The State Bank of India, the country’s largest bank, and its subsidiary banks blocked about 6.25 lakh debit cards of their customers after “suspicious” transactions spiked at third-party ATM machines.
Card holders were caught unawares as their cards were blocked without prior notice. The bank subsequently sent emails and SMSes to customers, alerting them to the blockage, and asked them to re-apply for new cards at their respective branches.
“About 0.25% of our cards have been blocked. We came to know that some of our customers have used them at some virus-infected ATMs. These were white label ATMs operated by Hitachi payment services,” said Shiv Kumar Bhasin, chief technology officer at SBI, without elaborating.
The bank reportedly blocked the cards to avoid misuse.
The total number of debit cards issued by the SBI alone till July-end was 20.27 crore. Of those, 0.25% or about 5.07 lakh cards have been blocked. Including those from SBI’s subsidiary banks — State Bank of Mysore, State Bank of Hyderabad, State Bank of Bikaner and Jaipur, State Bank of Travancore and State Bank of Patiala — about 25 crore debit cards were issued.
Across many circles
“In the past 3-4 days, we saw some unidentified and suspicious transactions at some ATMs and hence the cards were blocked immediately. The cards have been blocked across many circles,” a SBI branch manager in Mumbai said.
SBI customers appear not to be the only victims of this ATM scam. “The damage has been done to many other bank debit cards, including foreign and private banks. This happened a month ago and we saw some data of customers being compromised. With such large number of cards involved, we thought it was better to replace the cards entirely. Largely the cards were magnetic-based,” said an SBI general manager handling the cards portfolio.
Retired IAS officer CV Ananda Bose, a customer of the Federal Bank, claims to have lost about Rs 3 lakh from his account in the scam.
“When my son in the US tried to withdraw some money, he was informed that the account had insufficient funds. I immediately contacted my bank, Federal Bank, and MasterCard and I was told six transactions were made in last two days, emptying my account,” Bose said, adding that he filed a complaint with the bank and the US embassy.
The precautionary measures were taken by SBI in response to an advisory message by card network companies NPCI, MasterCard and Visa, wherein various banks in India were informed about a potential risk to some cards owing to a data breach.
“We’d like to emphasise that SBI’s systems have absolutely not been compromised and existing cardholders are not at any risk and can continue to use their cards. SBI is in the process of issuing new cards at no cost to those card holders whose cards have been blocked,” an SBI spokesperson said.
ATM frauds have led to most banks taking precautionary measures by periodically reminding customers to change their debit card personal identification number (PIN) or password on a regular basis (every month or in 3-6 months). Banks have also been asking their customers not to share the password with any other person, in order to avoid security breaches such as skimming and cloning of cards that could lead to data theft.
When police and forensic officials examined an ATM machine recently, they recovered a skimmer device hidden in the smoke detector on the ceiling. The chip in the card reader was also found removed and money was withdrawn from a number of branches in Mumbai. The police recovered video of three foreigners and arrested one of them from Mumbai.
The Reserve Bank of India has asked all banks to upgrade their debit cards into chip-based EMV cards, which have added layers of security. In a chip-based card, information is not validated by bank servers unless the correct PIN is used, whereas information on a magnetic strip is easily accessible.