Commercial banks have blocked or recalled 32 lakh debit cards of customers as a “precautionary” measure after being informed of potential risks to those cards following a major security breach at a payment services provider that manages ATM network of a private sector bank.
The finance ministry has sought information about the implication of such security breach from Indian Banks Association.
The National Payment Corporation of India (NPCI) said the complaints of fraudulent withdrawal were limited to cards of 19 banks and 641 customers. “The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI,” AP Hota, MD of NPCI said. State Bank of India has either blocked or is in the process of replacing around 6 lakh debit cards following a malware related to security breach in a private bank’s ATM network. Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have already replaced their debit cards. ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM pin numbers
According to bankers, the security breach happened through a malware allegedly in the systems of Hitachi Payments Services, which serves a private bank. However, Loney Antony, managing director, Hitachi Payment Services, said, “We had appointed an external audit agency certified by PCI in the 1st week of September, to check the security of our systems. The interim report published by the audit agency in September, does not suggest any breach/ compromise in our systems. The final report is expected by mid-November.”
“Necessary corrective actions have already been taken and hence there is no reason for bank customers to panic. Advisory issued by NPCI to banks for re-cardification is more as a preventive exercise,” Hota said. There are a total of 712.39 million debit cards all over India as on August 31, 2016, according to RBI data. Hota said the genesis of problem could be traced to complaints from some banks that their customer’s cards were used fraudulently mainly in China and the US while customers were in India. “Apprehending that this could be a case of card data compromise, all the ATMs and PoS terminals in India and three card networks — RuPay, Visa and MasterCard — worked in a collaborative manner in the month of September 2016. It was established through an analysis that there was a possible compromise at one of the payment switch provider’s system. Based on the analysis, NPCI and other schemes identified the period of compromise and the possible card numbers which could have been compromised during that period,” NPCI said.
“All affected banks have been alerted by all card networks that a total card base of about 3.2 million could have been possibly compromised. Out of this 0.6 million are RuPay cards,” Hota said. Based on the advisory issued by NPCI and other schemes, banks have advised their customers to change their debit card PIN.
According to bankers, 90 ATMs were compromised through malware and these ATMs were transmitting debit card data of customers to fraudsters. The data breach took place between May and July, but was discovered only in September and banks decided to proactively change the cards.
According to an ICICI Bank spokesperson, the possible breach of information of debit cards has taken place in the ATM network of another bank. “As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed … we are using our real-time fraud monitoring systems … .”
Yes Bank said it has undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on its ATMs. “Yes Bank continues to work with relevant stakeholders to ensure utmost safety and security of its ATM network and payment services which are completely safe to use,” Yes Bank MD and CEO Rana Kapoor said.
Mastercard, a payment intermediary, said it was aware of “the data compromise event”. “To be clear, Mastercard’s own systems have not been breached … we are working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation,” it said.
“NPCI, Mastercard and Visa had informed banks about a potential risk to some cards in India owing to a data breach … SBI has taken precautionary measures and have blocked cards of certain customers identified by the networks,” SBI said. Visa said that “It has been informed that some payment cards in India may have been compromised due to suspected breach of payment systems at a service provider …” Visa does not currently process domestic debit ATM transactions in India.