The recent fraud in which Rs 94 crores were siphoned off the Cosmos Bank system on August 11th and 13th through over 14800 ATM withdrawals has once again highlighted that for fraudsters it makes no difference whether the money comes from a Cooperative bank or an SBI. They seek to attack the systems where the security is weak.
If a Bank like Cosmos Bank of Pune thinks it is big enough to offer cards and ATM facility to its customers and implement a CBS system over multiple branches, it must understand that doing so expands the exposure of its systems and requires adequate security measures to be in place.
A few years back (2013) the Bank of Muscat fraud was carried out, in which about Rs 250 crores were fraudulently drawn out from the Bank through about 40000 ATM transactions carried out in 27 different countries in two bursts, each of which lasted only a few hours. The fraud was carried out by hacking into the back end systems of the card data processors in India. The second and larger burst of this fraud occurred three months after the first, indicating that the vulnerability was not recognized and corrected when the first burst of withdrawals took place.
Subsequently RBI has been warning the Banks to ensure that adequate security measures are taken. But at the same time, RBI has been pushing co-operative Banks to use technology without providing them adequate support and time to introduce security measures. In the meantime some of the Co-operative Banks have grown big and introduced innovative technology based services without adequately covering the risks.
The Cosmos Bank episode is indicative of this negligence, as the method of withdrawal of the money by the fraudsters is similar to the Bank of Muscat fraud, namely cloned cards used to withdraw money from ATMs in foreign centers. But the modus operandi appears more sophisticated.
In the Bank of Muscat incident, the systems of the card processing companies were hacked and the information of about two dozen prepaid cards was changed. In the Cosmos Bank case, it appears that the fraudsters created a proxy server to approve the ATM transactions and bypassed the real CBS system to fool the ATMs into believing that the transactions were approved by the Bank. They also cloned debit cards, both VISA and RuPay, and withdrew money in 28 different countries. One of the contributory factors was that the ATMs were using the Windows XP system, which some time back was also the cause of a ransomware attack on some Indian Banks.
Though NPCI has indicated that there was a malware attack in the Bank that created a proxy authentication system, NPCI cannot wash its hands of the matter, because there are several security measures which it may be able to implement at the Switch level to prevent frauds of this nature.
For example, it is not clear why the ATM switch operated by NPCI should allow any ATM anywhere in the world to connect to it if such ATM is running on a Windows XP system. It would have been prudent for NPCI to stop servicing such outdated and proven fraud-prone systems, even if such systems are from abroad.
Also a question needs to be asked: if there is an ATM withdrawal request (and thousands of them in quick succession) from Co-operative Bank customers from abroad, does it not automatically indicate a “Risk”, since we do not expect customers of Cooperative Banks to be globe trotting executives?
It is our view that such transactions should have been stopped and flagged at the switch itself before being transferred to the Bank’s server.
I am sure that NPCI will frown if we say that they are responsible for the breach of security in Cosmos Bank, but we need to ponder whether they could have prevented the Cosmos Bank fraud by upgrading their own risk identification and management measures.
But unless we accept that the ATM, the Switch and the Bank’s server are all parts of an integrated financial authentication system and secure the transaction in its totality, the customers of the Banks and the owners of the Banks will be exposed to risks that will ultimately fall on the individuals who trusted the system.
From the legal perspective, it is the Bank which engages the services of the Switch and the ATM to provide services to its customers, and it has to ensure through contractual agreements that the intermediaries provide secure service. It follows that if Windows XP systems in ATMs are considered obsolete, they should not be used by the ATM operators and the Switch should refuse service to such ATMs.
The Switch operators cannot be dumb routers of transactions but should implement and manage their own security systems to detect suspicious transactions.
In particular, approving transactions from abroad, where any further investigation lies outside the legal jurisdiction of India, should be subjected to a greater level of security prescriptions.
It does not matter if a stray individual is unable to draw money from an ATM while he is on a tour of Thailand or Turkey and complains of bad service; but it is essential that, in scoring the brownie point that the Bank can issue globally acceptable debit cards, the security of the Bank itself is not jeopardised.
RBI should therefore immediately instruct NPCI to impose restrictions so that any ATM debit transaction request coming from outside the country is flagged as a special case and subjected to better security measures, even while the Banks are also required to do so. It is in fact possible that it is only at the switch that a transaction can be reliably identified as coming from abroad.
Additionally, the switch should maintain the digital signature of all ATMs installed in India, so that it can instantly identify whether the call is from an Indian ATM or from abroad and initiate the necessary security procedures as required.
The Switch should identify any abnormal pattern of withdrawals and take immediate action to block the suspicious ATMs or Cards, to prevent continuance of the fraud over an extended time.
Probably frauds will continue to happen even with increased security preparedness at the Switch, but it would make the life of the fraudster difficult and reduce the incidence of frauds.
I look forward to comments from security specialists on the above.
One of the alert readers of the post has suggested some corrections to what is stated above and I am happy to add the clarifications:
- Within India:
  - an ATM of a particular Bank connects to the switch operated by the respective Bank when the transaction relates to the Bank itself;
  - in respect of Inter Bank transactions, the authentication call is routed through NPCI.
- In the case of foreign transactions, it may be routed through the payment gateway of VISA or an agent of RuPay, which could be an acquiring Bank in that country; this, being an interbank transaction, may go through the NPCI switch.
- In all cases some information such as IP address, ATM ID, Acquiring Bank transaction ID etc. is collected. The OS details may not be presently collected.
- NPCI Switch comes into play in InterBank requests and not in inter-bank debit card transactions.
I thank the reader for the clarifications. NPCI may try to check if it can re-define the parameters that the ATM request should contain and how it can be expanded if required so that at least transactions from abroad are filtered effectively.
Transactions in India can be tracked further, since RBI insists on CCTV in ATMs, and some remedy against the mules is possible.
In the case of withdrawals from abroad, the hands of law enforcement are tied. Consultants like us insist that they register FIRs, and they are uncomfortable since it is a dead end of investigation anyway.
Further add-on:
RBI has indicated that by default cards should not be payable outside India. Banks should ensure that a card is payable abroad only at the specific request of the customer. If therefore a request comes from outside India, the Switch as well as the Bank’s Server should recognize that it is an exceptional transaction and subject it to some kind of secondary verification. ATM transactions in India, online transactions and international transactions should be recognized as different levels of transactions and subjected to differential levels of authentication. Responsibility for this has to be taken by all the stakeholders, since the objective is to make the system more secure.
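As an added illustration, not code from this post or from NPCI, here is a rule-based screen of the kind argued for above: a registry of ATMs installed in India, international use off by default per card, a step-up for requests from abroad, and sliding-window burst limits that block a card or an ATM showing an abnormal withdrawal pattern. All ATM and card IDs, thresholds and the request feed are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the registry of ATMs installed in India (hypothetical IDs).
INDIAN_ATMS = {"ATM-IN-001", "ATM-IN-002"}
# International use is off by default and enabled only at the customer's request.
CARD_INTL_ENABLED = {"CARD-A": False, "CARD-B": True}   # hypothetical card IDs
CARD_LIMIT, ATM_LIMIT = 5, 20          # withdrawals allowed per card / per ATM in WINDOW
WINDOW = timedelta(minutes=30)


class SwitchRiskScreen:
    """Rule-based screen applied at the Switch before a request reaches the issuer."""

    def __init__(self):
        self.by_card, self.by_atm = defaultdict(deque), defaultdict(deque)
        self.blocked_cards, self.blocked_atms = set(), set()

    def _count(self, store, key, ts):
        # Sliding-window count of requests seen for this card or ATM.
        q = store[key]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def screen(self, req):
        card, atm, ts = req["card"], req["atm"], req["ts"]
        if card in self.blocked_cards or atm in self.blocked_atms:
            return "DECLINE"                      # already contained
        if self._count(self.by_card, card, ts) > CARD_LIMIT:
            self.blocked_cards.add(card)          # abnormal burst on one card
            return "DECLINE"
        if self._count(self.by_atm, atm, ts) > ATM_LIMIT:
            self.blocked_atms.add(atm)            # abnormal burst at one ATM
            return "DECLINE"
        if atm not in INDIAN_ATMS:                # request originates abroad
            if not CARD_INTL_ENABLED.get(card, False):
                return "DECLINE"                  # card not enabled for use abroad
            return "STEP_UP"                      # exceptional: secondary verification
        return "FORWARD"                          # domestic and within limits


def run_sample():
    """Constructed feed: one domestic request, one foreign request on a card not
    enabled for abroad, then a rapid burst of foreign requests on an enabled card."""
    t0 = datetime(2018, 8, 11, 2, 0)
    feed = [{"card": "CARD-A", "atm": "ATM-IN-001", "ts": t0},
            {"card": "CARD-A", "atm": "ATM-XX-900", "ts": t0 + timedelta(minutes=1)}]
    feed += [{"card": "CARD-B", "atm": "ATM-XX-900", "ts": t0 + timedelta(minutes=2 + i)}
             for i in range(7)]
    screen = SwitchRiskScreen()
    return [screen.screen(r) for r in feed]
```

The sixth burst request on CARD-B exceeds CARD_LIMIT, so that request and every later one on the card are declined; the ATM itself is blocked only once its own limit is crossed.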
Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.