Today in New Delhi, India
Nov 18, 2018-Sunday
New Delhi
  • Humidity
  • Wind

How did a server hack hit 3.2 million debit cards? Can it happen again?

How did this one server hack hit 90 ATMs and affect 3.2 million (and counting) cards of 19 Indian banks?

business Updated: Oct 24, 2016 08:19 IST
Anirban Ghoshal
Anirban Ghoshal
Hindustan Times
Debit card owners,ATM server hack,ATMs
Several banks, including state-owned State Bank of India, have recalled a number of cards while many others blocked the ones suspected to have been compromised and asked their customers to change their PINs.(Shutterstock/Representative image)

Do you catch yourself wondering if it is safe to withdraw cash from an ATM with your debit card? Do you wonder if your personal financial data is safe? You are not alone. The ongoing crisis has spawned an ATM phobia in the public.

The good news is that if you have not had a call from your bank, and your account balance is as it should be, you are — probably — safe. But it would not be a bad idea to change your card’s ATM pin right away.

But how did this one server hack hit 90 ATMs and affect 3.2 million (and counting) cards of 19 Indian banks?

How ATMs work

An automated teller machine or ATM is a digital interface with two input and four output devices that connects to, and communicate through, a host processor the same way as an Internet service provider. Nearly 99% of ATMs in India communicate through leased lines and the rest on dial-up systems.

ATM-makers such as NCR or Diebold Nixdorf provide the machine and the software for a bank at its preferred location. The bank the connects the machine to its servers.

The switch

Companies such as FSS, CMS and Hitachi Payment Services provide the ‘switch’ — a payment transfer engine that allows the ATM software to connect to interbank networks.

Most switches are in remote locations, not at the ATM itself. A bank branch that has an ATM is likely to managing its own switch, but the rest may be maintained by agencies such as Hitachi.

How infection spread

The 90 affected ATMs in the present case connected to the one infected server at one precise point in time. So the hackers got information of all the people who used those ATMs, and cloned their cards. Since customers often use non-home bank ATMs, the impact spread to 19 banks.

Really a hack?

“A few months back, there were reports of money being withdrawn in China and US from accounts of Indians not living there. This got NPCI, RBI and the banks probing. Soon they realised that the cause for this was a malware attack on a server of Hitachi Payment Services, a company that provides the software for ATMs,” an industry expert said.

Hitachi claims it was not hacked at all. “We had appointed an external audit agency certified by PCI in the first week of September, to check the security of our systems for any breach or compromise based on a few suspected transactions that were highlighted by banks for whom we manage ATM networks.

“The interim report published by the audit agency in September, does not suggest any breach/compromise in our systems. The final report is expected by mid-November.,” Loney Antony, MD, Hitachi Payment Services, has said.

Weak points

Most ATMs are basically PCs running on Windows XP, which makes them vulnerable as Microsoft itself has stopped support for the operating system.

Also, most ATMs work on XFS standard — a set of standardistion norms for ATM software — which is really old.

“XFS requires no authorisation for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any other ATM hardware units, including the card reader and cash dispenser,” said a spokesperson at Kaspersky Lab, an international software security group. “Should malware successfully infect an ATM, it receives almost unlimited (total) control over that ATM.”

How to stop hacks

Three main initiatives are recommended. One: ensure physical safety of the ATM, so that no virus can be planted physically.

Secondly, the XFS standard must be improved to help the software protect itself better.

Read | Amid debit card security breach, victims of ATM frauds tell their tales

Lastly, “authenticated dispensing” must be implemented to exclude attacks via ‘fake processing centres’ that imitate the bank software, and also encrypt all data transmitted between all hardware units and the PCs inside ATMs.

First Published: Oct 24, 2016 07:44 IST