DEBIT CARD FRAUD HOW HAPPENED?


Kannan Bargavan

Oct 22, 2016, 9:38:14 AM
to astrobargav
Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now



Khushboo Narayan

The Indian Express

Published on October 21, 2016




Indian Express explains one of the biggest data security breaches in
Indian banking, situates it in the context of the rising threat from
cyber crime.



New Delhi, October 20: On Wednesday, India’s largest bank, State Bank
of India, said it had blocked close to 6 lakh debit cards following a
malware-related security breach in a non-SBI ATM network. Several
other banks, such as Axis Bank, HDFC Bank and ICICI Bank, too have
admitted being hit by similar cyber attacks — forcing Indian banks to
either replace or request users to change the security codes of as
many as 3.2 million debit cards over the last two months.



How did the crisis begin and unfold?



On September 5, some banks came across fraudulent transactions in
which debit cards were used in China and the US when customers were
actually in India. Cardholders also detected similar transactions —
subsequently, the banks complained to the National Payments
Corporation of India (NPCI), which has oversight over retail payments
systems in India. The probe by NPCI found a malware-induced security
breach in the systems of Hitachi Payment Services, which provides
ATMs, point of sale and other services in India. The investigation
alleged that the security breach occurred in the ATMs of a particular
private bank. (On Thursday, Hitachi spokesperson Loney Anthony said
that an interim report submitted by an independent auditor in
September did not “suggest any breach/compromise” in its systems, and
that the final report was expected by mid November.)



After the probe found that ATMs had been compromised as early as in
May 2016, all three service providers — Visa, MasterCard and RuPay —
asked banks to either tell customers who could potentially be at risk
to change their PIN, or issue them new cards. Most banks asked
customers to change their PIN, and in certain cases blocked the cards
and decided to issue fresh ones.



How big is the problem? How many debit cards have been impacted?



This is one of the biggest data breaches in the country — about 3.2
million cards issued by Indian banks could be potentially replaced, or
their holders asked to change their PINs to avoid fraud. According to
NPCI, 90 ATMs have been compromised, and at least 641 customers across
19 banks have lost Rs 1.3 crore as a result of fraudulent transactions
on their debit cards. Until August, Indian banks had issued a total
712.39 million debit cards, according to Reserve Bank of India data —
while the number of cards affected by the breach may seem small in
comparison, the potential losses could still be significant if a large
number of them are exposed to this fraud.



How exactly does the malware work?



Malware is malicious software including viruses, worms, trojans,
ransomware, spyware and other programmes that damages computer systems
at ATMs or bank servers, and allows fraudsters to access confidential
debit card data. In this case, swiping a card at an allegedly
compromised ATM allowed the data on the card to be transmitted to the
fraudsters, who then misused it for fraudulent transactions.



What are banks doing to protect cardholders?



Since most of the cards at risk are not chip-based, banks are planning
to replace them with chip-based ones. The Maharashtra Police has begun
investigations into the security breach and has written to the RBI
seeking information on the fraudulent transactions. The council of
Payment Card Industry Data Security Standard (PCIDSS), an
international body that sets data security standards, has ordered a
forensic audit of the data breach in India, which will be concluded by
the end of this month.



Who is liable if a card is subject to fraud orchestrated by a third party?



According to the RBI’s draft circular on customer protection, a
customer is not liable for a third-party breach, or where negligence
or fraud is on the part of the bank, if the customer informs the bank
of the fraud within 3 working days of receiving a communication from
the bank on any unauthorised transaction.



What is RBI doing to mitigate cyber attacks on financial institutions?



In June 2016, RBI issued instructions on a cyber security framework in
banks, asking them to put in place a board-approved cyber security
policy, prepare a cyber crisis management plan, and make arrangement
for continuous surveillance. The circular also asked banks to share
unusual cyber security incidents with RBI. Apart from this, RBI has
set up an expert panel on IT Examination and Cyber Security to provide
assistance in banks’ cyber security initiatives, and proposes to
cover, by 2017-18, all banks under a detailed IT examination programme
that it launched in October 2015.



ATM Fraud:



Keypad jamming



The fraudster jams the ‘Enter’ and ‘Cancel’ buttons with glue or by
inserting a pin or blade at the buttons’ edge. A customer trying to
press the ‘Enter/OK’ button after entering the PIN, does not succeed,
and thinks the machine is not working. An attempt to ‘Cancel’ the
transaction fails as well. In many cases, the customer leaves — and is
quickly replaced at the machine by the fraudster. A transaction is
active for around 30 seconds (20 seconds in some cases), and he is
able to remove the glue or pin from the ‘Enter’ button to go ahead
with the withdrawal. The loss to the cardholder is, however, limited
by the ceiling on withdrawals, and the fact that only one transaction
is possible without swiping the card again and re-entering the PIN.
Commonsense advice: do not seek the help of a stranger to withdraw
cash, and do not leave the ATM box until the transaction has been
cancelled. Banks do not take responsibility for such a fraud, which
they put down to negligence on the part of the cardholder.



Card swapping



Sometimes, when a customer uses his debit card at a merchant
establishment, the fraudster (who could be a fuel pump attendant or a
restaurant waiter, etc.) will make a note of the PIN that is keyed in
and, while returning the card, swap it with an identical dummy from a
store of several cards he keeps. With both card and PIN, the fraudster
can then withdraw cash until the cardholder is able to block the card.
Banks advise customers to make sure their card is always in sight, to
check if it is indeed theirs when an attendant hands it back, and to
not ask him to punch in the PIN at the ‘point of sale’ terminal. In
cases of card swapping fraud too, banks do not accept liability.



Skimming



This kind of fraud is more sophisticated. A small skimming device is
planted in the ATM’s debit card slot, which is able to read the
information on the card’s magnetic tape. The information, once copied,
can be reproduced on any card, which can be subsequently used to
withdraw cash. The customer’s PIN is captured by a small camera that
the fraudster installs in the ATM kiosk. Banks generally take the
liability for skimming frauds and make good the customer’s loss.
However, the customer must block the card after the first instance of
misuse.