The Great E Bank Robbery in which US$ 45 million (Rs 250 crores) was drawn in cash in about 40000 fraudulent withdrawals spread over 12 and half hours on two different days, across 27 countries is an eye opener to the Cyber Security world on how well the underground Cyber Criminal gang is organized.
The investigations so far have revealed that the information on certain cards were obtained through the hacking of the systems in the data processing companies and were used to clone the cards. But it required a group of individuals who had to go to individual ATMs one after another and draw the cash, stash them in their bags and run to the next ATM etc until they exhausted the cash in all ATMs around them or until they received a “Stop” note from their boss.
We need to note that without the assistance of these “End Point Fraudsters” whom we some times call as “Mules”, the fraud could not have succeeded. It is these end point fraudsters who took the risk of being caught and punished. The hackers who remained in the back felt a lot safer since it is difficult to identify, capture and prosecute them. Similarly even behind these hackers who actually downloaded the card data and increased/removed the card limits, there were others who dropped a Trojan or conducted a Social Engineering attack to steal the access credentials for the sensitive data. There is also a possibility of an existing or past employee of the organization in which the data breach occurred who might have caused the breach either out of financial lure or out of vengeance. The possibility of negligence without malice of such an employee also cannot be ruled out.
At this time it is difficult to say with certainty if the data breach occurred only at the two card processing companies which are in the center of the investigation. If the card data was not effectively encrypted then it would be a serious issue of negligence. It is reported that these card processing companies were “PCI Compliant”.
In this context, it is also necessary for us to focus on the general status of Information Security in the IT Sector and in particular the BPO sector all over India and more so in Bangalore, Pune and Gurgaon. We need to initiate such action as would silence the India bashers in US who have already started their campaign against outsourcing. This can hurt the Indian economy seriously.
We need to recognize that what has happened today to Banks in Gulf and at ATMs in New York or elsewhere can happen or will happen to banks in India and the ATMs in India. Hence Indian Banks as well as RBI should start a campaign to ensure that such “Bank Heists” donot occur in India where Indian Customers will be left to fight with the Bankers in long drawn legal battles. We know that the cases of S.Umashankar Vs ICICI bank has dragged on now for 5 years despite a favourable verdict from the Adjudicator of Tamil Nadu and several more cases are pending with adjudicators for more than 2-3 years. Banks will be happy to take all cases to judicial processes since they can regenerate the lost money within 3 years while the customer is kept waiting for justice.
Now it is time for RBI to immediately constitute an expert committee to ensure that its regulations are strictly followed by banks in letter and spirit. One of the requirements that need to be tightened is the CCTV camera system in ATMs. It is necessary to ensure that the CCTV cameras used are of high resolution and are always functioning. If CCTV cameras are dysfunctional, the ATM should stop cash dispensation. We should also encourage customers to register “Face Recognition Authentication” systems so that there is no way a third party can withdrawn money from the customer’s account. Since some customers are in the habit of allowing their relatives to withdraw the amount on their behalf, they should be properly educated and encouraged to obtain multiple ATM cards for their authorized kith and kin whom they want to authorize withdrawals and have their face recognition built into the system.
We also need to further tighten the KYC system and penalize the Banks heavily when KYC failure leads to frauds. Banks should undertake a security audit of all their outsource partners including those who conduct KYC. I have observed that for genuine customers like me Banks have posed problems in KYC while many fraudsters have been able to open and operate accounts without any problem. This indicates that some times KYC is followed in letter but not in spirit. This has to be corrected.
It is also necessary for Banks to use “Adaptive Authentication” and raise the bar when stakes are higher. This requires a close monitoring of customer behaviour and if Banks are not doing this already, it is a criminal negligence that needs to be punished. Current RBI guidelines suggest such systems to be in place by June 30, 2013 and we need to watch how Banks react to the latest guidelines.
If “End Point Fraudsters” are eliminated through the Face Recognition system at ATMs, better KYC at Banks and adaptive authentication, security can be enhanced by several notches and we can break the back of these Cyber Frauds.
Overall we need to re-evaluate the security of our Banking systems in the light of the Great E Banking Robbery and ensure a Safe E Banking environment.
Naavi
It is reported that the PCI certification issued to Electracard has been withdrawn.
http://economictimes.indiatimes.com/tech/ites/electracard-loses-security-certification-post-45-mn-global-atm-heist/articleshow/20020572.cms