It is shameful to even reconcile to the fact that it has happened because of such an issue—outdated systems in the most basic infrastructure of banking ecosystems: ATM
Just before the festive season, Indian consumers were hit with the news of a widespread breach with their debit cards, involving possibly 19 banks, though none is sure what the actual number could be. While a figure of 3.2 million cards was reported by media as having been impacted, National Payment Corporation of India clarified that “the figure of 3.2 million cards is a proactively identified base of customers who have transacted in the set of suspected ATMs in the recent past.” In other words, they could possibly have been impacted but only “641bank customers have complained about fraudulent activity to banks.”
RBI, NPCI and banks have been at pains to reiterate that only 641 customers have complained and only INR 1.3 crore (yes, in this context that is a small number) has been compromised.
The logic seems to be: it is a ‘small’ matter and the hue and cry is disproportionate to the actual incident. That is an extremely dangerous position to take.
What needs to be studied, on the other hand, is how ‘big’ or ‘small’ is the reason behind the breach and hence how a similar incident could impact in the future.
There are few things that need to be noted.
First is the fact that the breach has not happened because of a sophisticated attack. It has been carried out by exploiting a malware in the ATMs. That means even the basic security system is not in place. While the RBI gave a detailed cyber security guideline to banks in last June, that has addressed many advanced issues, this breach is a reminder that when your basic infra and outlets are not secure, advanced practices cannot secure you.
Two, it has been pointed out by Kaspersky and others that the ATMs use outdated software, including Windows XP as operating system, that is not supported anymore by its maker and hence no security updates are carried out. A quick inquiry by me with two PSU banks revealed that it is true. That means potentially, they are softer targets. There are more than 2,15,000 ATMs in India, out of which two-third belong to PSU banks.
Three, many Indian users still do not use sophisticated payment systems but still use cards to withdraw cash from ATM and since the breach source seems to be ATMs, the faith in the system could be shattered. One just hopes that does not lead to a backlash. Banks are the basic building blocks of digital society and a lack of trust in security of banks will impact Digital India plans severely.
Finally, it is shameful to even reconcile to the fact that it has happened because of such an issue—outdated systems in the most basic infrastructure of banking ecosystems: ATM.
The broader message for all tech fraternity is: not updating your systems in time does not just make your business inefficient; it makes it vulnerable. Those who sit on deciding budgets should be delivered the message unambiguously.