Where do we stand now? Security experts do a post-mortem on a malware breach that compromised 3.2 million bank customers in India.

In an effort to neutralize the anxiety and fear among cardholders after the debit card breach, the National Payments Corporation of India (NPCI) has issued an explanation. A P Hota, MD & CEO of NPCI, the authority that controls all retail payments systems in India, said, “The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers.”

The breach

The security breach came to light when customers complained of their cards being used in China and the USA. While NPCI maintains that only 641 customers were directly hit, it also says that a total card base of about 3.2 million could possibly have been compromised. Customers were left in total confusion about what happened, and what to do about it.

The breach is being audited by the Payment Card Industry Security Council and the banks have decided to wait and watch. Analysts point out the cracks in the system that should have been addressed.

Suveer Khanna, partner, forensic, KPMG India, said, “Gone are the days where the intent of a cyber-attack is to disrupt business using Distributed Denial of Service (DOS) or by bringing down the website or a network.

“Thanks to the Darknet, cyber criminals are a well networked nexus. The Darknet not only provides a market place for all kinds of information, right from card data to business information, but also provides the cyber criminals a market place for procuring state of the art hacking tools, attack target related information and hackers for hire services to help in executing devastating cyber-attacks without being detected.”

Why are banks tight-lipped?

Vivek Gautam, Research Manager, Software & Services, IDC India, said that organizations shy away from reporting cyber-attacks as it can affect their brand image adversely.
However, Khanna pointed out that the banking sector is more open in reporting such incidents to regulators in order to avoid violations and regulatory penalties.

Banks won’t be able to keep security breaches under wraps anymore. RBI has mandated that all cyber security related incidents must be immediately reported. Speaking about the RBI’s mandate, Rajpreet Kaur, senior research analyst, Gartner, said, “They are already late in bringing this up. There have been a few banks who were working towards a robust cyber security policy. But the whole financial network in India needs fraud detection and management which is lacking as well as the detection and remediation.”

Digital India dream – Cracks in foundation?

Digital transformation is the road ahead for IT, especially the BFSI sector. India has plans of becoming a cashless economy by digitalising monetary transactions. At the same time, the basic framework, such as the physical and network security of Indian ATMs, has been questioned by experts.

“Guidelines appointed by the RBI are not enough. The privacy and the security of the data on go, the data in-transit needs point-to-point encryption. I don’t see our organisations adopting it,” said Kaur.

Gautam concurred, “Advanced Persistent Threats (APTs) are designed in such a way that once infecting a local server or end-point, it can move laterally across the network without being detected and compromise the security posture of whole environment. Often internal security teams of Indian organizations lack skills and resources to identify such breaches.”

Respond now – there’s no later

“The cyber incident response program, like a disaster recovery program, should be designed, built and tested periodically for all eventualities known to impact business,” added Kaur.

There is a need to adopt a framework that requires organisations to assess and treat risk without the guidance of a compliance checklist, like the NIST, the US central risk-based security framework.
“While investing in best of breed security products may not guarantee that data breaches will not happen, finance industry needs to develop a culture of security intelligence sharing,” said Gautam.