How big was the breach? Are ATMs still affected? What type of data was stolen? Poor regulation and insufficient information-sharing within the banking industry have left the general public in the dark.
New Delhi: The potentially biggest-ever data breach in India’s banking system has all the elements of a perfect murder. There are victims (customers and specific banks), possible suspects who deny their culpability (YES Bank, Hitachi), but almost everything else is unclear and up in the air. However, whatever little is known is alarming and has serious ramifications for both the banking system and customers.
The official account – pieced together by banking stakeholders The Wire spoke to, media reports and public statements put out by NPCI and RBI officials – is very barebones. Sometime between May and July, an unknown number of ATMs and point of sale (PoS) machines were compromised by an unknown malicious virus. This correspondingly compromised the data of up to 3.2 million customers.
According to people with direct knowledge of the matter, while one or two banks and white-label ATM operators may have known of the breach by the end of July and the beginning of August, most banks were alerted to the fact only by late August once customer complaints of unauthorised withdrawals (mostly for purchases originating in China or the US) started pouring in.
By September, other stakeholders of the banking and financial industry started getting notified: payment gateways, the Reserve Bank of India and other players. In September, as yesterday’s statement from the National Payments Corporation of India (NPCI) notes, stakeholders “started working in a collaborative manner” and established that there was a “possible compromise at one of the payment switch provider’s system”.
What are the questions that remain? Simply put – nearly everything. The general public is as blind, as it turns out, as various stakeholders and members of the banking community.
Scale and impact of the breach: absurd and confusing numbers
How big was the breach? How many affected customers? There are a number of initial estimates floating around. Most media reports and official statements say that the data of up to 3.2 million customers could have been compromised, that the compromise happened over a period of roughly 45 days (Mint’s version says from May 20th to July 15th) and that roughly 90-92 YES Bank ATMs and PoS machines were targeted by the malware.
These numbers, however, make very little sense: 3.2 million customers affected through 90-92 ATMs/PoS devices over a period of 45 days. This implies that the average number of daily, unique users at a compromised ATM was approximately 800. Put more simply, on any given day between May 20th and July 15th, 800 different people swiped their cards at a compromised YES Bank ATM or PoS machine.
What’s wrong with this? For one, the average number of transactions that take place at a YES Bank ATM on any given day is around 50-52. The average number of daily transactions at a YES Bank PoS machine is 40-43. The Wire has collated this publicly available data (for the month of July) from the RBI, and it is available to view here.
This gives rise to three potential implications, the first two of which are particularly alarming.
One, the number of compromised ATMs is far higher than the ‘90 ATMs’ figure put out by the NPCI. If 3.2 million users have been compromised, a far greater portion of the YES Bank network could be potentially compromised. If this scenario is true, and if only YES Bank ATMs (and those operated by third-party Hitachi) were compromised, then there should be caution about using any YES Bank ATM.
Two, the compromising of user data happened over a much larger period (far greater than the 45 days reported so far). This throws into doubt the cybersecurity competency of most banks and payment service providers.
Three, which also seems equally likely, is that the actual number of compromised customers is far less – and the banks and NPCI are erring on the side of caution in their estimates.
What data was stolen?
Stepping back slightly, it is still unclear at this point what types of data were compromised in the data breach. Was it limited to PINs and other non-personal authentication information? Or was personally identifiable information such as names and date-of-birth data also affected?
Official statements appear to indicate that the breach was mostly limited to ATM PINs. NPCI CEO Hota, for instance, confusingly indicates that most cards may not even have been compromised, but states that fraudulent transactions may have happened in “August and September” and that by this time “customers and banks have changed the PIN”.
“At this moment, we have no way of knowing until the forensic audit by SISA Information Security takes place. The only people who could possibly know what types of data have been stolen are the folks at YES Bank and Hitachi. And their interim report has denied all allegations, including the fact that their ATMs were compromised in the first place,” a senior cybersecurity official of a top private sector bank told The Wire.
Info sharing between banks, ATM operators and gateways
One of the more startling lessons from this data breach is how little banks, both private sector and public sector, share information with one another over security incidents.
Multiple sources pointed out that the first banks to gain some sort of information about the breach were YES Bank, HDFC and ICICI Bank. State Bank of India, Axis Bank, payment gateway services and a handful of white-label ATM operators were officially alerted only up to 2-3 weeks later.
“It’s a little disgraceful. Through informal channels, some people were potentially aware but when information was asked for through formal channels it was first denied. Then later, some news started coming through. Nobody wants to admit that they’ve been compromised, even though the first step should be securing the interests of the customer,” a senior executive of a top private sector bank, declining to be identified, told The Wire.
Why is such information-sharing valuable, but still not done on a professional and regular basis? While legal concerns and keeping paper trails to a minimum are important (no bank wants to be subject to a shareholder lawsuit), bank executives are also wary of sharing details with rival banks over concerns of being ratted out to the RBI or other market regulators.
This hurts when it comes to containing the consequences of the data breach. For example, a number of white-label ATM operators that The Wire spoke to pointed out that they had still not been officially briefed by the RBI, NPCI or any other bank. If Hitachi (a white-label operator that managed YES Bank’s ATMs) had malware issues and this problem could affect the software that other white-label ATM operators use, then it’s important for similar stakeholders to be briefed.
“It’s a sad fact, but the banking system here is simply not capable of handling something technological like this. We have not received any notice or briefing from authorities, but our own checks show that none of our ATMs or customers have been compromised,” the head of a large white-label ATM operator said.
Info-sharing between banks and authorities
Another puzzling question that remains unanswered is how quickly these data breaches were detected and, after that, how long it took for the concerned parties to notify the NPCI, RBI, SEBI and other appropriate government-run cybersecurity organisations.
The Wire has sent out questionnaires to various banks and the RBI and will update this story with the information when it comes in.
In this malware-ATM controversy, what has escaped notice is that Axis Bank in particular has been hit by another, separate data breach or, at the very least, a robust hacking attempt. According to sources, Axis Bank’s servers were hit by an unauthorised offshore login attempt at the beginning of September, and the bank was alerted to it by engineers at Moscow-based Kaspersky Lab. It is unclear at this point whether any data has been compromised.
However, according to media reports, Axis Bank only notified the RBI of the incident last week – even though they are officially supposed to do so within six hours of notification.
Cybersecurity and banking experts point out that this lackadaisical attitude is common throughout the financial industry and reflects poorly on the manner in which Indian banks treat their customers.
With the malware-ATM breach, NPCI appears to have taken the initiative in coordinating a combined response at identifying the issue and assuaging the concerns of worried bank customers. And yet, even here, the time between the actual incident (May) and the general public being informed (October) is too long.
“At the very least, this controversy should be used as a lesson and justification for formulating harsher and stricter regulations regarding data breaches. India’s road to becoming a cashless economy must be paved with proper security,” said Anand Luthra, a cybersecurity and financial expert.