
Card data of 3.2 million customers was stolen between 25 May and 10 July from a network of Yes Bank Ltd ATMs managed by Hitachi Payment Services Pvt. Ltd, but it was only in September that banks and payments services providers became aware of the extent of the breach. “Customers should not panic because these hackings are done through computers and a trail can easily be reached… they should not be alarmed. Whatever action has to be taken, it will be done with speed,” said Economic Affairs Secretary Shaktikanta Das. How did the data breach happen, and what happens now?

How did the data breach come to light?

On Sep 5 2016, some banks came across fraudulent transactions in which debit cards were used in China and the US when customers were actually in India. Cardholders also detected similar transactions. The banks complained to the National Payments Corporation of India (NPCI), which has oversight over retail payments systems in India.

The probe by NPCI found a malware-induced security breach in the systems of Hitachi Payment Services, which provides ATMs, point of sale and other services in India. The probe found that ATMs had been compromised as early as May 2016.

  • 90 Yes Bank ATMs and point of sale (PoS) terminals were targeted by malware.
  • The total amount involved is Rs 1.3 crore.
  • The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers.
  • The worst-hit banks are State Bank of India (SBI), ICICI Bank Ltd, HDFC Bank Ltd, Axis Bank and Yes Bank.
  • Of the 3.2 million cards involved in the data breach, over 2.6 million belonged to Mastercard and Visa networks, and the remaining were from the RuPay network.

Until August, Indian banks had issued a total 712.39 million debit cards, according to Reserve Bank of India data.

Yes Bank said in a statement that there had been no security breach in its own systems. However, Rana Kapoor, managing director and CEO of the bank, admitted that there was a risk involved with third-party service providers who manage ATMs.

Hitachi Payment Services’ managing director Loney Antony said an interim report from the company investigating the issue “does not suggest any breach/compromise in our systems”.

What is Malware?

Malware is malicious software, including viruses, worms, trojans, ransomware, spyware and other programmes, that damages computer systems at ATMs or bank servers and allows fraudsters to access confidential debit card data. In this case, swiping a card at an allegedly compromised ATM allowed the data on the card to be transmitted to the fraudsters, who then misused it for fraudulent transactions.

What have banks done after the data breach?

All three service providers (Visa, MasterCard and RuPay) asked banks to either tell customers who could potentially be at risk to change their PIN, or issue them new cards.

Most banks asked customers to change their PIN, and in certain cases blocked the cards and decided to issue fresh ones. Since most of the cards at risk are not chip-based, banks are planning to replace them with chip-based ones.

After becoming aware of the seriousness of the breach, SBI decided to reissue 625,000 cards. SBI has asked customers to change their PIN numbers as well. ICICI Bank and HDFC Bank asked some customers to change the personal identification number on their cards. HDFC Bank asked customers to restrict their usage of other bank ATMs.

How to know if the card was compromised?

  • Did you swipe your debit card at a Yes Bank ATM between 25 May and 10 July 2016?
  • Did you receive an SMS about an unknown transaction?

Who is liable if a card is subjected to a data breach?

  • According to the RBI’s draft circular on customer protection, a customer is not liable for a third-party breach, or where negligence or fraud is on the part of the bank, if the customer informs the bank of the fraud within 3 working days of receiving a communication from the bank on any unauthorised transaction.
  • According to the draft, on being notified by the customer, the “bank should credit (shadow reversal)” the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days.
  • RBI has also proposed that banks should ensure that a complaint is resolved within 90 days and that, in the case of a debit card/bank account, the customer does not lose out on interest. In the case of a credit card, banks should also ensure that the customer does not have to bear any additional burden of interest.
  • Banks must ask their customers to register for alerts, the RBI draft says.
  • Banks will issue you a new card at no cost. You can generate the PIN through SMS/IVRS/internet banking without visiting the branch. Alternatively, cardholders can collect the physical PIN mailer from their home branch.

So, remember to inform your bank or else the bank cannot be held liable. You can read the RBI draft on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions.

What more can be done?

The Maharashtra Police has begun investigations into the security breach and has written to the RBI seeking information on the fraudulent transactions.

A forensic audit has now been ordered by Payments Council of India on Indian bank servers and systems to detect the origin of frauds that might have hit customer accounts. A forensic audit is being conducted by Bengaluru-based payment security specialist SISA. The final report will only come in November, after which there will be some clarity.

The finance ministry is in talks with all important stakeholders including banks and has sought a report on the impact of this breach. They are also looking at measures to increase security in card transactions.

How can you safeguard your debit cards?

Here are a few basic things that you can do to safeguard your debit cards from potential hacking risks:

  • Change your debit card personal identification number (PIN) and internet banking password on a regular basis.
  • Use different PIN numbers and different passwords every time.
  • Pay attention to the transaction alerts you receive through SMS.
  • If there is any suspicious transaction, report that to the bank quickly.
  • Ensure that the mobile number you have registered with the bank is the correct one.
  • Whenever you do an ATM transaction, look around for suspicious things such as hidden cameras.

This is one of the biggest data breaches in the country.
