Tuesday, 25 October 2016

The Big Billion (Data) Breach


By: Gursahib Singh Buttar
Last week, on Thursday, 20th October 2016, the whole nation faced its biggest data breach to date, exposing the debit card details of nearly 3.2 million cardholders across multiple financial platforms and banks. Of the 3.2 million debit cards, 2.6 million are powered by Visa or MasterCard and the remaining 600,000 work on India’s own RuPay platform. The biggest banks hit by this breach include State Bank of India (SBI), HDFC Bank, Yes Bank, ICICI Bank and Axis Bank. All of these banks have reported the breach to the RBI, and the rest have been requested to check for a breach and report it immediately.

Hackers used malware to compromise the Hitachi Payment Services platform, which is used to power the country's ATMs, point-of-sale (PoS) machines and other financial transactions, in order to steal debit card details. It is not yet clear who is behind the cyber-attack, but reports have been filed that a number of affected customers have observed unauthorized transactions made with their cards in various locations in China.
Bank cards that use a magnetic stripe transmit your account number and secret PIN to merchants, which could make it easy for fraudsters to hack them and makes these cards easier to clone. In contrast, EMV (Europay, MasterCard, and Visa) chip-equipped cards, better known as Chip-and-PIN cards, store your data in encrypted form and transmit only a unique code (a one-time-use token/password) for every transaction, making these cards more secure and a lot harder to clone.
SBI CTO Shiv Kumar Bhasin said: "It's a security breach, but not in our bank's systems. Many other banks also have this breach—right now and since a long time. A few ATMs have been affected by malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised."
MasterCard also denied that its systems were breached, issuing the following statement: "We're aware of the data compromise event. To be clear, MasterCard’s own systems have not been breached. At MasterCard, safety and security of payments are a top priority for us and we're working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation."
SBI has announced that it will re-issue the 600,000 compromised debit cards free of cost, which could take up to 3 weeks. Other banks, on the other hand, have urged their customers to change their ATM PINs and avoid using ATMs of other banks, along with some other important instructions. You can check these instructions here, published in Hindustan Times.
Meanwhile, the Payments Council of India has ordered a forensic audit on the Indian bank servers to measure the damage and investigate the origin of the cyber-attack. Bengaluru-based payment and security specialist SISA will conduct the forensic audit.
