Bankers and cyber experts advise that ideally an ATM PIN should be changed every three to six months. Are they being overly cautious? Perhaps not. Several banks have already asked their customers to change their card security details and to stick to their own ATM networks.
According to Reshmi Khurana, country head-operations for Kroll Advisory Solutions, customers have reported transactions on their debit cards in China, which is how banks came to know of the breach of data security. A certain foreign payment services company, whose system is believed to have been compromised, is going for a forensic audit. “While it is not confirmed, the breach of data seems to be on account of a malware inserted in a white-label ATM network, which is why banks are cautioning their customers to stick to their own bank’s ATM network,” she says.
An ATM breach means the PINs of not only that bank’s customers but of all those who use that bank’s ATM network could be compromised. For most customers, using the card at an ATM would seem a safe transaction, being monitored by the bank. However, that is not always so. About 70 per cent of ATMs in India are running on outdated Operating Systems (OS), making them easier for fraudsters to exploit.
“Microsoft withdrew all support to Windows XP about two years before. But, there are still many ATMs running on Windows XP OS, which makes them vulnerable to malware and fraud,” points out Harshil Doshi, consultant at Forcepoint, a data privacy and security company.
Most banks also use ATMs from different vendors, because of which standardisation of networks and technology is not possible. This also opens the system to possible fraud, Doshi adds. Fraudsters have developed devices to infect all types of ATMs.
Once the malware is detected, the bank or payment services company will fix it, but the problem is to identify the malware. While such incidents are common overseas, they are increasingly happening in India, too, as banks adopt more technology and transactions become digital. There is a need to be more pro-active and put the proper checks in place, Khurana adds.
Operating expenses on digital security have to go up manifold, says Piyush Singh, Managing Director, Financial Services, Accenture India. “While we have leapfrogged in digital technology, we still lag in digital security. Both banks and customers need to actively protect themselves. Going ahead, customers may ask a bank about its digital security and protection before opening an account and not only about services and rates. For banks, it is a question of their reputation,” he says.
Payments Council of India has, meanwhile, begun a forensic audit to check for signs of financial fraud in customer accounts. NPCI Managing Director AP Hota said that NPCI had received complaints from banks about debit cards being used in China, which had aroused suspicion.
What happens next?
For the affected customers, the banks are issuing new debit cards to ensure there is no further damage. If you are a customer of any of the affected banks, you should contact the bank as well as change your ATM PIN at your own bank's ATM.
While all the banks are running audits on their networks and servers to identify the root cause, NPCI has ordered a separate investigation as well. Banks are also advising their customers to avoid using non-bank ATMs until investigations are complete.