3.2 Million Indian Debit Cards at Risk
Banks Alerted Up to Six Weeks Ago; Investigations Ongoing
The National Payments Council of India confirmed Oct. 20 that more than 3.2 million debit cards issued by Indian banks may have been compromised.
According to NPCI's statement, complaints from banks of fraudulent transactions perpetrated primarily in China and the United States led to an investigation of the issue in early September by the three major card networks in India - NPCI's RuPay, Mastercard and Visa. Following subsequent analysis, banks were alerted that 3.2 million cards may have been compromised. Of these, about 600,000 are NPCI's RuPay cards.
Investigators believe the compromise was caused by a malware infection on a payment switch provider's system. Audits and investigations are ongoing at banks and third parties, sources say.
In all, the number of customer complaints regarding fraudulent transactions stands at 641 from 19 banks, and the total amount involved is Rs 1.3 crore ($214,000). NPCI is a quasi-public, umbrella organization for all retail payments systems in India that connects the country's ATM network and runs the RuPay payment card brand (see: NPCI's Head of Risk Bharat Panchal on Fraud and Cybersecurity Linkages).
Following the media furor since the news snowballed on Oct. 20, the Indian finance ministry has asked the Reserve Bank of India and NPCI to submit detailed reports on the compromise, according to some news reports. The RBI has also separately asked affected banks to share details on the number of cards compromised and the amount of funds lost.
Sources close to the investigation tell Information Security Media Group that of the 3.2 million cards believed to be at risk, fewer than 1,000 have actually been used fraudulently. However, because the compromise appears to have taken place at a payments switch - which is believed by investigators to have been infected by a customized sniffer malware - details of millions of cards are at risk.
But because the fraudsters also need the PIN code, which is completely encrypted at the ATM PIN pad itself within the ATM hardware security module when a user enters the PIN, experts believe fraudsters are sourcing these via other methods, such as skimming and vishing. That's why the apparent number of victims is dramatically lower than the number of cards believed compromised.
Multiple experts with knowledge of the investigation tell ISMG that leading Indian banks, including SBI, HDFC, ICICI and Axis Bank, have had debit cards compromised. Following NPCI's advisory, SBI blocked and reissued 600,000 cards as a precautionary measure.
The issue has been on NPCI's radar since early September, when it received complaints from banks of their customers' cards being fraudulently used overseas. Fearing a card data compromise at ATMs and POS terminals, an investigation to determine the period of compromise and the number of affected cards was initiated.
A. P. Hota, managing director and CEO of NPCI, says in its statement: "Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic. Advisory issued by NPCI to banks for re-cardification is more as a preventive exercise."
The compromise is widely believed to have originated on a payments switch run by third-party ATM service provider Hitachi Payment Services for Yes Bank, according to news reports and sources.
However, Loney Antony, managing director at Hitachi Payment Services, says in a statement: "We had appointed an external audit agency certified by PCI [the Payment Card Industry's Security Standards Council] in the first week of September, to check the security of our systems for any compromise based on a few suspected transactions that were highlighted by banks for whom we manage ATM networks. The interim report published by the audit agency in September does not suggest any breach/compromise in our systems. The final report is expected by mid-November."
A Yes Bank spokesperson tells ISMG that the bank had proactively undertaken a comprehensive review of its ATMs, and that there is no evidence of a breach or compromise.
K.K. Mookhey of NII Consulting, which is investigating an ATM switch malware issue at another one of the affected banks, suspects it is related to the same case as at Hitachi Payment Services, but declined to comment on the specifics of the case, citing ongoing investigations. ISMG contacted SISA Infosec, the agency auditing Hitachi Payment Services, which declined to comment.
Information security strategist Onkar Nath says ensuring security when outsourcing ATM operations to service providers is the major issue here. He and several other experts have expressed concerns that a compromise involving so many cards may mean a large database at a third-party service provider may have been compromised, rather than this being a switch malware issue. "Service providers both on-site and off-site are getting exploited because of their need to have internet access to provide services, which wasn't the case when these ATMs were managed internally by the banks," he says.
Lack of Breach Disclosure Fuels Confusion
Given that India has no statutory breach disclosure norms, none of the affected parties need to make the details of such breaches public. Moreover, pinning responsibility is not going to be easy because all service providers and major banks identified as having "at risk" cards have released statements claiming their systems are secure. The prevailing confusion has meant that finding the source of the breach will remain challenging.
Mumbai-based Dinesh Bareja, COO of Open Security Alliance and founder of IndiaWatch, asks: "Why are breaches being suppressed? Such frauds affect bottom lines and need to be communicated to all stakeholders. Why isn't law enforcement in the picture in this case? The judiciary or law enforcement needs to take suo moto [proactive] action." Because of the lack of law enforcement involvement in the investigations, any related evidence is now contaminated, he contends.
Mumbai-based cyberlaw expert Prashant Mali says banks need to be held responsible for the compromise of customer data and must compensate account holders for ongoing frauds which are costing ATM users money. Bank liability, based on previous court precedents, is usually decided on a case-by-case basis in India.
"The data belongs to the customers of banks and banks are just the custodians. It is the moral and legal responsibility of the banks to inform customers when a breach affecting their holdings takes place, under section 43(A) of the IT Act 2000," he says. Given that the payment switch provider appears to be PCI-compliant, the certifying agency needs to be held culpable as well, he says, although there is currently no precedent for that in Indian case law.