India has seen several instances of banking cyber fraud over the years. If you haven’t received at least one call purportedly from the Reserve Bank asking to reset your PIN, you haven’t really lived here.
But the recent incident, where multiple banks have simultaneously said that their cards—estimated at 3.2 million by some reports—have been compromised makes this the first incident of such scale.
Only the final report of the forensic audit, to be submitted next month, will reveal exactly how the financial data from millions of cards were stolen. But it is unlikely that someone could breach the security of five or six banks simultaneously, PTI reported.
One would be triggering so many alarms on the way that the chances are it would be discovered fast. The breach was reportedly detected through the systems of Hitachi Payment Services, which maintains ATMs and point-of-sale terminals.
This kind of fraud can possibly happen using an extra “mouthpiece” (ATM skimmer), so that when you slide your card in, it first goes through the criminals’ device, which skims your data, and then into the ATM.
There is also specific malware that affects ATM software directly. In India, you can use your debit card across ATMs of different banks, which means that by compromising a single ATM, you can steal data across banks.
It’s not very complicated to steal the data of hundreds of thousands of cards through such mouthpieces. But if you want to scale up the operation, you will need greater access, such as through point-of-sale machines used in restaurants and retail stores.
There are special types of malware that infect only point-of-sale machines—this will give a criminal a higher “rate of return” because there are many more people who will be out shopping than making ATM withdrawals.
That’s what happened in the case of US retail chain Target in late 2013. Data from up to 40 million credit and debit cards of those who had shopped at Target were stolen by hackers, bang in the middle of the holiday shopping season.
Usually, the person who steals your financial data won’t use it himself. Instead, he will sell it online. There are websites that sell credit card information in bulk, in hundreds or thousands.
With banks, where the stakes are the highest, there is no solution that is 100% foolproof. It’s a game of cat-and-mouse where the banks have to make sure they are always ahead.
Add new comment
Read our comment policy before posting your viewpoints