Intelligence agencies said CERT-IN had issued warnings of cyber attacks following India’s recent commando operations across the Line of Control in Kashmir.
The concerned agencies seem to be taking comfort from the fact that only a small number of card breaches (641 customers in 19 banks) were reported.
Hackers love unsecured connections, and that is where they like to ‘tap in’, literally into the processes. While the recent malware attacks on ATMs across the country were not unprecedented, considering the scale and the technological possibilities of such attacks, it can be said that the banks were caught completely off guard.
It all began in June, when the Hitachi-owned software used in ATMs of Yes Bank got infected, resulting in a massive data breach that had its source in the US and China. It soon became a matter of grave concern, with alarm bells ringing even in the Prime Minister’s Office.
At the PMO, Gulshan Rai, India’s first cyber security chief, now has a difficult task at hand. He has to find the right balance between manoeuvring the government towards a mature response, not playing down the breach and speeding up action for cyber security. Rai’s concern is that the ‘first-of-its-kind breach’ occurred in the backend systems of the banks and that it forced the re-issue of more than six lakh debit cards.
The finance ministry, too, has woken up to assess the preparedness of banks. Finance Minister Arun Jaitley called for an urgent meeting with representatives from the RBI and other banks on October 24. After the meeting, Jaitley said damage control was being done and that people should not panic. “The breach is contained and there are only limited number of breaches reported. As of now, there is no need for customers to be unduly worried or fear anything untoward,” he said.
Jaitley, however, was not impressed with the presentations given during the meeting and gave the banks 10 days to report back on their cyber security arrangements. The finance ministry has now engaged global payments security experts SISA to conduct a forensic audit of the breach. It is expected to reveal the gaps in systems that involve last-mile transactions at not just ATMs but also point-of-sale terminals and online payment gateways.
While the new report would hopefully give a new perspective on preventing cyber attacks, the writing was on the wall for a while. In June, the RBI had issued detailed guidelines on how to handle lapses in data security or breaches that can fool payment approval checks of the banks. It had asked the banks to self-assess their riskiness while dealing with various technological interfaces and payment gateways and set up a security operations centre to monitor their networks and respond to security threats round the clock.
Acknowledging the CERT-IN’s (Computer Emergency Response Team–India) role in strengthening cyber security arrangements, the RBI had asked banks to adhere to the guidelines the institute had specified and seek its help to frame their own cyber crisis plans. It had also recommended enlisting banks with the National Critical Information Infrastructure Protection Centre (NCIIPC) of the information technology ministry. However, the repeated reminders largely went unheeded.
After the data breach was notified in September by VISA and Mastercard, all major stakeholders, including the National Payments Corporation of India, have been working together to contain the breach. “During this collaborative analysis, it came up that one of the payment switch providers’ system was possibly breached with a malware. Further analysis was done to confirm the period of breach (detected to be about 90 days), and the possible number of 32 lakh ATM cards that were breached were arrived at,” said an NPCI official. As on October 1, there were 67.9 crore debit cards issued by all Indian banks.
So far, the concerned agencies seem to be taking comfort from the fact that only a small number of card breaches (641 customers in 19 banks) were reported. The total amount involved in such fraudulent withdrawals was just Rs 1.3 crore. Of 32 lakh compromised ATM cards, close to six lakh were reported to be RuPay cards. “Necessary corrective actions have already been taken and hence there is no reason for customers to panic. Advisory issued by the NPCI to banks for issuing new cards is more of a preventive exercise,” said A.P. Hota, managing director and CEO of NPCI.
Intelligence agencies said CERT-IN had issued warnings of cyber attacks following India’s recent commando operations across the Line of Control in Kashmir. Agencies like the National Technical Research Organisation and Intelligence Bureau have asked their sleuths to probe the vendor who had contributed in creating the Hitachi Payment Services.
For victims of card fraud, the matter of getting compensation from banks is currently governed by a draft circular on the issue. It suggests that the customer has no liability for unauthorised transactions if they are reported within three days. In cases where the responsibility lies neither with the bank nor with the customer, but elsewhere in the system, the customer’s liability shall be limited to the value of the transaction or Rs 5,000, whichever is lower, if reported within four to seven days. If the delay is more than seven days, the amount of compensation can be decided only with the approval of the bank’s board. “These guidelines are still under public discussion, but this clearly shows the RBI’s preference to protect the banks’ interests over customers,” said Pavan Kumar Vijay, a merchant banker.
The cyber appellate tribunal under the ministry of information technology is the last refuge for victims of cyber fraud. The tribunal is without a chairperson since June 2011. Letters accessed by THE WEEK show that the government is looking at bringing an ordinance to allow a judicial member of the tribunal to discharge the functions of the chairperson. But despite such attempts, the tribunal, which is housed in the centre of the national capital by paying an exorbitant rent (Rs 2.79 crore in 2013-14), remains defunct.
As banks work on new security measures, customers also need to be more careful. “We Indians are a trusting lot,” said Anjuly Chib Duggal, secretary, department of financial services in the finance ministry. “Adhering to good banking hygiene, like changing the card PIN every three months, not sharing card details and registering for mobile banking are a must to protect us from cyber attacks.”