• United States



by Sejuti Das

Indian debit card scam is a wakeup call for the banking industry

Oct 20, 20165 mins
AnalyticsAnti MalwareAntispam

The recent security breach of 3.2 million debit cards has created a lot of negative sentiment among bank customers as feared by many industry leaders.

In the wake of the biggest banking security breach in the country, it has come to light that nearly 3.2 million debit cards had been put at risk of fraudulent transactions after cybercriminals stole customer data from Indian ATMs.

CSO online spoke to a few enterprise leaders for their views on this breach, and how this is going to affect the Indian banking industry.

Rajesh Maurya, regional director, India and SAARC at Fortinet, said that, with the emergence of the digital economy, banks are embracing digital transactions along with its risks. Financial firms are likely to face new strains of malware and innovative phishing attacks aimed at exploiting loopholes as banking firms start to share more customer data between branches, mobile users, and even the cloud.

He said, “Banking firms are now required to conduct businesses in real-time while also protecting against cyber-attacks that are targeting highly-valuable data they possess. This is a tall task that requires dedicated staff and resources.”

Analysts have predicted that the data used by banks will increase seven-fold between now and 6850. A lot of the data being generated includes customer financials, account information, cardholder data and transactions and personal information, all of which are regulated and potentially sensitive or private.

Shrikant Shitole, MD at Symantec India, believes that businesses operating in the financial services domain are constantly innovating to equip customers with modern products and services. However, on the sidelines of such a technology upheaval, cyber-attacks are becoming increasingly diverse and impacting business of all sizes as well as consumers.

Given this situation, Shitole mentioned that it is important for financial firms to adopt solutions that proactively address adversaries and establish real-time monitoring systems to detect and protect from cyber-attacks. He believes that automation of processes is a vital part of a future-proof security infrastructure as it helps in guarding against human error and offers capability to manage large amounts of data.

“RBI’s cyber security guidelines issued in June are great enablers to help banks as well as their customers stay more secure and safe from such targeted attacks,” he said. “It is important for customers to be vigilant.”

Banks may come under many such targeted attacks in the future too. Banks should ensure data confidentiality at all times. Banks’ outsourcing partners should have the same security standards as the bank so that customers’ data does not get leaked at any juncture, agreed leaders.

Ajay Dubey, senior channel manager, Forcepoint said, “Banks should look to regularly update operating systems and consider using applications control and ATM network segmentation. Deploying web, email and data security solutions along with insider threat solution becomes important to contain such threats.”

Explaining the breach, Sudeep Charles, product marketing manager, security at Akamai Technologies said that malware is a software that can be designed to get into systems very slowly, gather information, and understand the security implications. Along the way, it also creates unwanted advertisements.

He said, “The reason it has taken so long for banks is essentially because detection of malware has not probably been efficient. The more control banks get on their systems, the better off they are.”

Agreeing with Charles, Bhaskar Bakthavatsalu, MD at Check Point India and SAARC said that this breach has been a wakeup call for the entire banking and financial industry. “When it comes to cyber criminals, banks are always the top target. So banks are required to take security seriously,” he said.

Enterprise leaders agreed that the mag-stripe cards issued by banks for ATM transactions should be replaced at the earliest. The concerned banks are blocking the debit cards to minimize the impact; however, the already ongoing replacement of mag-stripe cards with EMV chip cards (a global standard for credit and debit payment cards based on chip card technology), will help the banks.

According to industry estimates, around 63 million mag-stripe cards have to be migrated to EMV standard in the next two years. Nearly 672 million cards would have been migrated this year.

In line with that, Atul Singh, regional director – banking and transport at Gemalto India said, “Malware attacks have also affected countries like Japan and Bangladesh in the recent past. Therefore, Indian banks will have to make special efforts to ensure that their most sensitive data is protected with multiple levels of authentication and industry standard encryption, ensuring data security at all points of transaction.”

Amit Nath, head of Asia Pacific – corporate business at F-Secure Corporation, believes that there is a lot of work that needs to be done on the security front. “Banking firms need to have the ability to detect the breach and the ability to look at the entire customer IT framework so that a comprehensive cyber security strategy can be put in place.”

When it comes to cyber security, many Indian firms prefer to throw people at the expense of investing in robust technology and intelligence capabilities. As a result, some Indian businesses are massively underinvested in technology to detect and respond to attacks, and this leaves them very vulnerable to targeted attacks.

This breach speaks of the advanced sophistication of cybercriminals and the malware tools they use. According to RSA, cybercrime has moved beyond targeting individual users to targeting corporate servers, payment networks and other systems on a massive scale. Implementing transaction monitoring and other advanced controls across all digital channels is critical if you want to mitigate the impact these types of breaches have.

Bryce Boland, chief technology officer, Asia Pacific at FireEye said, “Cyber security issues can only be addressed by expertise, but it also requires a combination of technology and threat intelligence for it to be effective.”

“In the end, many Indian business leaders mistakenly think their security and risk efforts are effective, but attacks can actually remain invisible and undetected for extended periods of time,” concluded Boland.

With added inputs from Shraddha Singh and Mansi Joshi.