In what is being described as one of the biggest ever breaches of financial data in India, approximately 32 lakh debit cards in India are said to have been affected as customers reported unauthorised usage from locations in China.
The banks worst hit from the cybersecurity attack are reported to be State Bank of India, Yes Bank, ICICI Bank and Axis Bank, among many others. The data breach appears to have affected international card issuers such as MasterCard and Visa, along with India’s RuPay, which together make up for the bulk of 697 million debit cards issued in the country.
As banks investigate the breach on facing the music from the government and the Reserve Bank of India, they are requesting customers to either replace their debit cards or change their ATM passcodes – depending on the vulnerability of each card holder.
While the card breach seems to be the tip of the iceberg of the technological vulnerabilities in the digital banking ecosystem as banks like Yes Bank, Axis Bank and ICICI Bank started requesting customers to change their ATM password in the past few weeks – indicating a problem that was recognised much earlier than it was reported or disclosed in the public domain by the banks.
Meanwhile, authorities suspect more vulnerabilities in the system and have begun to investigate the breach through a forensic audit ordered by the Payments Council of India on the whole server and network infrastructure of the banking system in the country.
“We have received complaints from banks about debit cards being used in China which aroused suspicion,” AP Hota, Chairman of the National Payments Corporation of India told the Economic Times earlier this week. The entire network is being audited for security threats, Hota was quoted as saying.
“Though most of the suspected fraudulent transactions happened in the Visa and MasterCard network, we thought a whole a forensic audit of the entire network will help us find out where the compromise happened,” Hota said.
Even as banks investigate the breach and decide how to compensate the affected consumers, here’s what you can do immediately to make sure that your banking account is safe and secure.
- Change your ATM password: While many banks have urged customers to change their ATM pins by sending out text messages saying that their withdrawal limit will be curtailed till the time they change their passcodes, others have blocked transactions entirely until customers changed their ATM pins. Even if you didn’t receive any such communication from your bank, it will be a good idea to immediately go to the nearest ATM and change your debit card passcode to ensure that you are safe from the data leak, the true extent of which is unknown as of now.
- Don’t ignore communications from your bank: According to the Reserve Bank of India guidelines, banks are supposed to email and text customers about each and every transaction happening from their cards and hence, it is important that you don’t ignore those emails or text messages and read them carefully to make sure that these indeed are authentic transactions.
- Limit transactions temporarily: Banks like the State Bank of India often allow people to set financial and geographical limits on their card transactions. Those fearing the worst might want to contact their bank to set a temporary limit on the transaction size from their card and geographically limit the transactions, and disable international transactions.
- Do not just throw away ATM receipts: They contain clues to your bank account details and should either be completely shredded before throwing or kept safe.
- Change pass-codes regularly: Since this is a cyber security breach, it is another reminder that ATM and net-banking facilities aren’t fully secure so changing passwords on regular intervals is a must – every month is a good idea to mitigate future threats.
- Don’t use the same passcode for multiple cards: Many people – for the fear of forgetting their ATM pins – end up using the same passcode for all their cards which increases their vulnerability as those who get access to their personal data can wipe out money from multiple accounts.
- Be on the lookout for fraudsters over phone and email: Banks aren’t supposed to ask customers for their personal details such as account numbers or passwords. This data breach could be seen as an opportune moment by fraudsters to trick you into revealing your account details. In case of any doubt, check with your bank.