Govt assures 99.5 per cent debit cards safe as millions panic over data breach

The finance ministry on Thursday said debit cards are “completely safe” and there is no need to panic over the feared security breach that affected over 32 lakh cards.

“Only about 0.5 per cent of the total debit card details were compromised while remaining 99.5 per cent cards are completely safe and bank customers should not panic,” department of financial services additional secretary GC Murmu told PTI.

There are around 60 crore debit cards operational in India, of which 19 crore are indigenously developed RuPay cards while the rest are Visa- and Master Card-enabled.

Since the data compromise took place from specific machines within a particular time period, it is just a limited issue and banks have asked their affected customers to replace their card or change their PIN, Murmu said, adding that other cards are not affected at all.

In a message to its customers, Canara Bank said: “In view of security reasons…Please change the ATM PIN immediately. In case not adhered to, we will be blocking the existing card on 21-OCT-2016.”

Murmu said data of the users who have transacted from Hitachi ATM machines have been compromised during the month of May, June and July. The Hitachi ATMs, he added, deployed by many White Label ATM and Yes Bank were impacted by a malware, but other ATMs were completely safe. The extent of financial loss due to the breach is still being collated.

The genesis of the problem was receipt of complaints from a few banks that their customer’s cards were used fraudulently, mainly in China and the US when the customers were in India, NPCI said in a statement.

Apprehending that this could be a case of card data compromise, all the ATMs / PoS terminals in India and three card networks — RuPay, Visa and MasterCard worked together in September. It was established a compromise at one of the payment switch provider’s system had taken place. Based on the findings, NPCI and other schemes identified the period of compromise and the affected cards.

Though there were no complaints from any of the RuPay cardholders, NPCI as a domestic utility for ATM payments has taken the lead role for proactive steps in discussing the matter with various banks and card networks.

The complaints of fraudulent withdrawals are limited to cards of 19 banks and 641 customers, NPCI statement said, adding that the total amount involved is Rs 1.3 crore as reported by various affected banks.

Cards of all these complainants are related to other card schemes and there is no RuPay cardholder who had lodged any complaint for such fraudulent usage, it said.

Murmu said all the affected banks have been alerted by all card networks that a total card base of about 32.14 lakh could have been possibly compromised. Out of this, 6 lakh are RuPay cards.

“It was suspected that a compromise was at switch level which is PCI-DSS certified. Hence, subsequently PCI Council (the international body which sets standards on for PCI–DSS) was persuaded to conduct a forensic audit of the switch of one bank which is likely to be the point of compromise. The forensic study is in progress and NPCI is in touch with relevant stakeholders,” he said.

NPCI is closely working with all stakeholders and once the forensic investigation is over and the root cause is identified, we will issue a further set of recommendations as precautionary measures to member banks, he added.

According to Yes Bank statement, it has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on the bank’s ATMs.

“We would like to inform that the possible breach of information of debit cards has taken place in the ATM network of another bank. As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed. This has been done in order to protect our customers from any potential fraudulent transaction,” ICICI Bank said.

Even HDFC Bank said the bank’s systems detected a potential compromise of debit cards arising from usage at a non-home ATM network a few weeks ago.

“We immediately notified customers who we knew had used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN. We take this opportunity to stress that all our customers use HDFC Bank ATMs only and also change ATM PINs from time to time to prevent misuse,” the bank said in a statement.