security mechanism shall be borne by the bank,” RBI said in a circular in July 2015.
But no bank has admitted to a failure of its security system. If the data breach was at Hitachi’s end, as some are making it out to be, then one isn’t sure what exactly RBI can do as Hitachi is a third-party vendor. An email sent to RBI seeking details hasn’t evoked a response.
However, new regulations may soon get rid of this grey area.
To address the third-party security issue, RBI put out a draft proposal in August, which would protect customers with limited liability in case of unauthorised e-transactions. These proposals, if finalised, would cover third-party security breaches, too, provided the customers report suspected fraudulent activity within three days.
Nonetheless, it is also clear that banks need to ramp-up their own security systems.
“For a banking institution, it is important to adopt solutions that proactively address adversaries and establish real-time monitoring systems to detect, protect and prepare from cyber attacks,” said Shrikant Shitole, a managing director at Symantec, a security software firm.
Customers who think they’ve been hacked must report to their banks immediately. Other customers would do well to change their ATM PINs, banks have urged. Meanwhile, the NPCI has suggested some fairly standard practices and precautions:
- Registering mobile numbers and email IDs with the bank to get notifications
- Not sharing ATM PINs and internet banking passwords with anyone
- Not sharing bank details over the phone
- Changing ATM PINs and banking passwords at regular intervals
- Reporting any fraud to banks at the earliest
For one, the responsible party (or parties) must be tracked down and the exact timeline of this breach must be established.
And India’s banking sector must swiftly firm up regulations that safeguard consumers. Ross Anderson, a professor of security engineering at the University of Cambridge who has conducted extensive research on bank fraud, explained what can banks and consumers can do in such situations:
It is an issue of consumer protection. What will go wrong is that you (or any other Indian bank customer) go to get money from an infected ATM, which steals your PIN and your card details. The bad guys then make a forged card and use it at another ATM. The debit appears on your account. You go to the bank and say “I didn’t do that” or even ”Hey, I have never been in Coimbatore in my life.” The bank says ”Sorry, our records show that your card was used, and your PIN was entered correctly. Either you did it, or you helped someone else to, or you were negligent. Go away!”
This sort of negligence, Anderson explained, can be done away with strict laws. “Different governments deal with this risk in different ways. The Americans are best, their Reg E and Reg Z (regulations laid down by the Federal Reserve to safeguard consumers) say that banks have to make card fraud victims good. Britain is among the worst; the regulators won’t do anything to upset the banks,” Anderson said.
In India, he added, “you need to get RBI or the ministers engaged.”