Banks need to raise firewalls to protect debit cards
Following the security breach that led to data of almost 3.2 million debit cards getting compromised, banks need to adopt multiple-level authentication, install improved firewalls and employ only a fixed number of software programs at their ATMs, experts said.

Updated: Oct 22, 2016 13:30 IST
The cards belonged to 19 banks, including top ones such as State Bank of India, ICICI Bank, HDFC Bank, Axis Bank and Yes Bank. Over 640 customers have so far complained of being affected by fraudulent withdrawals, which till October 20 totalled ₹1.3 crore. Banking sources said the amount could rise as many transactions may not have been reported.
While banks, both state-owned and private, did not want to comment on the issue, all of them are looking to strengthen security procedures to prevent such frauds, said people connected with the issue.
In an interaction with HT, AP Hota, managing director and CEO of NPCI, an umbrella organisation for all retail payment systems in India, said: “We have global standards of compliance that need to be followed by all banks.”
According to the former country head of ATM management at Yes Bank, Aspy Engineer: “Banks must strengthen security systems first. We can introduce 2-3 or 4 factor authentication, better firewalls at the ATMs, updated anti-viruses and white list the ATMs where only 4-5 softwares can be inserted in a machine and any attempt to infect the ATM with another software will be rejected.”
ATMs run on a CPU similar to those used in normal computers. Whitelisting restricts the number of software programs that can be installed on an ATM’s CPU; if an unrecognised program attempts to install on such an ATM, it automatically sends an alert to the company.
NPCI’s Hota said it must be made mandatory to link all bank accounts and core banking solutions to the customer’s cellphone, to help banks reach out to customers faster.
It is suspected that an unauthorised entry occurred at the switch level, which is certified under PCI-DSS (Payment Card Industry Data Security Standard). The switch helps transmit information to and from ATMs. The PCI Council, the international body which sets the PCI-DSS standards, is conducting a forensic study on the issue. “Additionally, switch-providing companies should also be brought under supervision framework,” Hota added.