About 30 lakh bank debit cards issued in India by various banks, including the largest, State Bank of India, have come under threat of potential financial fraud after the systems of Hitachi Payments Services were reportedly infected with malware.
According to media reports, the malware infestation is likely to have started with YES Bank ATMs, which are managed by Hitachi. However, the bank has issued a statement saying it has proactively undertaken a comprehensive review of its ATMs. "There is no evidence of a breach or compromise on YES BANK ATMs," the bank has said. Hitachi too is reportedly conducting an audit of its systems.
However, the reported ATM security breach has sent shock waves across the country as it reveals the risks the consumers face in a world where digitisation is gathering momentum.
Against this backdrop, a pertinent question is whether the banks concerned have dealt with the evolving, scary situation with the utmost care, sense of responsibility and urgency. Prima facie, the answer seems to be a 'no'.
For sure, the number of debit cards suspected to be compromised now is not proportionately large - just half a percent of the total debit cards issued. But that doesn't make it a smaller issue.
Reports say the security breach could have taken place sometime during the May-July period. Banks have been issuing emails and text messages to consumers urging them to change their ATM PIN. But why did it take three months for the suspected security breach to become a major issue?
According to this ToI report, there are no RBI rules as of now that stipulate banks should announce to the public any security breach that happens in their network.
So, technically, one cannot accuse the banks of any mismanagement. But isn't it the responsibility of the banks to be open about such events for the larger public good?
"Going by reports of security being compromised of 30 lakh accounts, this large number of accounts would not be infected in one swift action at the same time. It would have started off sporadically and this is where both the banks and customers could have helped stem the large scale damage that it has turned out to be now," said a cyber security analyst with one of the reputed foreign consultancy and audit firms.
He was also of the opinion that, had that been done, the issue would not have snowballed to such a large scale as it has now.
He further feels banks should put in place a detection capability and not be solely dependent on prevention.
It is also to be noted that banks' public comments or clarification have come in with a delay. State Bank of India, the country's largest lender which is reportedly looking to block and replace about 6.25 lakh cards, released a statement today - more than a day after the potential threat was reported in the ToI.
"Card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, State Bank of India (SBI) has taken precautionary measures and has blocked cards of certain customers identified by the networks. This has been a proactive measure to protect our customers from any potential fraud, once we came to know of some data breach outside our Bank. We’d like to inform that SBI’s robust systems are absolutely secure and no security breach has happened. Customers can continue to use their Debit Cards securely. This is a cards industry incident (not only SBI)," it has said.
"SBI is in the process of issuing new cards at no cost to the customers whose cards have been blocked. The Cardholders can generate the PIN through SMS/IVRS/internet banking without visiting the branch. Alternatively, the cardholders can collect the physical PIN mailer from their home branch," it has added.
Interestingly, some of the customers were in the dark about the bank's move to block their cards. The ToI report quotes customers who were caught off guard when they tried to pay for a transaction.
This only underscores the suspicion that the banks were not forthcoming about informing customers regarding the situation.
Vijay Mukhi, one of the pioneers of the Internet revolution in India, is furious about the banks' attitude.
“I have lost faith in the banking system in the country where lakhs of debit cards have been compromised. If, for instance, opium is found in my office, the police would hold me responsible. By that same logic, if as an account holder of a bank, my account has been compromised, the concerned bank should be held responsible. You cannot palm it off with excuses such as third party ATM or other security-related issues,” he says.
Every ATM machine is connected to the other, irrespective of which bank uses it for its transactions. That is why customers are able to use ATMs of other banks. “When an ATM of one bank gets infected, does another bank’s ATM have to suffer?” asks Mukhi.
If the banks are complaining about a virus infecting their computers, Mukhi says, then that is a serious lapse of security, as the banks need to answer how the virus entered their computer system.
“No one is answering these questions and that is making this issue murkier. I feel there is more than what meets the eye,” he says.
A debit card is not secured by a chip and hence it is easy to clone it. Banks are aware of this technology, says Mukhi, and yet many have not updated debit cards with the chip. As he views it, banks are unwilling to spend money on upgrading technology or hiring hackers to be updated on technology.
“Banks don’t have a cyber security branch or system. Hacking into credit and debit cards is not a new phenomenon and has been happening in the country and globally, though not on the scale as reported by a few banks in the country at present. What were they waiting for – to compromise with customer accounts before they are forced to take pro-active steps?”
True, the problem is not restricted to India.
"Malware can surface from any location in the world and can target any device or platform that customers may use – either an ATM, a full-fledged online banking platform or cloud-based services such as email providers where passwords and card details may be stored. In such a situation, fraud risk tends to get amplified," says KV Karthik, partner, financial advisory services, Deloitte Touche Tohmatsu India LLP.
And that makes this all the more dangerous.
As the cyber analyst quoted earlier says, the issue cannot be resolved completely as this is a global phenomenon, but it does ring alarm bells.
To resolve the issue, banks and RBI have to come together.
"If the Reserve Bank of India makes it mandatory for banks to make security lapses public, banks will have to take a stand on security issues so that widespread damage does not take place," he says.