While some of the country’s premier banks are busy blocking debit cards that have been compromised (the numbers run into millions) in one of the financial sector’s biggest data breaches, it’s time for banks to adopt state-of-the-art, fully encrypted ATM security solutions to safeguard consumers, the country’s top cyber experts have suggested. The State Bank of India (SBI), HDFC Bank, ICICI Bank, Axis Bank and YES Bank are among banks which reported several of their customers’ debit cards being compromised following a malware-related security breach in an ATM network. The SBI has blocked nearly 600,000 debit cards so far.
“This incident is a wake-up call for the Indian banking ecosystem to pause and realise that adopting extra-layered, state-of-the-art encryption security to minimise consumer financial data breach has become essential. The breach is attributable to malware which was introduced in ATM systems. The said malware has resulted in unauthorised access to data,” Pavan Duggal, one of the nation’s top cyber law experts, told IANS.
Malware attacks and cyber threats have affected countries like Japan and Bangladesh in the recent past and banks in India will have to make efforts to ensure that data is protected with multiple levels of authentication and industry-standard encryption, ensuring data security at all points of a transaction.
“It is time that magnetic-stripe cards issued by banks for ATM transactions are replaced at the earliest. While the affected banks are blocking debit cards to minimise the impact, the already ongoing replacement of mag-stripe cards with EMV chip cards will help the banks and consumers,” explained Atul Singh, Regional Director-Banking and Transport (India Subcontinent) at the digital security giant Gemalto.
Gemalto works with some of the world’s leading enterprises, banks and telcos to help them deploy consumer-friendly technology solutions for payment, banking and other financial services on the mobile and securing confidential information. EMV — which stands for Europay, MasterCard and Visa — is a global standard for credit cards that uses computer chips to authenticate (and secure) chip-card transactions.
“This is in line with the RBI directive to issue EMV chip- and PIN-enabled cards. According to industry estimates, around 400 million mag-stripe cards have to be migrated to EMV standard in the next two years while nearly 120 million cards would have been migrated this year,” Singh told IANS. Further, banks need to work towards gradually enabling EMV chip and PIN-enabled card acceptance and processing at ATMs to enhance the safety and security of transactions.
While the point of sale (POS) terminal infrastructure in the country has been enabled to accept and process EMV Chip and PIN cards, the ATM infrastructure, on the whole, continues to process the card transactions based on data from the magnetic stripe.
“As a result, ATM card transactions remain vulnerable to skimming and cloning, etc., even though the cards are EMV Chip and PIN-based. Therefore, in line with RBI’s directive of May 26, 2016, to all banks to upgrade ATMs to accept chip and PIN by September 2017, banks must take immediate steps to implement this in a fast-track mode,” Singh added. Worryingly, Indian cyber laws do not talk specifically about banking frauds.
“The Information Technology Act, 2000, being the sector-specific legislation, was amended in 2008. By virtue of the 2008 amendments, certain cosmetic amendments concerning cyber security were made under the Information Technology Act, 2000. The said amendments are not sufficient and adequate in today’s scenario,” Duggal informed. “Further, the ground realities for cyber security breach are distinctly different in 2016 as compared to 2008. As such, there is a distinct need for India to beef up its legal frameworks on cyber security when it comes to banking frauds,” he told IANS.
According to Rakshit Tandon, a consultant at the Internet and Mobile Association of India (IAMAI) and a cyber security expert, ATM cards are vulnerable; ATMs are weak, and banks’ own servers are at hacking risk. “Banks must introduce biometrics like retina scan, voice scan or fingerprint as double verification at ATMs. PIN numbers must be changed periodically. But the option is only in four-digit and so making strong PINs is out of the question as of now,” Tandon told IANS.
Watch bank statements closely and contact the bank in the event of any signs of unexpected charges or transfers. Consumers also need to be aware of phishing scams where cybercriminals hijack banking systems and send bogus emails that lure people into sharing personal information or clicking malicious URLS with malware. “Make all new PIN and account passwords different and difficult to guess. Include upper and lower case letters, numbers and symbols to make passwords harder to crack online,” suggested Sunil Sharma, Vice President-Sales and Operations (India & SAARC), Sophos, a global leader in network and endpoint security.
Further, “the Information Technology Act, 2000, needs to be amended to come up with stringent provisions pertaining to a variety of cybercrimes, including banking frauds,” Duggal noted. In the meantime, banks must take a serious note of this incident to concentrate on cyber security and help protect the interest of users and consumers, the experts advised.
IANS