India’s Biggest Debit Card Breach: How Prepared Are Banks?

A debit card breach that impacted 3.2 million customers raises questions about bank preparedness

An elderly woman walks by a Yes Bank Ltd. automated teller machine (ATM) branch in Mumbai, India (Photographer: Kuni Takahashi/Bloomberg)

India, with its burgeoning millennial population and mobile explosion, has adopted ‘Digital’ faster than most economies. This rush to gain market share has come at a price. Indian banks are fully aware of the risks and have technologically equipped themselves. It is easy to use a credit card in a place like the U.S., but in India, there is a checkpoint in the form of an OTP (one-time password) or another level of validation. As such, Indian banks have been conservative and careful from a process and technology standpoint.

However, it is also true that malware-related risks, such as the one that has impacted Visa, MasterCard and RuPay cardholders, are very real.

Worldwide, 10 new strains of malware come out every second.

That essentially means 10 potential new zero-day attacks that have never been seen before and may be completely undetectable.

Considering that more than 80 percent of these malware attacks are delivered through browsers, let’s recognise that there is no such thing as ‘perfect protection’. Even so, there are a few things that Indian banks can do over and above what they are already doing.

One such change is a shift in mindset from ‘Detect and Respond’ to ‘Predict and Prevent’. Today, we have technology that can do this for browsers by isolating malware threats outside the IT perimeter of a business, thereby ensuring near 100 percent malware-free internet usage within a corporation. The ‘Predict, Isolate and Prevent’ approach is becoming a primary premise for security transformation within banks in the U.S. and UK.

A second important step is for banks to build a culture of security education, not just among their employees but also their consumers, especially the non-millennial demographic segment of their customer base. This is the customer segment which is naive and prone to such attacks and security lapses. They may sometimes even be unaware of a lapse and loss that has happened in their accounts. This needs to be an ongoing habit and not a one-time exercise.

Have Similar Breaches Happened In Other Countries?

There have been several such breaches across the world. Two examples of significant breaches include the 2013 breach at U.S. retailer Target Corp and the SWIFT breach that led to Bangladesh Bank losing over $81 million.

Let’s look at the Target breach first. Though it happened a couple of years ago, it was very significant. The personal and financial information of approximately 110 million people, comprising 11 GB of data, was stolen in a compromise during the Christmas shopping season. The attack, attributed to a cyber-criminal in Ukraine, was undetected for almost 2 weeks. It was a malware attack, and at the time, none of the anti-virus solutions in the market would have or did detect the malware.

Another significant breach took place in Bangladesh where hackers compromised the SWIFT network and managed to steal $81 million. This was done using a Trojan Horse. The attack happened through ‘spear-phishing actions’ against bank employees, who inadvertently infect their company’s systems with the malware when opening contaminated digital media files. The malware can then go into bank computers and disguise fraudulent requests for money so that SWIFT sends them along without raising red flags.

Need For A Coordinated Response

One of the best ways to respond, other than imposing universal standards, is to improve authentication tools and to use analytics that detect patterns of spending and transfers. This will help catch abnormal behaviour and bring any breaches to the surface quickly.

There are a number of professionals across the industry who are responsible for tracking such breaches and responding to them. They simply need to be equipped better to respond faster.

Samir Shah is chief executive officer at Aurionpro, a technology products and solutions provider.

The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.