In what is being described as one of the biggest ever breaches of financial data in India, approximately 32 lakh debit cards in India are thought to be compromised as customers reported unauthorised usage from locations in China.
The banks worst hit by the cybersecurity attack are reported to be State Bank of India, Yes Bank, ICICI Bank and Axis Bank, among many others. The data breach appears to have affected international card issuers such as MasterCard and Visa, along with India’s RuPay. Until August, Indian banks had issued a total of 712.39 million debit cards, according to Reserve Bank of India data — while the number of cards affected by the breach may seem small in comparison, the potential losses could still be significant if a large number of them are exposed to this fraud.
What seems to have happened?
On September 5, some banks came across fraudulent transactions in which debit cards were used in China and the US while the customers were actually in India. Cardholders also detected similar transactions, and the banks subsequently complained to the National Payments Corporation of India (NPCI). The probe by NPCI found a malware-induced security breach in the systems of Hitachi Payment Services, which provides ATMs, point of sale and other services in India. The investigation alleged that the security breach occurred in the ATMs of a particular private bank. On October 20, Hitachi spokesperson Loney Anthony said that an interim report submitted by an independent auditor in September did not “suggest any breach/compromise” in its systems, and that the final report was expected by mid-November.
After the probe found that ATMs had been compromised as early as May 2016, all three service providers — Visa, MasterCard and RuPay — asked banks either to tell customers who could potentially be at risk to change their PIN, or to issue them new cards. Most banks asked customers to change their PIN, and in certain cases blocked the cards and decided to issue fresh ones.
“It’s a security breach, but not in our banks’ systems. Many other banks also have this breach — right now and since a long time,” Shiv Kumar Bhasin, SBI’s chief technology officer (CTO), told TOI, adding that customers who used their cards only at SBI-run ATMs have not been affected by this. Yes Bank said in a statement: “Yes Bank has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on Yes Bank ATMs. Yes Bank continues to work with relevant stakeholders to ensure utmost safety and security of its ATM network and payment services, which are completely safe to use.”
Other major banks, too, issued similar statements and did not comment on who is to blame for the fact that the system is vulnerable to such breaches.
So, what really happened?
There are lots of messages floating around on WhatsApp warning users to ensure that all connections are HTTPS, and reports in the tabloids also indicate that this was an ATM skimming fraud.
After going through what has been published in the tabloids, and drawing on my more than two decades of IT and InfoSec experience plus my discussions with banking industry experts, one thing is very clear: the sheer magnitude of this heist makes it abundantly clear that this was not some skimming fraud or some malware at infected ATMs. Had this been the case, only the respective ATMs would have been affected, and the compromise would not have spread across networks… that too across 19 banks. ATM networks are isolated networks; even if a hacker were somehow able to physically connect to an ATM and inject malware, the question remains: how would this malware send the data out of the ATM network into the waiting arms of the hacker? Plus, there have also been instances of online usage of cards, i.e. CNP (Card Not Present) transactions. It is a known fact that the CVV is not stored on the magnetic stripe or the chip, yet without the CVV it is impossible to do online transactions. When using an ATM, the user enters the PIN, which is different from the CVV. So how did the hacker know the CVV for making those transactions?
My bet is on this… The central systems, or the ATM switch, have been compromised, with malware sitting on them. Almost all banks outsource their payment operations to third parties such as Hitachi. The mechanics of operations are fairly simple. ATM operations of banks are mostly outsourced to third parties who provide the ATMs or POS devices plus the software to run them. When a card is swiped, details from the magnetic stripe on the card are read by the reader on the ATM machine. This provides basic account details and the corresponding bank identification. After the card is read, the PIN is entered to authenticate the transaction.
These outsourced companies are connected to the bank systems, from where they get the bank account and PIN details of the cards. These details are processed on the payment settlement system run by these outsourced companies, and based on the authenticated details, payments are made. These payment settlement systems also have “Ecommerce” modules which process CNP transactions and receive the CVV, so if malware is sitting on these systems, getting the CVV is also not a problem. Once the payment systems are compromised, card details, PINs, limits etc. all reach the hands of scammers.
These details are used to make fake cards. These cards are then handed over to persons who withdraw money from ATMs; many times this operation happens in a coordinated manner across several countries. This seems to be the only way in which a heist of this magnitude can be effected.
Not a few dozen but thousands of ATMs have been infected with malware. Again, this is possible either through malware spreading within the ATM network OR through someone manually infecting those thousands of ATMs and POS devices… and manually infecting thousands of ATMs/POS devices by breaching their physical security is very implausible. There is a third option, which I feel is more plausible: most of the ATMs are managed by outsourced vendors. These vendors use outdated operating systems outfitted with the ATM software and the required drivers. When there is an ATM problem, a small-time engineer drawing a few thousand rupees as a salary is sent to the site, who then follows a checklist to dump a working image on the system to get it going. So, the best way to infect thousands of ATMs is to infect these “images” with malware and then let the engineers do the rest. I sincerely doubt that the ATM outsourced vendors take the time and pain to check these images for malware.
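The re-imaging scenario above is exactly where an integrity check pays for itself: a field engineer should only be able to flash an image whose digest appears in a manifest that the vendor's image-build team has signed. The following is an added illustration, not code from the original post or from any vendor named in it; the manifest layout, the HMAC key and the image bytes are all constructed for the example (a real deployment would use a public-key signature and keep the key in an HSM).

```python
"""Added example (not from the original post): verify an ATM/POS golden image
against a signed manifest before it may be flashed to a machine.

Assumptions (constructed for this example): the vendor publishes a manifest of
approved image SHA-256 digests and authenticates it with an HMAC key held by
the image-build team, not by field engineers. The images are in-memory
stand-ins for real disk images.
"""
import hashlib
import hmac
import json

MANIFEST_KEY = b"constructed-demo-key-not-for-production"  # placeholder key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict, key: bytes) -> dict:
    """Map image name -> digest, then MAC the canonical JSON of that map."""
    approved = {name: sha256_hex(blob) for name, blob in images.items()}
    body = json.dumps(approved, sort_keys=True).encode()
    return {"approved": approved, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose 'approved' list was edited after signing."""
    body = json.dumps(manifest["approved"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def image_is_approved(name: str, image: bytes, manifest: dict, key: bytes) -> bool:
    """Flash only if the manifest is authentic AND the image digest matches it."""
    if not manifest_is_authentic(manifest, key):
        return False
    digest = manifest["approved"].get(name)
    return digest is not None and hmac.compare_digest(digest, sha256_hex(image))


# Constructed sample data: a clean image and a copy with an unapproved change appended.
CLEAN_IMAGE = b"ATM-OS-IMAGE-v7.3" + bytes(64)
TAMPERED_IMAGE = CLEAN_IMAGE + b"<<unapproved change>>"
MANIFEST = build_manifest({"atm-os-v7.3.img": CLEAN_IMAGE}, MANIFEST_KEY)

if __name__ == "__main__":
    print("clean image approved:", image_is_approved("atm-os-v7.3.img", CLEAN_IMAGE, MANIFEST, MANIFEST_KEY))
    print("tampered image approved:", image_is_approved("atm-os-v7.3.img", TAMPERED_IMAGE, MANIFEST, MANIFEST_KEY))
```

Because the digest list itself is authenticated, an attacker who modifies the image cannot simply edit the manifest to match; both the image and the manifest would have to be forged.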
A few questions?
- This hack was detected in the beginning of September 2016. Why was the hack disclosed openly to the public only on Oct 19? My guess is because of SBI, which, being a public limited behemoth, had to disclose the fact.
- Last month, Yes Bank had confirmed that its ATM network manager Hitachi Payments was reviewing its network to rule out any compromise. Hitachi had initiated a detailed audit of its systems through a certified agency, SISA. This is nothing more than an internal audit, and it is very well possible that even if there were findings, Hitachi would have closed them on the side and then denied any negligence. Why had RBI and NPCI not launched an immediate investigation through external auditors? My guess: since these were giants such as ICICI, HDFC, Yes Bank… had this been a UCB, the same would probably have been initiated long back.
- National Payments Corporation of India had warned banks about the possible breach in Hitachi’s systems as early as May, but no action was taken. Why?
- According to current RBI regulations, banks are not required to disclose any security breaches to the public – making it possible for the banks to underplay the extent or impact of data thefts if there is no intervention. It is public money and personal information at stake, so why is India’s premier regulatory organization hesitating to apply this basic requirement? My guess: The primary inference of organizations (BFSI & outsourced partners) is that, as in any Hollywood movie, all asteroids, aliens and superheroes land in the US, therefore this is also the land where all hacks happen; India is safe. Disclosure is simply not mandated so that this false sense of security is not upset, or in the “politically correct” parlance, “We don’t want to start a public panic”… ya rite!!!
Of all the governmental institutions, I have faith in the RBI, which does make an attempt to change things for the better… still laden with bureaucracy and a lack of technical expertise… but still doing something.
Given the names involved, I don’t have much expectation. The RBI working group committee report was a well-written document. But it is still “guidelines” and therefore dismissed by many as “not a mandate… so why should we bother”… this was back in 2011.
There was a “Cyber Security policy” document released in June 2016… but again, this was not a mandate, leaving the banks to take a call on whether to use it or keep it as a pipe dream. A quick look through the document also puts many of the controls beyond the “due requirement” for most banks… which leads me to wonder whether any practical thought process was put behind it, or whether it was written by some senior management bureaucrat who has lost all touch with reality.
What needs to be done immediately
A few suggestions:
- A panel of industry experts who can create a secure banking framework with multiple gradations as per the size and risk appetite of the bank.
- Mandate the SLA requirements from outsourced vendors.
- Mandate the controls which should be in place at the outsourced vendors depending on the process being outsourced.
- Have well defined milestones to grade the security management systems in the banks.
- Mandate disclosure of any and all InfoSec events to the public, and provide for criminal charges in case of non-disclosure.
- Lastly and most importantly, identify third-party consulting companies to conduct periodic audits of banks. Hold these consulting companies responsible and accountable for their work, including financial liabilities in case of negligence.
Our country has great systems and laws in place, but things are chaotic due to a lack of enforcement and effective grievance redressal. India is growing and everything is moving into the digital world. I surely hope that this is a wake-up call for the RBI and NPCI to pull up their socks instead of passing the buck or relying on the political strategy of “Keep quiet… this will also blow away soon”.