1 of 2

http://www.business-standard.com/article/printer-friendly-version?arti...

30 lakh debit cards under threat? What we know

about the security breach so far
Bankers said the problem was first discovered between May and July.
BS Web Desk | New Delhi October 20, 2016 Last Updated at 11:06 IST

Around 30 lakh bank debit cards may have come under threat after an alleged security breach at Yes
Bank's ATM raised fears of potential fraud. A slew of banks will either replace or ask customer to change
the security codes.The move comes a day after India's largest lender State Bank of India said that it had
blocked cards of certain customers.
Where did the breach originate?
Several reports suggest that the breach is said to have originated in malware introduced in systems of
Hitachi Payment Services, which has enabled fraudsters to steal information. Hitachi Payment Services
manages the ATM network processing for Yes Bank. Other banks have reportedly been affected because
YES Bank ATMs see third-party yransactions too. According to bankers, the breach effected in such a
way that anyone using the said bank's ATMs in the region might stand to get affected.
Bankers said the problem was first discovered between May and July, and banks have resorted to recall
the affected debit cards from September.

20-Oct-2016 11:51 AM

2 of 2

http://www.business-standard.com/article/printer-friendly-version?arti...

ALSO READ: Cyber attack: SBI to re-issue 6 lakh debit cards; Axis admits breach
"Data processes of one private bank was compromised which affected other banks' customers well.
Customers who used that bank's ATM stand to get potentially affected," a public sector banker was quoted
as saying by PTI.
When asked about alleged lapses on its ATM network, an Yes Bank spokesperson said, "Proactively
undertaken a comprehensive audit of ATMs, and there is no evidence of a breach or compromise on
ATMs.
Banks that have suffered
An Economic Times report said the breach has affected State Bank of India, HDFC Bank, ICICI Bank,
YES Bank and Axis Bank the most. The cards, as per the report, include 2.6 million of Visa and
MasterCard and 6 lakh of RuPay cards.
Meanwhile, India's largest bank State Bank of India and its subsidiary banks blocked around 6.25 lakh
debit cards after suspicious transactions spiked at third-party ATM machines. Card holders were unaware
as their cards were blocked without prior notice. The bank subsequently sent emails and SMSes to
customers, alerting them about the blockage.
While State Bank of India said it was re-issuing over 600,000 debit cards because of a potential security
breach, several others are taking pre-emptive to thwart any potential troubles. HDFC Bank reportedly
asked the customers to change their PINs and has also been asking them not to use any other banks' ATMs
as a precautionary measure.
ALSO READ: Security breach: Don't ignore banks' advice to change ATM PIN
What steps are being taken by banks
The steps taken by the bankers include asking customers to change the PINs of their ATM-cum-debit
cards, which has now gone up one level to changing cards as well, if the customers do not comply.
Banks have also been asking their customers not to share the password with any other person in order to
avoid security breaches such as skimming and cloning of cards.
The RBI view
A report in Hindu Business Line says the Reserve Bank of India (RBI) has asked banks to replace debit
cards whose security is suspected to have been compromised after being used in some ATMs.
With online bank frauds on the rise, the RBI had recently proposed that a customer will not be liable to
make the payment if the fraud or negligence is on part of the bank and the customer notifies the lender
within three working days of receiving communication from the bank regarding unauthorised transaction
by a third party. In cases where the victim notifies the fraud between four and seven days, the liability will
be capped at Rs 5,000. The proposed rules apply to all electronic transactions, including payments made
remotely using net banking or cards and payments made in shops using cards or mobile wallets.
With inputs from Agencies

20-Oct-2016 11:51 AM