In another huge ATM heist reported from Thailand, it is reported that 12 million Baht equivalent approximately US$ 350,000 or Rs 2.38 crores were stolen by fraudsters.
In the past, ATM frauds have been committed with the use of skimming and cloned cards. In one other instance it has been committed with the creation of cloned cards by hacking into the back end card issue system.
But this Thailand fraud appears to have been committed with a new modus operandi with the use of a malware infection of the ATM machines by inserting cards infected with malware into the machine.
Fraudsters withdrew cash from multiple machines in multiple transactions in 21 ATM machines between August 1st and 8th. There must have been hundreds of transactions since it is indicated that the withdrawals were less than of 40000 baht per transaction.
What is important to note that when the card was inserted, it initiated electronic activities more than the expected process of reading of the card data which was not detected by the system.
Additionally, after the initial payments, the Bank failed to detect the frauds for 6 to 7 days by identifying an unusual pattern of excessive withdrawals from the ATMs.
This indicates a two fold failure of the information security system design.
While we can appreciate the inherent risks of technology as well as the ingenuity of fraudsters to find newer methods of committing a fraud, we must admit that our Bankers and the experts who design their Information Security Systems also should share the blame for major frauds such as these. If they had been alert and designed the system properly frauds such as these should have been detected at least at the end of day one and should not have continued for 6 to 7 days.
It is also important to note that many ATMs run on obsolete operating system software such as Windows XP and are unable to be patched for new exploits. (It is not known if this was one of the causes for this fraud).
Now that this fraud has been reported in Thailand the Indian Banks need to wake up and check their systems to see if this vulnerability can be exploited in India.
If I were the Governor of RBI, the first thing I would have done was to call the Thailand counterpart and find out the root cause analysis of the fraud. If necessary, I would depute some body like Mr Nandakumar Sarvade to take the next flight to Thailand and personally meet the forensic specialists of Thailand to understand the issues involved so that we can check how vulnerable is the Indian ATM system to such frauds.
Well, this is a dream and may not happen. What I however consider feasible is that there are a few private sector White Label ATM owners in India who might want to undertake a tour of Thailand for investigation and understanding of the modus operandi of the fraud so that corrective security measures can be taken in India.
At present there are around 20 such companies including many listed companies. Such companies include Tata Communications Payment Solutions Ltd., Prizm Payment Services Pvt. Ltd., Muthoot Finance Ltd., and Vakrangee Ltd, BTI Payments Pvt Ltd, Srei Infrastructure Finance Ltd, RiddhiSiddhi Bullions Ltd.
For these companies, (As well as all other Banks who manage ATMs) the news report about the Thailand ATM fraud is a “Risk Notice” and immediate action required is to analyze the information and initiate immediate action.
We are now about 36 days to the RBI deadline of for implementation of Cyber Security Framework 2016 and this ATM risk assessment and mitigation becomes an easily recognizable target for the information security team.
The Directors of these Banks and Companies need to therefore demand that in the next 48 hours, an emergency Board meeting may be called to appraise them about the vulnerability of their ATMs to this kind of frauds involving “Malware injection through the ATM Card”.
Will the Bank Directors shoot out an e-mail today to the Chairman to convene such a meeting and demand information?
CISOs in the meantime may try to gather a list of ATMs, the OS systems on which they operate, the risks of malware injection, ability to identify unusual pattern of transactions etc and present their plan of action to secure the Bank against such frauds.
Exciting days ahead for the CISOs….
P.S: My hunch is that Chip embedded cards are more vulnerable to malware injection attack rather than the old day magnetic stripe cards. Any opinion on this view?