Card check: Latest data leak episode exposes vulnerability of Indian system

The government may be hardselling Digital India based on a robust digital payment infrastructure, but the fact is, without commensurate security, it will be hard to sustain. CERT-In has been advising bodies on security threats, and banks have taken due care. Yet, data breaches of Indian users have increased over the last few years. The newest leak pertains to the information of 1.3 million bank cards that is available for sale on the dark web. Reports indicate 98% pertain to Indian banks—of this, 18% is of one banking entity. Although RBI has swung into action, asking banks to replace all cards and look into the matter, Indian banks need a more proactive approach to security given that this is the third big breach in as many years. In October 2016, 3.2 million cards getting compromised in a similar breach had been reported.

It would be best, from the users’ perspective, to migrate to online systems and payment options. A virtual card or a QR code are much more difficult to decode, but banks also need to push for end-to-end encryption for PoS terminals. As most thefts occur at PoS and ATM terminals, banks need to develop a system where only certain information is exposed and, that too, in encrypted form. More important, cyber checks need to be de rigeur every quarter, not post-crisis. With UPI hitting a billion transactions, and overtaking debit/credit cards, and AEPS becoming a convenient mode, government is moving towards safer modules. But, until a full switch happens, security needs to be top priority.