PMO lens on debit card security breach probe

Concern highlights the fact that, unlike previous ATM frauds, current one might have far more serious repercussions and systemic risk

As the call for a detailed investigation into the security breach of 3.2 million debit cards heats up, the Prime Minister’s Office (PMO) has stepped in to ascertain the quantum of risk.

A P Hota, managing director of National Payments Corporation of India (NPCI), said Gulshan Rai, cyber security chief under the Prime Minister’s Office, had called to know about the security breach. “All the banks and other stakeholders are cooperating and are regularly in touch with each other and the agencies,” he said.

PMO's concern underlines the fact that unlike the previous ATM fraud attacks, the current data compromise might have far more serious consequences as it signals systemic risk.

ATM or automated teller machine is an electronic banking outlet, which allows customers to complete basic transactions without the aid of a branch representative or teller. Anyone with a credit card or debit card can access most ATMs.

Even Finance Minister Arun Jaitely said his ministry has sought a report on the issue. The Reserve Bank of India (RBI) has also asked banks and other stakeholders for updates.

“The government is concerned about the matter and reports have been sought from RBI and banks to know what exactly happened. A preliminary input has already come and the government is awaiting for the final report,” said Shaktikanta Das, secretary, economic affairs.

According to reports, the systems of Hitachi Payment Services were infested with malware that helped miscreants steal personal information and do fraudulent transactions. Hitachi Payment Services denied the malware infection took root in its systems. A detailed forensic audit is being conducted by SISA, payments security specialist, and the results are expected by the first week of November.

In what is being termed as the biggest data fraud in the banking sector, so far complaints of fraudulent withdrawals have been reported on 641 cards across 19 banks.

Apart from the government and national agencies, even the PCI Security Standards Council, an international agency, is probing the issue.

In the meantime, banks have stepped in and issued advisory notices to customers to change the personal identification numbers (PINs) of their cards. Some lenders have asked their account holders to use only their bank ATMs.

The banks are also likely to refund the loss arising out of these fraudulent transactions as customers cannot be held liable for any loss. According to NPCI, the amount withdrawn from various accounts is about Rs 1.3 crore.

The malware was reportedly found in the processors of Hitachi Payment Services’ central switch, which operates most of YES Bank and some other ATMs owned by non-bank entities.

However, both YES Bank and Hitachi said there was no breach or compromise at their end.
FULL ALERT

• 3.2 mn debit cards compromised in India's largest banking security breach
   
• Probe widens with the Prime Minister’s Office stepping in
   
• 12,000 frauds, related to credit and debit cards and net banking, were reported by Indian banks in 2015, govt told Parliament earlier in 2016
   
• 697 mn debit cards Indian banks had issued as of July, a small number compared to many other countries
   
• 10 digital transactions per person in India versus 163 in Brazil, 429 in Sweden, says a Visa study
   
• Indians are already suspicious of electronic payments and the country is largely a cash economy