Indian banks are in the news for the wrong reasons - a massive data breach in which about 3.2 million debit cards have been reported to be compromised. The cards were fraudulently used in foreign countries, mainly in China and the US. According to the National Payments Corporation of India, or NPCI, 641 customers of 19 banks complained about fraudulent withdrawals totalling Rs 1.3 crore.
This could be one of the biggest security breaches in Indian banking history.
How it Happened
Debit cards are used at point of sales (PoS) as well as at ATMs. Banks generally outsource the processing to one or multiple companies. In this case, the hackers targeted one of the vendor companies and used malware to steal data. Experts say they might have entered the servers by targeting employees. With the amount of data that we share on social media, it is not very difficult nowadays to gather basic information about any person. "The hacker can find the identity of the employee of the bank or the vendor company handling a particular division by simply typing the name of the company and the department on LinkedIn and then target that person through mails containing malware," says Amit Jaju, Executive Director, Fraud Investigation & Dispute Services, EY India.
If the employee downloads the attachment or clicks on the link in the mail, the malware can enter the system, giving the hacker access to the servers of the bank or the company where the data is stored. Companies and banks have firewalls to protect systems from such attacks, but if they are not updated or up to the mark, it becomes easy for the hackers.
Apart from this, there are certain infrastructural flaws in the Indian banking system that lead to such frauds. Although the Reserve Bank of India, or RBI, has asked banks to issue only EMV chip and PIN cards from September 2015, a large number of debit cards in use still have magnetic strips. EMV chips protect users from skimming and stolen card frauds. Skimming is a method of capturing the information in the card using a device. In a notification this year, the central bank also asked banks to provide ATMs that support EMV chip cards rather than magnetic strips.
How to Be Safe
Fraudsters target people using banking services. They use different techniques such as phishing (sending fake mails to steal sensitive data such as bank account numbers and passwords), skimming (use of a device to steal card information at PoS), vishing (making a person divulge personal/financial details over the phone), ATM skimming (tampering with the ATM to collect data of cards), and card cloning (data of the original card is imprinted on another card). Here are the steps you can take to safeguard your money.
Have strong passwords: Keep changing your bank-related passwords at regular intervals; prefer complex strong passwords, says Tarun Bhatia, Managing Director, Investigations and Dispute, Kroll, a corporate investigations and risk consulting firm. And don't have the same password for each bank account, he says. Change the password that your bank has given you. Also, change the password if you hear about any data theft. Don't use passwords that are easy to predict, such as date of birth. Use a mix of numbers, letters and special characters.
Register your mobile and email id with your bank: The RBI mandates banks to send online alerts for all card transactions. Update your phone number and email id with your bank.
Set limits: It is advisable to set transaction limits on every card to limit the loss. Bank apps let you do this with a few clicks. "Various banks provide the facility for setting separate limits for transactions such as e-commerce, PoS and ATM. One can have a different limit for each. One can also set separate limits for domestic and international uses," says Amit Jaju of EY India.
Revisit privacy settings on social media: Among the security questions banks ask are your sibling's name, your pet's name or your mother's name. These can be easily fished out from your social media accounts. Change the settings on sites such as Facebook so that only close friends and family members can access information.
What if you are duped?
1) Inform the bank immediately. As per an RBI circular: "If there is a third-party breach where neither the bank nor the customer is at fault, the customer will have no liability if he or she has informed the bank about the transaction within three working days. If the card issuer is at fault, the customer will be fully reimbursed." Card issuers and payment processors buy insurance to secure themselves against financial losses from such frauds. "As regards the card holder, if the fraud has taken place at the card issuer or the payment processor's end and the card holder is not responsible, he or she will be reimbursed," says Sushant Sarin, Senior Vice President, Commercial Lines, Tata AIG General Insurance.
2) Block your card immediately. Call the bank's customer care number if you suspect that there has been a fraudulent transaction through your card.
3) File a first information report with the police and get an acknowledgement for the complaint.