After the recent attack on debit cards exposed the gaps in their security systems, banks are getting serious about data privacy. reports Nupur Anand.
Illustration: Uttam Ghosh/Rediff.com
The biggest cyber security breach in recent times that saw data of over 3.5 million debit cards being stolen last month has sent shock waves through the country.
The incident first came to light in late September when card network providers received complaints from banks that their clients' cards had been used to carry out transactions in China and the US even as they were in India.
As service providers swung into action, it soon became evident that the scale of the intrusion went beyond just a few cards: 19 banks were affected by the data breach with SBI, HDFC, Yes Bank, ICICI and Axis being the worst hit.
As people come to terms with what appeared to be a systemic risk, for banks, the challenge now is to prevent the next data breach.
Banks, along with network providers, are mulling over ways to keep intruders out even as they accept that no security measure will ever safeguard them against fraud completely, given that technology is a double-edged sword.
In the recent case, it is believed there was a possible compromise in Hitachi's system that operates several of YES Bank's Automated Teller Machines.
Shikha Sharma, managing director, Axis Bank, says banks will have to be quick-footed to reduce the risks.
"There are crooks who work in the physical world and some who work in the digital world," says Sharma. "Some of them are very smart minds. So, banks have to keep looking at response strategy, how to detect and respond quickly. Look at where fraud comes from and how we are going to improve our systems to detect, control and respond to data breaches. We cannot wish away this issue."
Experts say Indian banks are woefully ill-equipped to deal with such data thefts and instances of fraud on a large scale.
In fact, a recent report by Skybox, a security firm, shows that several companies across the world are not ready to handle cyber frauds or attacks.
'Organisations are least automated (and least confident) in areas related to (a) collecting data about virtual and cloud-based systems and applications and (b) analysing and remediating firewall rules that violate policies and regulations,' says the report.
What is worrying is that most incidents of data breaches are not made public.
This is particularly the case with thefts where financial losses to banks are small; even otherwise, banks are generally slow to respond to such incidents.
In the latest case, it took six weeks for banks and other stakeholders to come out and accept that there indeed had been a data breach.
"Not only banks but even other financial institutions see these attacks largely in terms of loss of brand value for their companies and so they abstain from reporting such incidents," says a consultant who works with banks on cyber security issues.
Unlike the attacks on the central bank of Bangladesh, which led to a loss of $81 million, or in the case of Bank of Japan's $13 million loss in credit card fraud, in the security breach in India, the financial liability has been minuscule.
The total loss has so far been limited to Rs 1.3 crore (Rs 13 million).
Often, banks respond by playing down such incidents.
YES Bank at a press conference after the data breach said, 'YES Bank has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on YES Bank ATMs.'
Hitachi Payment Services has also claimed that an external audit on its ATM networks that it manages for banks has not seen any breach of its systems.
However, third-party vendors can sometimes prove to be a weak link.
Anurag Jain, assistant vice-president (market development, South Asia risk business), Thomson Reuters, says it becomes difficult for banks to ascertain the security level of their third party vendors and this can prove to be a problem area.
As the reputation of vendors is based on the security of their data services, they often do not share details of their systems with banks.
"We have seen that when we ask for visibility to asses or analyse, 99 per cent of the time the general answer is that the logs are either insufficient or only available during a certain period of time," says Karthik Shinde, Partner, EY.
Even though vendors have the intention to prevent security breaches, he adds there ends up being a number of missing elements in their system.
However, after the recent case, banks and vendors are coming together to fight cyber fraud jointly as an industry.
They are also thinking hard on how to address consumer concerns after a cyber-attack has happened.
"Banks have been reassuring their own customers, but they also need to go and assure the customers that the entire network is safe. That degree of comfort would have been more reassuring and is required to ensure customers do not perceive it as a network threat," says Nitin Chugh, country head (digital banking), HDFC Bank.
A united front against cyber fraud has also become more important to ensure the success of mobile wallet players as they start to roll out their services.
Visits to bank branches have just begun to show a decline in urban areas as customers move to digital banking and replace cash with card. Privacy concerns could easily reverse this trend.
Already, digital wallet players are worried the incident could impact the number of transactions on their network.
"At least in the short run," says a private sector banker who does not want to be named, "the data breach will make consumers wary of using digital transactions."
