How did one server hack compromise 3.2 m debit cards? And can it happen again?
NEW DELHI: Do you catch yourself wondering if it is safe to withdraw cashfromanATMwithyourdebit card? Do you wonder if your personal financial data is safe? You are not alone. The ongoing crisis has spawned an ATM phobia in the public.
The good news is that if you have not had a call from your bank, and your account balance is asitshouldbe,youare—probably — safe. But it would not be a bad idea to change your card’s ATM pin right away.
But how did this one server hackhit90ATMsandaffect3.2million (and counting) cards of 19 Indian banks?
An automated teller machine or ATMisadigitalinterfacewithtwo input and four output devices that connects to, and communicate through,ahostprocessorthesame way as an Internet service provider.Nearly99%ofATMsinIndia communicatethroughleasedlines and the rest on dial-up systems.
ATM-makers such as NCR or Diebold Nixdorf provide the machine and the software for a bank at its preferred location. The bank the connects the machine to its servers.
Companies such as FSS, CMS and HitachiPaymentServicesprovide the ‘switch’ — a payment transfer engine that allows the ATM software to connect to interbank networks.
Most switches are in remote locations, not at the ATM itself. A bank branch that has an ATM is likely to managing its own switch, but the rest may be maintained by agencies such as Hitachi.
The 90 affected ATMs in the present case connected to the one infectedserveratoneprecisepoint in time. So the hackers got information of all the people who used those ATMs, and cloned their cards. Since customers often use non-homebankATMs,theimpact spread to 19 banks.
“A few months back, there were reportsofmoneybeingwithdrawn in China and US from accounts of Indians not living there. This got NPCI, RBI and the banks probing. Soon they realised that the cause for this was a malware attack on a server of Hitachi Payment Services, a company that provides the software for ATMs,” an industry expert said.
Hitachi claims it was not hacked at all. “We had appointed an external audit agency certified by PCI in the first week of September, to check the security of our systemsforanybreachorcompromise based on a few suspected transactions that were highlighted by banks for whom we manage ATM networks.
“The interim report published by the audit agency in September, does not suggest any breach/compromise in our systems. The final report is expected by mid-November.,” Loney Antony, MD, Hitachi Payment Services, has said.
MostATMsarebasicallyPCsrunning on Windows XP, which makes them vulnerable as Microsoft itself has stopped support for the operating system.
Also, most ATMs work on XFS standard — a set of standardistion normsforATMsoftware— which is really old.
“XFSrequiresnoauthorisation for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any other ATM hardware units, including the card reader and cash dispenser,” said a top spokesperson at KasperskyLab,aninternationalsoftware security group. “Should malware successfully infect an ATM, it receives almost unlimited (total) control over that ATM.”
Three main initiatives are recommended. One: ensure physical safety of the ATM, so that no virus can be planted physically.
Secondly, the XFS standard must be improved to help the software protect itself better.
Lastly,“authenticateddispensing” must be implemented to exclude attacks via ‘fake processing centres’ that imitate the bank software, and also encrypt all data transmittedbetweenallhardware units and the PCs inside ATMs.