Indian banks hit by massive ATM breach


India's top banks are asking customers to change PIN codes and recalling millions of debit cards following reports of a malware-based security breach at a number of unspecified ATMs across the country.

State Bank of India, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank have all issued advisories concerning the breach, which may impact up to 3.2 million debit cards. Earlier this week, State Bank of India blocked and recalled over 600,000 cards, while other banks have instructed some customers to alter their PINs and avoid using ATMs that are not on their network.

In a statement, SBI says: "Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks."

Shiv Kumar Bhasin, SBI's chief technology officer (CTO), told the Times of India newspaper: "A few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised."

A P Hota, chief executive of National Payments Corp of India (NPCI), which runs RuPay, told the CNBC TV18 television channel that cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country. Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay.

Hota speculates that the infection spread from a compromised gateway switch. Banking industry sources contacted by Reuters pointed the finger at Hitachi Payment Services, which manages ATM network processing for Yes Bank.

Kaspersky Lab, which last month informed Axis Bank of a breach of its servers by an offshore hacker, says ATMs are terrifyingly easy to hack. "Looting an ATM is a trivial task, and banks are losing big," says the firm.

Update: National Payments Corporation of India says that the PCI Council governing international security standards for card-based transactions is conducting a forensic audit of the payments switch of one bank "which is likely to be the source of the compromise". Cases of illegal withdrawals have so far been limited to 641 customers of 19 banks, and the total amount involved was 13 million rupees ($194,600), according to the statement.

Comments: (2)

A Finextra member 20 October, 2016, 13:17

India's regulator came up with a cyber security framework in June 2016. Today US regulators proposed 'Enhanced Cyber Risk Management Standards' to mitigate cyber risk. US standards propose a comprehensive cyber risk management program encompassing (1) Cyber risk governance (2) Cyber risk management (3) Internal dependency management (4) External dependency management (5) Incident response, cyber resilience and situational awareness.

This concerted action by regulators augurs well to address cyber risk. In view of the frequent cyber incidents, Banks have to fast track adoption of the proposed cyber security frameworks. This would help Banks to prevent or reduce data loss occurrences.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 October, 2016, 19:23

Before the cybersecuristas run wild with doomsday scenarios, there are 697M debit cards in India, so the 3.2M debit cards affected by this breach works out to 0.46%. Hardly a massive breach...