Nagpur/Mumbai: Recently, many customers have got mails and messages from their banks to change the ATM PIN of their debit cards. We now know the reason, with reports suggesting 3.2 million accounts in five leading banks — State Bank of India, Axis Bank, ICICI Bank, HDFC Bank and YES Bank — are compromised.
Bankers and cyber experts advise that ideally an ATM PIN should be changed every three to six months. Are they being overly cautious? Perhaps not. Several banks have already asked their customers to change their card security details and to stick to their own bank’s ATM network.
According to Reshmi Khurana, country head-operations for Kroll Advisory Solutions, there are reports of customers reporting transactions on their debit cards in China, which is how banks came to know of the breach of data security. A certain foreign payment services company, whose system is believed to have been compromised, is going for a forensic audit.
“While it is not confirmed, the breach of data seems to be on account of a malware inserted in a white-label ATM network, which is why banks are cautioning their customers to stick to their own bank’s ATM network,” she says.
An ATM breach means the PINs of not only that bank’s customers but of all those who use that bank’s ATM network could be compromised. For most customers, using the card at an ATM would seem a safe transaction, being monitored by the bank. However, that is not always so. About 70 per cent of ATMs in India are running on outdated operating systems, making them easier for fraudsters to exploit.
“Microsoft withdrew all support to Windows XP about two years ago. But there are still many ATMs running on Windows XP OS, which makes them vulnerable to malware and fraud,” points out Harshil Doshi, consultant at Forcepoint, a data privacy and security company.
Most banks also use ATMs from different vendors, due to which standardisation of networks and technology is not possible. This also opens the system to possible fraud, Doshi adds. Fraudsters have developed devices to infect all types of ATMs.
“Once the malware is detected, the bank or payment services company will fix it but the problem is to identify the malware. While such incidents are common overseas, they are increasingly happening in India, too, as banks adopt more technology and transactions become digital. There is a need to be more pro-active and put the proper checks in place,” Khurana adds.
Operating expenses on digital security have to go up manifold, says Piyush Singh, Director at Accenture India. “While we have leapfrogged in digital technology, we still lag in digital security. Both banks and customers need to actively protect themselves. Going ahead, customers may ask a bank about its digital security and protection before opening an account and not only about services and rates. For banks, it is a question of their reputation,” he says.
By Priya Nair, as published in rediff.com