SBI recalls 600,000 debit cards as questions linger about after-effects

Following reports of security breaches, top banks, including SBI, ICICI Bank, HDFC Bank, have initiated actions to address the issue at the earliest.

While SBI has re-called around 600,000 cards, Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have replaced their debit cards, as a pre-emptive measure. ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM PIN numbers.

“About 0.25% (6.25 lakh) of our total cards (2.5 million) has been blocked. We came to know that some of our customers have used them at some virus-infected ATMs. These were white-label ATMs operated by Hitachi payment services,” said Shiv Kumar Bhasin, chief technology officer at SBI.

But what happens in case a fraud has already been conducted and the customer has already lost a substantial amount of money?

According to Reserve Bank of India (RBI), banks are responsible for security of the debit cards they issue. “Hence, in case of any monetary loss on account of breach of security or failure of the security, the bank is liable to bear the loss,” RBI said in a circular on debit cards issued in June last year.

In a recent draft circular on customer protection, RBI said a customer will not be liable where fraud or negligence is on the part of the bank or for a third-party breach where the customer notifies the bank within three working days of receiving a communication from the bank on any unauthorised transaction.

“For a security breach of such nature, in case a customer loses money, banks will take their complaints and look at the nature of the transaction if it was conducted from the bank’s side or the customer’s side,” said Manju Agarwal, deputy managing director and chief operating officer, SBI. “Depending on the proof of the error, banks will take a call on refunding the amount.”

Transactions worth R219,165 crore are done through debit cards at ATMs on a monthly basis, according to RBI. This averages to around R7,069.83 crore worth of daily transactions conducted through ATMs.

There are currently 201,861 ATMs in the country as of June 30, 2016. Hitachi Payment Systems, where the malware is said to have originated, operates 50,000 ATMs across the country.

SBI has sent emails and SMSes to customers, alerting them about the blockage, and asked them to re-apply for new cards at their respective branches, call up phone banking or use the internet for ‘re-carding’, the bank said.

An ICICI Bank spokesperson said: “The possible breach of information of debit cards has taken place in the ATM network of another bank. As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed.”

“Our systems detected a potential compromise of debit cards arising from usage at a non-HDFC Bank ATM network a few weeks ago. We immediately notified customers to change (their) ATM PIN,” an HDFC Bank spokesperson said.

“This is the first time it has happened to this extent in India. However, the loss is miniscule and banks will have to individually deal with it. Though the error is nothing to do with banks but there has been a glitch in what is called a ‘switch’ in the backend. It is a combination of hardware and software. It can take place with any operator from any region not just US or China. In this case, Hitachi Payment systems have seen the “switch” getting infected with malware. Hitachi is yet to respond on the measures being taken,” A senior NPCI official said.

“The outsourcing partners also need a lot of vigilance and security control to make sure that they don’t endanger the delivery and system risk and there is fair amount of policing as far as outsourcing is concerned and they could sometimes intensify into high operational risks as well,” said Rana Kapoor, MD and CEO of Yes Bank.