Security breach: Don't ignore banks' advice to change ATM PIN

Leakage of data from ATM due to compromise of systems could lead to fraudulent withdrawal from your account

If you have received an alert from your bank over the past week asking you to change your PIN, don't dismiss it as a routine warning. Do it promptly. Even if you have not received any such alert, change your PIN as a precautionary measure.

According to newspaper reports, banks like HDFC Bank, Yes Bank, Federal Bank and DBS have issued warnings to their customers. "The reason for the warning is the likelihood of a fraud having taken place due to leakage of data from the ATM of a private sector bank," says Sivarama Krishnan, leader-cyber security services, PWC India.

"The leakages are potentially possible due to compromised Hardware Security Module (HSM) and also from ATM machines and ATM users. So, the fear is of a potential PIN compromise, which can lead to a financial loss if your card gets clonedm,” says  Krishnan

When we set our card's PIN, it gets stored in two places: on the card and on the HSM. It is not possible to extract data from the HSM, it can only be verified. This is what makes it more secure than normal databases, where an administrator can access the data. In the latest incident, it is this security that has been breached, explains Krishnan.

Since many of us tend to have the same PIN for multiple uses like credit card, mobile etc, access of the debit card PIN could allow fraudsters to access credit cards or mobile phones as well.

Customers regard using a debit card at an ATM as a safe transaction since the ATM is supposedly monitored by the bank. This is not always the case. About 70 per cent of ATMs in India are running on outdated operating systems (OS), which makes it easier for fraudsters to crack them. "Microsoft withdrew all support to Windows XP about two years back, but many ATMs still run on this OS, which makes them vulnerable to malware and frauds," points out Harshil Doshi, strategic security solutions consultant, Forcepoint, a data privacy and security company. Banks also use ATM machines of different vendors due to which standardisation of networks and technology is not possible. This too opens up the system to possible fraud, says Doshi.

ATMs in remote locations are not necessarily monitored by the bank. "In India banks don't manage the ATMs themselves. They outsource the task to independent companies which in turn outsource it to others. Often, a background check of the third-party service providers is not done. Sometimes security personnel at ATMs could be responsible for the loss," says Krishnan.

Sometimes, fraudsters insert a small drive into the ATM, which then copies and saves any data entered by the customer, like ATM PIN and account number. Then the card is cloned and used to withdraw money. Use the pointers provided in the box to protect yourself against frauds.

PRECAUTIONARY MEASURES

• Change ATM PIN regularly, say after every six months or one year
   
• Avoid using the same PIN for multiple uses
   
• Sign up for SMS alert from your bank, so that you come to know of fraudulent withdrawal immediately
   
• In case of such an event, alert your bank and block your card to prevent further loss