Though affected banks are downplaying the impact of the 3.2 million debit cards felt to be at risk following a data breach last month – SBI is replacing 6 lakh cards and some banks have advised customers to change their PINs and not use third-party ATMs – RBI would do well to do a complete audit including regular/surprise tests to check the resilience of banks to cyber attacks of the sort that are becoming increasingly regular across the world.
The response system has narrowed the breach to 90 ATMs of a private bank where these 3.2 million cards were used and has identified the transactions as originating from the US and China – what is more worrying is that the breach is supposed to have taken place last month while it is only now being made public.
While several banks have said their systems are secure, a recent speech by RBI Deputy Governor SS Mundra suggests some of this may be whistling in the dark, something cyber-security firm Symantec also alluded to some months ago.
While talking of Suckfly, Symantec talked of the attacks in India carrying on over 2014 and 2015 and said they had affected one of India’s largest financial organizations, a large ecommerce company, one of India’s top-5 IT firms, as well as two government companies including one that implemented ‘network software for different ministries and departments within India’s central government’ – the report had data on the ‘infection rate’ for each organization.
While talking of the increased cyberthreat to financial organizations – recall the attempted $1bn heist from Bangladesh Bank earlier this year – Mundra gave a similar example in India; while the attempt was foiled, as he said, ‘the incident has reinforced the fact that the various stakeholders have not learnt the lessons yet’.
In the case of a shared mobile wallet, rushing through a hackable product resulted in Rs 12 crore of transfers being reversed back to the sender without a corresponding debit in the recipient’s account; and when an e-payment validation website of a large bank was hacked, ‘the bank was not aware of the incident till it was notified by a law enforcement agency’.
Mundra also spoke of how the system of physical controls over data systems was lax: passwords were often shared and in many cases no passwords were even being used – ‘customer information’, the RBI DG says, ‘is stored at vendors’ facility without adequate safeguards’.
For a country that is supposed to be very vulnerable to cyber-terrorists and which perceives a serious threat of malware and trapdoors in Chinese equipment especially, this suggests an unacceptably relaxed approach.
While the authorities have their own reasons for not making public the name of the bank involved in the debit-card data breach, they need to ensure that all financial institutions, and their vendors, are as secure as can be – the possibility of breaches through customer phones and computers is also real and also needs to be dealt with by, for instance, ensuring no transactions go through phones whose IMEI numbers are not registered and/or linked to an Aadhaar number.