NPCI assures customers of safety of their debit card data
The breach in national debit card data has shaken the banking industry into swift action. More than 32 lakh debit cards have been blocked or recalled by banks to prevent them from falling prey to any financial fraud after the detection of a major security breach at a payment services provider that manages ATM network of a private sector bank.
The suspected security breach happened through a malware in the systems of Hitachi Payments Services, which serves YES Bank. Hitachi provides payment services through ATM services, the point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines. According to bankers, the breach took place in such a way that anyone using the said bank’s ATMs in the region might stand to get affected.
To ward off an incident like this, Yes Bank’s managing director and chief executive Rana Kapoor underlined the need for a greater vigilance on outsourced work. “There needs to be a lot more vigilance where there are outsourcing partners to make sure they don’t endanger the delivery and system risk, and there’s a fair amount of policing as far as outsourcing risks are concerned.”
While some of the banks like SBI have recalled six lakh cards, others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have already replaced their debit cards which are affected as a pre-emptive measure
Some of the lenders like ICICI Bank, HDFC Bank, and Yes Bank have asked customers to change their ATM pin numbers. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.
Domestic payment gateway National Payments Corporation of India (NPCI) has urged debit card customers not to panic as all necessary steps have been initiated to deal with the breach of their card-related data. According to a statement issued by the NPCI, 641 customer complaints from 19 banks have been received and the amount involved is Rs. 1.3 crore
“Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic,” said A.P Hota, MD & CEO, NPCI. The advisory issued by the NPCI to banks for re-issue of cards is more a preventive exercise, he added.
According to RBI regulations, if a customer is not responsible for a fraudulent transaction, the bank is liable to pay compensation. Cyber law expert Pawan Duggal said, “The law is very clear. All banks are intermediaries under the Income Tax Act. Under Section 79 of the Act, they are mandated to do due diligence.”
In case banks are negligent in doing this, leading to a loss, it is the banks that will have to bear the brunt of the loss, Duggal added. However, a bank may not be liable if it asks the customer to change his or her PIN but the customer chooses to ignore the advice.
The NPCI statement said, “All affected banks have been alerted by all card networks that a total card base of about 3.2 million could have been possibly compromised.” The total debit card base of the country is 697 million.
Suspecting that it could be a case of card data compromise, all the three payment gateways that operate in India — RuPay, Visa, and MasterCard — swung into action in September.
“It was established through the analysis after such frauds were reported that there was a possible compromise at one of the payment switch provider’s system. Based on the analysis, NPCI and other schemes identified the period of compromise and the possible card numbers which could have been compromised during that period,” the NPCI statement said.
The country’s largest bank, State Bank of India (SBI), which is in the process of replacing over 0.6 million debit cards, corroborated the NPCI’s views.
“Card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, State Bank of India (SBI) has taken precautionary measures and has blocked cards of certain customers identified by the networks,” the SBI said in the statement.
Reputed Japanese company Hitachi, which manages ATM networks for some banks, said it had appointed an external audit agency certified by Payment Card Industry (PCI) in the first week of September to check the security of systems for any breach or compromise based on a few suspected transactions that were highlighted by its client banks.
Yes Bank has appointed a Certified Information Systems Auditor (CISA) for a forensic audit of its systems and processes. “Yes Bank has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on Yes Bank ATMs,” the bank said in a statement.
“Yes Bank continues to work with relevant stakeholders to ensure utmost safety and security of its ATM network and payment services which are completely safe to use,” it added.
In view of the latest debit card data fraud, Symantec Corporation’s Managing Director (India) Shrikant Shitole has recommended that “Consumers should consider frequently changing their passwords used for any financial transactions through accounts such as net banking, debit or credit cards or even mobile wallets.”
Account holders should use strong passwords, change them every three months, and never reuse a password. “Opening the wrong attachment can also introduce a malware to your system. Never view, open or copy email attachments unless you are expecting the email and trust the sender,” Shitole cautions.
Saket Modi, co-founder of cybersecurity firm Lucideus, suggests that instead of having just one debit card, consumers should keep at least 3-4 cards and use the one with the least balance while shopping outside. Modi recommends using the safe banking features that provide the option of generating virtual credit or debit cards with a set spending limit, valid only for one-time use. Alternatively, switch to the United Payments Interface, which is considered safer than debit cards.