There has been a massive ATM card breach in India with 3.2 million debit card details (card number and pin code) being stolen. The news broke yesterday when State Bank of India blocked around half a million debit cards. Soon it came to be known that State Bank of India was not the only victim. Almost all banks that use Hitachi Payment Services have fallen victim to this serious ATM card breach. The vulnerability has been located to Hitachi Payment Services, that manages the ATM network processing for these banks and the hackers have exploited this vulnerability by planting a malware in these systems. Some of the other banks that are worst hit are Axis Bank, Yes Bank, HDFC Bank and ICICI Bank.
Prima facie it looks like the breach has occurred but some of the banks are still maintaining that no data leakage has occurred. The breach came to be known when victims started reporting unauthorized usage of their ATM cards from locations in China. This is for the first time that such a huge number of card details have been stolen in India. However, it still forms a fraction of the total debit cards issued across India that stands at 600 Million.
What is this security breach? I am unable to understand it!
Security breach means when an unauthorized person gains access to confidential systems and networks thereby getting access to sensitive data. In this case the breach means that cyber criminals have been able to exploit vulnerability in Hitachi Payment Systems thereby getting access to confidential debit card details of people who have used their card in these ATM machines.
How big is this ATM card breach?
As per news, the breach is quite huge with hackers stealing around 3.2 million card details. Few customers have also reported unauthorized transactions that have been located to China.
Which cards are affected?
Around 3.2 million cards have been affected. Out of these 3.2 million, 2.6 are on Visa and MasterCard platforms, while 600,000 are based on RuPay platform. The worst hit banks include State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis Bank.
Source: Economic Times
How much money has been stolen?
The ATM card breach is reported to have occurred a month ago. While customers have reported unauthorized transactions but the overall loss is being said to be minute.
How do I get to know if my Card details have been stolen?
It is a futile exercise trying to know if your card details were stolen. What really matters is that your money should be safe. Incase your account is showing unauthorized transactions, report it to your bank immediately. The RBI has issued a new circular as per which the banks will have to reimburse all such transactions that have occurred as a result of data breach.
SBI has blocked my card. Does that mean my details have been stolen? Has my money been stolen?
Yes and No! Well, SBI has blocked around half a million cards as precautionary measure which means that these cards were identified as potential victims. Whether the details were stolen in reality or not, nobody can tell that. It does not mean that your money has been stolen or will be stolen. Check your transaction details to look for any unauthorized transactions. Take precautionary measures (explained ahead) and follow a good cyber hygiene.
I see unauthorized transactions in my account. What should I do?
Immediately get your debit or ATM card blocked. Approach your bank and register a complaint. If you don’t inform your bank, you cannot hold bank liable at a later stage. You need not worry as most probably your money will be reimbursed by the bank. As per an RBI circular, banks are responsible for security of the debit cards issued by them. Therefore, if any ATM card breach occurs, it is their responsibility to bear the loss. In cases where transaction has placed without the authentication from the customer and duly has been complained by the customer, the bank will have to reimburse the customer.
In a recent circular on customer protection issued by RBI, the RBI has mentioned that a customer will not be held liable where fraud or negligence is on the part of the bank or has occurred due to third-party breach where the customer notifies the bank within three working days of receiving a communication from the bank on any unauthorized transaction. The circular says “Where customer’s own involvement is not clearly established, customer liability will be limited to a maximum of Rs5,000 if she reports within 4 to 7 working days and if customer reports beyond 7 working days, customer liability will be determined based on bank’s Board approved policy,” RBI said in the circular.
What precautions should I undertake to prevent theft of my details?
Well, in this case the vulnerability was in ATM machine services and you can’t do pretty much about it. However, in spite of you not being at any fault, you should develop a good cyber hygiene. If you are a victim of this breach, most likely your card would have been blocked by now. Even if you are not a victim of this breach or don’t have ATM cards of any of the above mentioned banks you should still change your ATM pin immediately. In fact you should change your ATM pin code every 4-5 months. Secondly, do not share your card and pin details with anyone in person, phone or over the internet.
For future safety, set the limit on the daily transaction on your card. Banks do provide this option which is a very good precautionary step to prevent loss of a large sum. Also get transaction alerts activated in your account. RBI has mandated banks to send alerts through SMS and emails to customers so that they come to know of any unauthorized transaction. Enable 2 Factor Authentication on all of your accounts. This feature prevents from hackers accessing your accounts even if they get hold of your details.
Timeline of ATM Card Breach
The breach is believed to have taken place about a month ago. This all started when many people in India reported unauthorized transactions through their debit cards. These transactions are said to have been traced to China and US. Immediately after this brief episode thousands of people in India started receiving SMS from their respective banks that they need to change their ATM card PIN number. The SMS also informed them that their international transaction limit was reduced to Rs 7000. The reasons for the same were not informed.
On 19th of October, Times of India broke the news that State Bank of India had blocked around 6 lakh debit cards because of a data breach. The report further stated that breach occurred due to a malware found in the non-SBI ATMs. Later it was pinpointed to Hitachi Payment Services based ATM machines. The TOI quoted Shiv Kumar Bhasin ( Chief Technology Office, SBI) as saying, ” It’s a security breach, but not in our banks’ systems. Many other banks also have this breach — right now and since a long time, few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised”. As the news came out in the main stream media, people started panicking.
In the wee hours of 20th October, the news started breaking that a massive breach affecting 3.2 million debit cards has taken place. The details started coming out. Not only SBI was affected but other major banks including ICICI bank, YES bank, HDFC Bank, and AXIS Bank were also affected. The PTI quoted an RBI official saying that Central Bank is seized of the matter and is looking into it.
As per a statement given by A.P Hota, MD & CEO, National Payments Corporation of India (NPCI), “Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic”. Later NPCI issued an advisory and a statement which mentioned that banks have been asked to re-issue debit cards as a preventive measure. The statement further said that, “All affected banks have been alerted by all card networks that a total card base of about 3.2 million could have been possibly compromised.”
Hitachi, the company that operates the affected ATM machines also issued a statement that it had appointed an external audit agency certified by Payment Card Industry (PCI) in the first week of September, to check the security of systems for any breach or compromise based on a few suspected transactions that were highlighted by banks for whom it manages ATM networks.