Your Banking information might be in the hands of a hacker

Image Courtesy: LiveMint

Banks or financial institutions are no longer just guardians of your hard-earned money, but also custodians of sensitive information pertaining to their customers. We are currently in an age where information is the strongest vector, far more formidable than hurling missiles at each other. So when you consider intelligence related to financial data, and that too belonging to customers of the country’s most premium banks, it makes a very lethal combination which has every potential to create major havoc.

Also, banking has perennially been a business of trust, so when news flashes came out confirming that about 3.2 million debit cards have been compromised, it was surely going to send tremors through the already conservative customers of this country, who are trying hard to trust things digital. Just when the government is going into overdrive on its digital initiatives, of course due to the virtues of the platform, this is going to be a shot in the arm.

So what has actually happened?

Let’s start by understanding the incident at the epicentre of this fiasco, which according to many pundits is the largest data breach witnessed in India. It all started sometime in the first week of May, when malicious software, aka malware, was found in the ATM switch software of Yes Bank. Since technology is not the key business driver for banks, it is common practice to outsource such activities to mature technology partners, in this case Hitachi Payments, which manages the infrastructure of various financial institutions along with the bank in question.

There are multiple conspiracy theories as to how malware was injected into such a secured perimeter, the most believable of which is some kind of negligence on the part of the people associated with it. However, the existence of some technical flaw in the system which was exploited by the attackers cannot be discounted. What we need to understand here is that we are not dealing with run-of-the-mill criminals who took to crime because of lack of education and poverty. Cyber-criminals are intelligent, motivated, very well connected and co-ordinated groups of individuals, and hence it is but obvious that there will be days when they have the last laugh, no matter how strong and impenetrable a system the banks try to build.

The malware in this case was of the network monitoring and data exfiltration variety. It was sitting on the ATM switch (the place where all the transactions originating from ATMs merge) and capturing all the data coming to it, after which it was sending all that data to its own server (a repository of sorts). Now this data is nothing but the details of the debit card which you swiped at the ATM to perform a transaction, which could be used to create exact duplicates of the original debit cards. Using this simple yet effective modus operandi, attackers could gain access to the details of a large number of debit cards which were swiped at any of the Yes Bank ATMs after the infection happened.

Now debit cards cannot be used for cash withdrawals without entering the personal identification number/PIN. So the next question is how the attackers got access to the PIN.

Since PINs are exchanged via a highly secured channel and also stored using a strong encryption methodology, the good news is that attackers may not have got access to them. That surely minimises the risk arising out of the fraud, but it still exposes customers to a substantial amount of it. The debit card information can be used by attackers to launch sophisticated and targeted social engineering attacks: those calls where the caller claims to know some part of your banking information, lures you by offering extra bonus points, air-miles etc., and then asks for the OTP/PIN to complete the transaction. In case you doubt their credentials, they would instantly abuse you and disconnect the call. But then there are scammers who are extremely sophisticated and also customers who are extremely naive; in both cases it is a perfect kill.

So what should you do as a customer in this scenario?

Immediately change the PIN of all your debit and credit cards, and do not use an easily guessable number like 1111/1234/first four digits of the card etc. Also, immediately modify all the existing passwords/PINs of your internet/mobile banking software. Use easy to remember but difficult to guess passwords. One good mechanism is to use a passphrase and then use the first letter of each word of the phrase to create the password; e.g. if the passphrase is ‘I read TFI 2 times a day’, it would translate to ‘IrT2Tad’, which is a strong password. Another suggested measure is to update the email address and mobile number for all banking accounts in order to receive real-time notifications, so that in the event of any attempted fraud the card can be blocked immediately. However, if you’re still not convinced and feeling jittery, simply go to your bank and ask them to reissue your debit card. This would definitely make you secure against this wave of data breach.

We should also make some minor behavioural modifications to safeguard ourselves from becoming victims of such financial frauds. So many times in restaurants/pubs we give our card PIN to the waiter just to avoid a little discomfort. This is a highly insecure practice and should never be engaged in. Just remember that your PIN is personal and hence it should never be shared with anyone, not even your best friend.

One piece of comforting news is that the financial regulators of this country are doing all that is possible to contain the risk and also implement stronger control measures to prevent the recurrence of such incidents in the future. Henceforth, just be a little careful with your banking credentials and keep enjoying the comforts of digital banking.
