3.2 billion debit cards face security breach

Of the cards, 2.6 million are said to be on the Visa and Master-Card platform and 6,00,000 on the RuPay platform

3.2 billion debit cards face security breach

In what appears as a biggest ever breaches of financial data in India, banks in India are opting risk management options for as many as 3.2 million debit cards. This comes after several victims have reported unauthorised usage from locations in China.

Of the cards, 2.6 million are said to be on the Visa and Master-Card platform and 6,00,000 on the RuPay platform, The Economic Times reported. The worst hit banks are the State Bank of India (SBI), HDFC Bank, ICICI Bank, YES Bank and Axis Bank, the report added. In the risk management options, banks can either replace the card or ask users to change the security code of their card.

According to a report in Times of India, the breach is said to have originated in malware introduced in the systems of Hitachi Payment Services, which manages ATM network processing for YES bank. This breach enables fraudsters to steal information which in turn allows them to steal funds.

It has been reported that the matter came to light in July and the reason why a bank with such small number of ATMs impacted a large number of banks is that it sees a large number of third-party transactions on its machines.

"Data processes of one private bank was compromised which affected other banks' customers well. Customers who used that bank's ATM stand to get potentially affected," a public sector banker was quoted as saying by PTI.

When asked about alleged lapses on its ATM network, a Yes Bank spokesperson told HDFC, "Proactively undertaken a comprehensive audit of ATMs, and there is no evidence of a breach or compromise on ATMs. We continue to work with relevant stakeholders, including other public sector and private banks, and NPCI, to ensure utmost safety and security of ATM network and payment services which are completely safe to use."

Following the large-scale breach, a forensic audit has now been ordered by Payments Council of India on Indian bank servers and systems to detect the origin of frauds that might have hit customer accounts. NPCI Managing Director AP Hota said, "We have received complaints from banks about debit cards being used in China which aroused suspicion."

"Though most of the suspected fraudulent transactions happened in the Visa and MasterCard network, we thought a whole a forensic audit of the entire network will help us find out where the compromise happened," he said.

Amongst other banks, Axis bank has asked its customers to change their ATM pin. While HDFC bank has taken a forward step, advising its customers to only use HDFC ATM as they “believe security controls at some of the other bank ATMs may not be at par with HDFC Bank ATMs,” a spokesperson said. He added that, "We take this opportunity to reiterate that it's always prudent  to change ATM PINs from time to time. It prevents misuse."

The Times of India had reported on Wednesday that SBI would reissue 600,000 debit cards following a malware-related security breach. SBI has asked customers to change their PIN numbers as well. "Based on the complaints we have received, we are suspecting a compromise on the non-SBI ATM network which could include various white-label ATM service providers," SBI Chief Information Officer Mrutyunjay Mahapatra told ET.

According to the reports, banks had been receiving multiple complaints from customers about cards being used in China at various ATMs and point of sale terminals. They in turn, alerted Visa and MasterCard.