Battling Cyber Threats: India's ATM Security Challenge
Paragraph 1
Hackers love unsecured connections, and that is where they like to ‘tap in’, literally into the processes. Intermittent malware attacks on ATMs across the country have very often caught the banks completely off guard. It all began in June 2016, when a Hitachi-owned software used in ATMs of a reputed private bank got infected, resulting in a massive data breach that had its source in the US and China. It soon became a matter of grave concern, with alarm bells ringing even in the Prime Minister’s Office.
Paragraph 2
At the PMO, the cyber security chief, has a difficult task at hand. He has to find the right balance between manoeuvring the government towards a mature response, not playing down the breach and speeding up action for cyber security. The cyber security chief’s concern is that the ‘first-of-its-kind breach’ occurred in the backend systems of the banks and that it forced the reissue of more than six lakh debit cards. The finance ministry, too, has woken up to assess the preparedness of banks. The Finance Minister called for an urgent meeting with representatives from the RBI and other banks. After the meeting, the Finance Minister said damage control was being done and that people should not panic. “The breach is contained and there are only limited number of breaches reported. As of now, there is no need for customers to be unduly worried or fear anything untoward,” he said.
Paragraph 3
The Finance Minister, however, was not impressed with the presentations given during the meeting, and instructed the banks to submit an exhaustive report on their cybersecurity arrangements. The finance ministry has now engaged global payments security experts SISA to conduct a forensic audit of the breach. It is expected to reveal the gaps in systems that involve transactions at not just ATMs but also point-of-sale terminals and online payment gateways. While the new report would hopefully give a new perspective on preventing cyber-attacks, the writing was on the wall for a while. In June 2016, the RBI had issued detailed guidelines on how to handle lapses in data security or breaches that can fool payment approval checks of the banks. It had asked the banks to self-assess their riskiness while dealing with various technological interfaces and payment gateways and set up a security operations centre to monitor their networks and respond to security threats round the clock.
Paragraph 4
Acknowledging the CERT-IN’s (Computer Emergency Response Team - India) role in strengthening cyber security arrangements, the RBI had asked banks to adhere to the guidelines the institute had laid down and seek its help to frame their own cybercrisis plans. It had also recommended enlisting banks with the National Critical Information Infrastructure Protection Centre (NCIIPC) of the information technology ministry. However, the repeated reminders largely went unheeded. After the data breach was notified in September 2016, by VISA and Mastercard, all major stakeholders, including the National Payments Corporation of India, have been working together to contain the breach. “During this collaborative analysis, it came up that one of the payment switch providers’ systems was possibly breached with a malware. Further analysis was done to confirm the period of breach (detected to be about 90 days), and the possible number of 32 lakh ATM cards that were breached were arrived at,” said an NPCI official. As on October 1, 2016, there were 67.9 crore debit cards issued by all Indian banks.
Paragraph 5
So far, the agencies concerned seem to be taking comfort from the fact that only a small number of card breaches (641 customers in 19 banks) were reported. The total amount involved in such fraudulent withdrawals was just `1.3 crore. Of the 32 lakh compromised ATM cards, close to six lakh were reported to be RuPay cards. “Necessary corrective actions have already been taken and hence there is no reason for customers to worry. Advisory issued by the NPCI to banks for issuing new cards is more of a preventive exercise,” said the CEO of NPCI. Agencies like the National Technical Research Organisation and Intelligence Bureau have asked their sleuths to probe the vendor who had contributed in creating the Hitachi Payments Services.
Paragraph 6
For victims of card fraud, the matter of getting compensation from banks is currently governed by a draft circular on the issue. It suggests that the customer has no liability for unauthorized transactions if they are reported within three days. In cases where the responsibility lies neither with the bank nor with the customer, but elsewhere in the system, the customer’s liability shall be limited to the value of the transaction or `5,000; whichever is lower, if reported within four to seven days. If the delay is more than seven days, the amount of compensation can be decided only with the approval of the bank’s board. The cyber appellate tribunal under the ministry of information technology is the last refuge for victims of cyber fraud. The tribunal is without a chairperson since June 2011. The government is looking at bringing an ordinance to allow a judicial member of the tribunal to discharge the functions of the chairperson. But despite such attempts, the tribunal, which is housed in the heart of the national capital, paying an exorbitant rent (Rs. 2.79 crore in 2013-14), remains defunct.
Paragraph 7
As banks work on new security measures, customers also need to be more careful. “We Indians are a trusting lot,” said a secretary in the finance ministry. “Adhering to good banking hygiene, like changing the card PIN every three months, not sharing card details and registering for mobile banking are a must to protect us from cyber-attacks,” he added.
