Banks Warn On ATM Use, Block Debit Cards Amid Security Risk: 30 lakh debit cards under threat? What we know about the security breach so far

A suspected breach of data security of a private sector lender a few months back has led to pre-emptive steps being taken by other banks to thwart any potential troubles, bankers said today.

The steps taken by the bankers include asking customers to change the PINs of their ATM-cum-debit cards; this has now gone up one level to replacing the cards as well if customers do not comply.

According to bankers, the breach was effected in such a way that anyone using the said bank’s ATMs in the region might stand to get affected.

When asked about alleged lapses on its ATM network, a Yes Bank spokesperson said, “Proactively undertaken a comprehensive audit of ATMs, and there is no evidence of a breach or compromise on ATMs.

“We continue to work with relevant stakeholders, including other public sector and private banks, and NPCI, to ensure utmost safety and security of ATM network and payment services which are completely safe to use.”

HDFC Bank reportedly asked the customers to change their PINs and has also been asking them not to use any other banks’ ATMs as a precautionary measure.

After asking customers who may potentially be hit to change their security code, the largest lender, State Bank of India, has also started a process to block, at its own cost, the cards of those who did not, its spokesperson said today.

“Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks,” SBI said in a statement this evening.

“We came to know about security breach and proactively recalled affected cards as we did not want our customers to be at any risk. There was no breach in our system. We are now issuing EMV-based debit cards which cannot be compromised,” SBI deputy managing director and chief operating officer Manju Agarwal told PTI.

She, however, declined to give the number of debit cards the bank has recalled. SBI has nearly 20 crore debit cards.

There were media reports that said SBI had recalled 6.25 lakh debit cards due to a malware-related security breach.

SBI further emphasised that its systems are absolutely fine and not compromised at all, and that existing cardholders are not at any risk.

“We are in the process of issuing new cards at no cost to those cardholders whose cards have been blocked. This is a cards industry incident and not an SBI only incident,” an SBI statement said.

However, all the bankers were quick to claim that the breach has not led to any monetary losses to anyone and all the measures being taken are to safeguard the system against any potential threat.

When contacted, an RBI official said the central bank is seized of the matter and is looking into the issue.

Bankers said the problem was first discovered between May and July, and banks have resorted to recalling the affected debit cards from September.

“Data processes of one private bank were compromised, which affected other banks’ customers as well. Customers who used that bank’s ATM stand to get potentially affected,” said another public sector banker.

Around 30 lakh bank debit cards may have come under threat after an alleged security breach at Yes Bank’s ATM raised fears of potential fraud. A slew of banks will either replace cards or ask customers to change the security codes. The move comes a day after India’s largest lender State Bank of India said that it had blocked cards of certain customers.

Where did the breach originate?

Several reports suggest that the breach originated in malware introduced in systems of Hitachi Payment Services, which has enabled fraudsters to steal information. Hitachi Payment Services manages the ATM network processing for Yes Bank. Other banks have reportedly been affected because YES Bank ATMs see third-party transactions too. According to bankers, the breach was effected in such a way that anyone using the said bank’s ATMs in the region might stand to get affected.

“Data processes of one private bank were compromised, which affected other banks’ customers as well. Customers who used that bank’s ATM stand to get potentially affected,” a public sector banker was quoted as saying by PTI.

Banks that have suffered

An Economic Times report said the breach has affected State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank the most. The cards, as per the report, include 2.6 million Visa and MasterCard cards and 6 lakh RuPay cards.

Meanwhile, India’s largest bank State Bank of India and its subsidiary banks blocked around 6.25 lakh debit cards after suspicious transactions spiked at third-party ATM machines. Card holders were unaware as their cards were blocked without prior notice. The bank subsequently sent emails and SMSes to customers, alerting them about the blockage.

While State Bank of India said it was re-issuing over 600,000 debit cards because of a potential security breach, several others are taking pre-emptive steps to thwart any potential troubles. HDFC Bank reportedly asked the customers to change their PINs and has also been asking them not to use any other banks’ ATMs as a precautionary measure.

What steps are being taken by banks

The steps taken by the bankers include asking customers to change the PINs of their ATM-cum-debit cards; this has now gone up one level to replacing the cards as well if customers do not comply.

Banks have also been asking their customers not to share the password with any other person in order to avoid security breaches such as skimming and cloning of cards.

The RBI view

A report in Hindu Business Line says the Reserve Bank of India (RBI) has asked banks to replace debit cards whose security is suspected to have been compromised after being used in some ATMs.

With online bank frauds on the rise, the RBI had recently proposed that a customer will not be liable to make the payment if the fraud or negligence is on the part of the bank and the customer notifies the lender within three working days of receiving communication from the bank regarding an unauthorised transaction by a third party. In cases where the victim reports the fraud between four and seven days, the liability will be capped at Rs 5,000. The proposed rules apply to all electronic transactions, including payments made remotely using net banking or cards and payments made in shops using cards or mobile wallets.

PTI