Hitachi Hackers Cashed in on Security Gaps

Ingenuity of attack shows involvement of masterminds, hints forensic audit report

The Economic Times - Front Page - Sugata.Ghosh@timesgroup.com

Illustration: ANIRBAN BORA

Mumbai: From late May to end July of 2016, India was struck by what till now is the worst cyber breach to compromise the country’s payments network. Bank customers, including several foreign travellers, using as many as 3.2 million debit cards feared that their accounts had been hacked. Weeks after the panic — by when thousands had lost money — it surfaced that hackers had penetrated the network of Hitachi to which some banks had outsourced their ATM transaction processing. RBI sent out a flurry of dos and don’ts to banks, held meetings with payments companies such as VISA, MasterCard and National Payments Corporation of India; and Hitachi hired a Bengaluru-based payments security firm to carry out a forensic audit.

The audit report, which was submitted to the regulator last week, brings out an uncomfortable truth that most Indian banks and corporates will now have to deal with: anti-virus and anti-malware devices they have installed are no match for targeted cyber attacks. What this means is that if the code of a malware, floated by the hacker, is written in a clever way, it can overcome most anti-malware walls.

The forensic team, stunned by the level of sophistication and ingenuity of hackers who targeted Hitachi, has found that the malware (which is nothing but software) was so ingeniously written that it could spread within the Hitachi system at an alarming rate. This was despite Hitachi using some of the best security devices.

ET learns that the hackers created a ‘dummy code book’ within the Hitachi system — capturing all possible four-digit numbers from 0000 to 9999 — to steal the PINs (personal identification numbers) of customers as and when they used their cards to withdraw money from ATMs of a private bank in India.

Experts say similar attacks can happen to any payment environment — banks, wallet firms, UPI, IMPS or retailers

