30 lakh debit cards under threat? What we know about the security breach so far


Around 30 lakh bank debit cards may have come under threat after an alleged security breach at Yes Bank’s ATM raised fears of potential fraud. A slew of banks  will either replace or ask customer to change the security codes.The move comes a day after India’s largest lender State Bank of India said that it had blocked cards of certain customers.

Where did the breach originate?

Several reports suggest that the breach is said to have originated in malware introduced in systems of Hitachi Payment Services, which has enabled fraudsters to steal information. Hitachi Payment Services manages the ATM network processing for Yes Bank. Other banks have reportedly been affected because YES Bank ATMs see third-party yransactions too.  According to bankers, the breach effected in such a way that anyone using the said bank’s ATMs in the region might stand to get affected.

Bankers said the problem was first discovered between May and July, and banks have resorted to recall the affected debit cards from September.

ALSO READ: Cyber attack: SBI to re-issue 6 lakh debit cards; Axis admits breach

“Data processes of one private bank was compromised which affected other banks’ customers well. Customers who used that bank’s ATM stand to get potentially affected,” a public sector banker was quoted as saying by PTI.

When asked about alleged lapses on its ATM network, an Yes Bank spokesperson said, “Proactively undertaken a comprehensive audit of ATMs, and there is no evidence of a breach or compromise on ATMs.

Banks that have suffered

An Economic Times report said the breach has affected State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank the most. The cards, as per the report, include 2.6 million of Visa and MasterCard and 6 lakh of RuPay cards.

Meanwhile, India’s largest bank State Bank of India and its subsidiary banks blocked around 6.25 lakh debit cards  after suspicious transactions spiked at third-party ATM machines. Card holders were unaware as their cards were blocked without prior notice. The bank subsequently sent emails and SMSes to customers, alerting them about the blockage.

While State Bank of India said it was re-issuing over 600,000 debit cards because of a potential security breach,  several others are taking pre-emptive  to thwart any potential troubles. HDFC Bank reportedly asked the customers to change their PINs and has also been asking them not to use any other banks’ ATMs as a precautionary measure.

ALSO READ: Security breach: Don’t ignore banks’ advice to change ATM PIN

What steps are being taken by banks

The steps taken by the bankers include asking customers to change the PINs of their ATM-cum-debit cards, which has now gone up one level to changing cards as well, if the customers do not comply.

Banks have also been asking their customers not to share the password with any other person in order to avoid security breaches such as skimming and cloning of cards.

The RBI view

A report in Hindu Business Line says the  Reserve Bank of India (RBI) has asked banks to replace debit cards whose security is suspected to have been compromised after being used in some ATMs.

With online bank frauds on the rise, the RBI had recently proposed that a customer will not be liable to make the payment if the fraud or negligence is on part of the bank and the customer notifies the lender within three working days of receiving communication from the bank regarding unauthorised transaction by a third party. In cases where the victim notifies the fraud between four and seven days, the liability will be capped at Rs 5,000. The proposed rules apply to all electronic transactions, including payments made remotely using net banking or cards and payments made in shops using cards or mobile wallets.