It was very much expected.. And know it very well despite of all claims made by Banking Institutions and Technological Experts that “every aspect of your your Online presence are open to breach” … Most of the time by the same Banks, Handling Institutions and Technology Service providers and occasionally to every  traditional perils of the world lurking online

The problem

About 30-32 lakh debit cards are learnt to have come under threat of potential fraud after a ATM security breach through malware infestation. According to media reports, the payment systems of Hitachi Payment Services were infested with malware that helped miscreants to steal personal information and do fraudulent transactions.

Banks, cards affected

A report in The Economic Times says citing sources that cards issued by State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank as “worst affected”. The cards, as per the report, include 2.6 million of Visa and MasterCard and 6 lakh of RuPay cards.


How the breach happened

The breach might have happened at YES Bank as Hitachi manages the bank’s ATMs, says a report in The Times of India. The reason why other banks became vulnerable is because YES Bank ATMs see many third party transactions, says the report. What is worrisome is that the breach was effected in such a way that anyone using the bank’s ATMs in the region would risk having data compromised, a PTI report said citing bankers.

“Data processes of one private bank was compromised which affected other banks’ customers well. Customers who used that bank’s ATM stand to get potentially affected,” the PTI report quoted a banker as saying without naming the bank. Though the bankers claim the breach has not led to any monetary losses to anyone, the ET report says some customers have complained of unauthorized usage from China.

YES Bank on its part has “proactively undertaken a comprehensive audit of ATMs”. “There is no evidence of a breach or compromise on ATMs. We continue to work with relevant stakeholders, including other public sector and private banks, and NPCI, to ensure utmost safety and security of ATM network and payment services which are completely safe to use,” a bank spokesperson told the PTI.

Hitachi too has denied that its systems have been compromised. “I do not think it is necessary for any bank to reissue cards,” Loney Antony, MD, Hitachi Payment Services, has been quoted as saying in the ToI report.

Steps taken by banks

The breach happened sometime between May and July. Banks have been alerting customers to change the security PIN or even replacing the cards. Bankers have told PTI that all measures being taken are to safeguard the system against any potential threat.

RBI steps

The PTI quotes an RBI official as saying that the central bank is seized of the matter and is looking into the issue. According to the Times of India, the infested systems have been quarantined and inspected, the affected cards have been spotted. The RBI has also asked banks to inform it about any suspected fraud immediately, the report said.



AP Hota, Managing Director and Chief Executive Officer of National Payments Corporation of India – the domestic payment gateway discusses the recent suspected debit card data compromise issue and the lesson we learn from the episode.

What are lessons that we learn from this episode?

One of the lessons that have come out very clearly is that we were thinking that 100 per cent of the customers have linked their mobile number to the bank account, But it is no so. As far the information we have got, it is only 50 per cent of the customers whose mobile numbers are registered with the bank.

NPCI gave a statement yesterday saying there is no need for customers to panic. Why do you say so?

If at all there was any card compromise, if at all, the fraudulent transactions should have happened by now and the customer would have complained. A total 641 complaints have come in the first week of September and not now. And the card compromise, if at all that has happened, it happened in June and July. The fraudsters would have taken sometime to make the cards, and fraudulent transactions would have happened in August and September. By this time, the customers and banks have changed the pin also. If the pin is has not been changed, the card if blocked.

But is there a failure on the part of the bank to educate their customers?

Customer education is a continuous process. We cannot say it is a part of the failure of the banks, but they could have done more.

It has been noticed by several customers that there are some small value transaction for which banks don’t sent alerts…

As per RBI circular, irrespective of the amount the bank should send alerts. RBI has also allowed that if the banks so like they can charge the customers for the mobile alerts service. But some banks have decided not to charge but fixed a transaction limit beyond which they will send the alert. Banks should follow what RBI said and not make their own rules.

Who will compensate the customers for any loss?

RBI has clear guidelines on the issue. As far as the customer is concerned, once it is proven that the transaction is fraudulent, banks will reimburse. And the bank later on would get reimbursed from the bank which is responsible for the fraud.

For example, in the 641 complaints, the largest number if from Axis Bank. Axis Bank will refund the customers and they in turn will get compensated once it is proven that switch of other banks is at fault. There are well laid out ruled for that.

There was not a single complain on RuPay cards, mainly because our RuPay international cards are less. All the complaints were from Visa and Mastercard.

What are the steps that banks should take to avoid such incidents?

All the banks have should have the fraud risk management tool. They can subscribe to NPCI services and most of the banks have subscribed. Banks also must conduct the PCI-DSS audit (Payment Card Industry-Data Security Standard), once in an year to ensure how the data security should be maintained.

Do you think the incident will affect RBI’s vision of a cashless economy?

No don’t think this incident will not effect the RBI’s vision of a cashless economy. I think our payments system is robust.


So you might have heard what the authorities and experts are still claiming..

But, Don’t be fooled.. You are always at risk in Cashless Economy and you will never be the owner of your own wealth..

There are a lot more things you need to know about Cashless System which will really make you cashless.. We will disclose you all at “Arrested Development”.

More to come…!


Along with thanks and compliments to the sources for the shared data

Creative Commons Copyright © Arrested Developments 2015

%d bloggers like this: