MUMBAI: Close to 30 lakh debit cards are understood to have been used in ATMs that are suspected to have exposed card and PIN details to malware at the back end. While State Bank of India+ (SBI) has decided to reissue debit cards to six lakh customers who had used their cards at suspect networks, other banks are asking customers to change their ATM PIN. They are also blocking international transactions that can be conducted without PIN.
The problem relates to the feared breach in the systems of Hitachi Payment Services, which manages the ATM network processing for Yes Bank. The matter came to light around July. The private bank maintained that no compromise had been detected in its ATM network and that the measures were proactive.
The reason why a large number of banks are impacted is that Yes Bank, despite having a small number of ATMs, sees a large number of third-party transactions on its machines.
Yes Bank has undertaken a review of its ATMs, and there is no evidence of a breach or compromise. Yes Bank continues to work with relevant stakeholders, including other public sector and private banks, and NPCI (National Payments Corporation of India), to ensure utmost safety and security of its ATM network and payment services which are completely safe to use,” it said.
“The affected systems were quarantined and inspected and the cards that were exposed have been identified and each bank has taken action according to its risk management practices,” said a regulatory source. The incident has also compelled RBI to review its reporting framework and it has asked banks to immediately inform the central bank of any suspected fraud. The information would be shared with other banks on ‘no-name’ basis so that proactive measures can be taken by the industry.
The recent incident also highlights new security challenges for banks. Until now, ATM related thefts were largely a fallout of fraudsters installing skimmers on machines or placing hidden cameras to capture PIN. The fact that neither the regulator nor the affected bank have released details of the malware has led to speculation. Some industry experts said that given the scale of card reissuance by SBI, it looks like a malware had access to the HSM (hardware security module) card which receives card information and PIN.
Loney Antony, MD, Hitachi Payment Services, said “Prima facie the system does not appear to be compromised but I cannot comment until the final report is issued. I do not think it is necessary for any bank to reissue cards. Many banks have asked customers to change their PIN number, but this is a general practice to get customers to keep changing their password,” said
While the number of affected cards is large, it is a small fraction (less than half a percent) of the total number of cards in the country. As per numbers reported by RBI there are 60 crore debit cards in the country.