In the wake of the recent ATM fraud involving around 3.2 million debit cards, with State Bank of India, ICICI Bank, HDFC Bank, Axis Bank and a few other banks blocking lakhs of debit cards, the dust seems to be settling on yet another ATM heist.
It was only in 2013 that the largest ATM heist, of $45 million, happened. This heist involved cards issued by National Bank of Ras Al-Khaimah and Bank of Muscat. Money was withdrawn in the space of a few hours, in two separate time periods, from across several continents. It was reported that two payment processing companies in India were probably compromised. Lessons, however, don’t seem to have been learnt.
Shockingly, in the current case there was a prior warning. National Payment Corporation of India had in May 2016 informed the banks about a possible malware-induced breach in payment systems operated by Hitachi Payment Services. Nothing much seems to have been done, except for Hitachi Payment Services issuing a couple of statements indicating that, as per the reports of the auditors, their systems had no breach.
The mechanics of the operation are fairly simple. ATM operations of banks are mostly outsourced to third parties, who provide the machines and the software to run them. As a person swipes the card, the details from the magnetic stripe on the card are read by the reader on the ATM machine. This provides basic account details and the corresponding bank identification. After the card is read, the PIN is entered to authenticate the transaction.
These third-party companies are provided a link to the bank systems, through which they get details of the bank accounts, the PIN details of individual cards and the limits on each card. These details are processed on the payment settlement system run by these outsourced companies, and payments are made based on the authenticated details. Once the payment systems are compromised, card details, PINs, limits etc. all reach the hands of scammers.
These details are used to make fake cards. These cards are then handed over to persons who withdraw money from ATMs. Many a time this operation happens in a coordinated manner across several countries.
As reported, withdrawals from China happened in the current case. While Hitachi Payment Services may maintain that its servers were not breached, as far as a citizen is concerned, he lost his money. With the money gone and software systems possibly facilitating it, this does appear to be a case of wrongful loss to the citizen and wrongful gain by unknown persons. This clearly attracts the section on cheating under the Indian Penal Code.
The role of the banks that hired the services of these payment settlement companies, and of those who certified this software to be free of bugs, is also not beyond the realm of the sections on criminal conspiracy in the Indian Penal Code.
A case could be made out that the intermediaries, i.e. the payment settlement companies and the banks, were themselves victims. But negligence in the safekeeping of citizen’s money surely is criminal and needs to be investigated.
Outsourced operations no doubt add to ease of business. They are, however, prone to fraud in the absence of proper checks and balances. Cases like these raise concerns about whether there has been criminal negligence on the part of the parties concerned.
Criminal investigations in the current case involving banks, software service providers and the auditors who certify these systems will not only help prevent future frauds but also help citizens to safely and securely enjoy hassle-free banking services in future.
The author is currently Additional Director General, Home Guards, Mumbai, and former Controller, Legal Metrology, Maharashtra.
Updated Date: Oct 21, 2016 21:16 PM