Tackling cyber threats: Debit card breach shows India's vulnerability to data theft

Debit card breach shows India's vulnerability to data theft

It is said that there are two types of Internet users — those who have been hacked, and those who will be hacked. That is why, more alarming than the recent suspected security breach of over 6.5 million debit cards issued by at least 19 different banks is the fact that the Indian financial system is still not wise enough to create adequate security and damage-control systems to cope with such a possibility. Multiple agencies are investigating, but the dimensions of the damage are not yet fully apparent. There are reports that hackers from China may have been involved. The leak may have started with a hack of some ATMs; it is possible that either the databases of some banks or the payment gateways of some card issuers were compromised. Senior officers have made reassuring noises and it is likely this specific breach will be diagnosed and plugged. Banks, insurers and other financial service providers, will tot up the losses and write them off. Meanwhile, affected citizens will have to live with inconvenience and hope they don't suffer financial loss.

But here is the worrisome bit. Similar breaches will happen in future, the question is when, not if. That is because the financial system is highly connected. There are multiple databases containing sensitive information. There are over 600 million Indian debit cards in circulation, 26 million credit cards and 130 million mobile wallets. These bases are interlinked, and any or all may have exploitable vulnerabilities. The Unified Payment Interface is accessible to bank account holders with smartphones, and multiple financial and personal data are linked to Permanent Account Number and Aadhaar, which are two databases that are accessible to thousands of government servants. Moreover, there are devices such as ATMs and points of sale card readers scattered across multiple locales. Millions access banks online on possibly insecure connections. Any of these is potentially a weak spot. In addition, there are possibilities of phishing, or social hacking, where gullible persons are persuaded to provide personal details.

First world countries with sophisticated financial security systems routinely see databases being compromised, along with incidents of identity theft and social hacking. These nations have developed coping mechanisms such as strong data protection laws and systems for assigning clear liability for breaches. Databases are also designed to silo information such that one database being compromised does not lead to other databases being hacked. First world nations also have mechanisms, including call centres operating out of India, to enable rapid reporting of financial cybercrime and identity theft. Financial service providers and governments have developed clear, authenticated communication systems to inform affected persons and aid them to change PINs and passwords. 

India lacks many such mechanisms. For one, there is no specific data protection law. It is also unclear whether the PAN and Aadhaar databases are in secure silos. Systems do exist for reporting cybercrime and identity theft, but these are not well publicised. The Digital India Initiative and the drive to put government services and financial systems online are laudable. These could make life easier for everybody. But that, unfortunately, includes the category of cyber criminals. Privacy breaches like the one at present not only dent consumer confidence but also highlight the need to develop coping mechanisms.