In what is being described as one of India's biggest financial hacking attack, according to news reported yesterday, at least 3.2 million debit cards issued to Indian users were compromised. Probes and investigations into the hacking have been ordered by the concerned institutions, including the the Reserve Bank of India. Here is a look at the sequence of related events.
What did the debit card hack do?
Some debit card holders filed complaints with their respective banks, reporting that their cards were being used without authority at locations in China. When the National Payment Council of India (NCPI) began looking into the matter, it found that a malware had crept into the servers of YES bank, SBI, HDFC, ICICI, and Axis Bank.
The malware had affected over 32 lakh debit cards. SBI alone blocked 6 lakh cards as a measure of precaution, assuring customers that replacement cards would be issued immediately. According to reports, it took almost six weeks to identify the scale of fraudulent activities. The affected cards had mostly been issued by Visa and Mastercard, along with a much smaller number of RuPay cards.
"We have received complaints from banks about debit cards being used in China which aroused suspicion," NPCI Managing Director AP Hota told Trak. "Though most of the suspected fraudulent transactions happened in the Visa and MasterCard network, we thought a whole a forensic audit of the entire network will help us find out where the compromise happened."
How did the hack happen?
A report published in the Economic times claims that all the affected cards had been used in ATMs made by the Hitachi corporation. According to the website, Trak.in, a malware crept into a Yes Bank ATM in Himachal Pradesh and subsequently made its way through to servers of other banks.
Most malware creep into networks through a vulnerability in their security system. While it is possible that a physical device might be used to inject a malicious piece of software code into the system, it is unlikely in this case as the servers were situated in China and there are physical locks on an ATM machine.
When someone makes a request to withdraw money at an ATM, it goes to a device called Link which switches networks depending on which bank's card is being used.
A malware in a bank's ATM machine or a network can access transaction details and even server details of that bank. And then hackers can try and breach the security to gain information about the bank and attack its servers.
However, all the banks involved are denying that the security in their own networks was breached, and are claiming that the incident took place because of third-party or white label ATMs.
"The breach occurred in the case of customers who have used certain non-Axis Bank ATMs," a spokesperson for Axis Bank said. "Over the last few weeks, Axis Bank has proactively reached out to the affected customers and advised them to change their Debit Card PINs. The Axis Bank ATM network is fully secured and customers should ideally use Axis Bank ATMs to change their Debit Card PINs."
"We are aware of the data compromise event. To be clear, Mastercard's own systems have not been breached," a spokesperson for Mastercard said in an e-mailed statement.
What happens next?
For the affected customers, the banks are issuing new debit cards to ensure there is no further damage. If you are a customer of any of the affected banks, you should contact the bank as well as change your ATM PIN at your own bank's ATM.
While all the banks are running audits on their networks and servers to identify the root cause, NCPI has ordered a separate investigation as well. Banks are also advising their customers to avoid using the non-bank ATMs until investigations are complete.
(With inputs from Rimin Dutt)