Lenders need to raise firewalls to protect customer information
MUMBAI: Following the security breach that led to data of almost 3.2 million debit cards getting compromised, banks need to adopt multiple-level authentication, install improved firewalls and allow only a fixed number of software programs at their ATMs, experts said.
The cards belonged to 19 banks, including top ones such as State Bank of India, ICICI Bank, HDFC Bank, Axis Bank and Yes Bank. Over 640 customers have so far complained of being affected with fraudulent withdrawals, which till October 20 totalled ₹1.3 crore. Banking sources said the amount could rise as many transactions may not have been reported.
While banks—both state-owned and private—did not want to comment on the issue, all of them are looking to strengthen security procedures to prevent such frauds, said people connected with the issue.
In an interaction with HT, AP Hota, managing director and CEO of NPCI, an umbrella organisation for all retail payments systems in India, said: “We have global standards of compliance that need to be followed by all banks.”
According to the former country head of ATM management at Yes Bank, Aspy Engineer: “Banks must strengthen security systems first. We can introduce 2-3 or 4 factor authentication, better firewalls at the ATMs, updated anti-viruses and white list the ATMs where only 4-5 softwares can be inserted in a machine and any attempt to infect the ATM with another software will be rejected.”
“Every year in January, we get a compliance report from all banks and we usually take it on face value. Now, in order to be extra vigilant, we need to be more rigorous and ensure compliance is there.”
AP Hota, managing director, NPCI
ATMs run using a CPU similar to those employed on normal computers. White listing restricts the number of software programs that can be installed on an ATM’s CPU; if an unrecognised program attempts to install on such an ATM, it automatically sends an alert to the company.
NPCI’s Hota said it must be made mandatory to link all bank accounts and core banking solutions to the customer’s cellphone to help banks reach out to customers faster.
It is suspected that an unauthorised entry was made at the switch level, which is certified by the PCI DSS (Payment Card Industry Data Security Standard). The switch helps transmit information from and to ATMs. PCI Council, the international body which sets standards for PCI DSS, is conducting a forensic study on the issue. “Additionally, switch-providing companies should also be brought under supervision framework,” Hota added.