Naavi.org has pointed out several times in the past the security risks in the Indian Banking system and how the customers are vulnerable. We have also pointed out the responsibility of RBI in this regard. It is therefore no surprise at all that we are now talking of 32 lakh card data having been compromised. The writing has been clear on the wall and only some people preferred not to see.
Conventional Media as always remained silent when they should have raised an alarm and are now focusing on the sensational part of the story. What we now need to focus on is on the “Negligence” of the Bankers and RBI besides the organizations meant to secure the Cyber space in India.
In the instant case, it is reported that a malware sneaked in through one brand of ATMs (namely Hitachi) in one of the Banks (namely Yes Bank) and then wormed its way to the ATM switch operated by NPCI. For over 3 months, the malware is said to have remained in the Switch and sniffed at the traffic. This means that the card data passing across the switch which could be not only of cards of Yes Bank but other banks were copied and sent by the malware to systems controlled by the perpetrators of the massive data breach. Some news papers have indicated that the data has been stolen by Chinese. If so, we are really talking of a “Cyber War”. However it is not clear if it is a state sponsored attack or simply a bigger crime syndicate attack.
If all data required for authenticating the payment passes through the switch, then all of it might have been stolen. This contains the data such as the name, card number, expiry date, CVV number etc which are sufficient to conduct an online transaction. It may also contain some data in hash/encrypted form such as the PIN.
The fraudsters can by observing the pattern of the data in multiple transactions can easily generate the decryption keys and break the encrypted data and compose the entire set of data regarding the Card that would enable them to use the card in both online and offline situations.
We can recall that in December-March 2013, over Rs 200 crores of cash were drawn from US ATMs in a few hours in which several cards cloned out of 12 stolen card data in a coordinated E-Robbery from an international criminal gang. The money belonged to customers of Bank of Muscat and Indian back end data processors were responsible for the breach.
Now we are staring at about 32 lakhs of data having been compromised. The potential loss that may befall on the public, this time customers of Indian Banks in India is unimaginable.
We must appreciate that SBI had been bold enough to recall its 6 lakh cards and disclose the data breach to the public without which the vulnerability and the breach would have been hidden longer.
Now if the adverse consequence of the breach needs to be mitigated and contained, there are some immediate actions that are required to be taken by the Banking system.
- First of all we need to ensure that no card owner would be liable for any loss arising out of misuse of cards. SBI has blocked its cards and other Banks who might have been exposed should also do the same. For this, we need to identify the date from which this particular malware could have started collection of data and all cards which have been processed through the same switch since then should be identified, blocked and replaced by the respective Banks.
- Any reportedly fraudulent transactions of such cards in the last two/three months since the malware was active should be cancelled without demur by the Banks and amounts credited to customers immediately without interest loss.
- RBI should open a special customer complaint center for this card frauds and collect public complaints in this regard since we cannot trust individual Banks to act
After these preliminary action we need to ask questions of those who were entrusted with the management of these systems.
- The supplier of Hitachi machines need to be investigated to understand how the vulnerability arose. If it is because of non patching of the operating software or such other fundamental security lapses, both the manufacturers as well as the Banks and the persons responsible for maintenance should be investigated for “Negligence” and penalties fixed. The penalties cannot be Rs 5 lakhs to 1 crore that RBI is talking of. It should be in the range of Rs 100 crores plus without which the Banks will never feel the pinch and take security steps for the future.
- The NPCI should explain how as manager of the switch it could not identify the malware and the diversion of data to unknown destinations whether in China or not. The vulnerabilities in this need to be identified, removed and responsibility fixed.
- Banks were subject to the new Cyber Security Framework (CSF-2016) regulations applicable from June 2, 2016 in which several new security measures including the data breach notification were introduced. It is time to review how many of the Banks were in breach of these regulations and fix responsibilities.
- Officers in RBI who failed to follow up non submission of data breach notifications and confirmations of compliance of the CSF-2016 should also be cooked for their negligence and apathy.
- IDRBT is the wing of RBI that is entrusted with its own responsibility of security and should have been a whistleblower much bigger than Naavi.org. But has it done its duty?… There should be an introspection at this organization. Failures should be made accountable.
- Similarly, CERT is also entrusted with its own responsibility of security at the national level and should have been a whistleblower much bigger than Naavi.org or IDRBT. But has it done its duty?… There should be an introspection at this organization. Failures should be made accountable.
I hope that we shall not rest with the satisfaction that only 1000 frauds were reported etc. If so we should thank our stars but proceed to secure our system that there would be no repetition of the incident in future.
There is a serious need to review the operations of NPCI from the security perspective and have a suitable oversight that prevents such mishaps in future when our neighbors in Pakistan and China are itching for a Cyber War which will like the Cross Border Terrorism be another asymmetric war in which India will be at the receiving end.
We closely observe how the Ministry of Home Affairs under Mr Rajnath Singh, and Ministry of IT under Mr Ravishankar Prasad and Ministry of Finance under Mr Arun Jaitely respond to this crisis. So far they donot seem to have stirred and so is Mr Urjit Patel, the Governor of RBI.
I look forward to a Press conference today in Mumbai by Mr Urjit Patel to explain the RBI stand and also a joint press conference in Delhi with the three ministries to explain their stand.
P.S: RBI and Ministry of Finance is reported to have called for “Reports”. Necessary first step…but not good enough as an emergent measure…