Major Indian bank debit cards hit by malware, banks play it cool

Close on the heels of RBI's slamming banks on not reporting cyberattacks, reports emerge that the Indian banking industry has been hit by a massive 32 lakh debit card breach.

A month since The Reserve Bank of India issued an ultimatum to Indian banks that all cyber crimes must be reported immediately, Indian banks are waking up to this nightmare. 
In what might be the biggest financial breach to hit the Indian finance sector, reports of a massive breach of 32 lakh debit cards have hit the industry. 
An Economic Times report said that several Indian banks have been hit, whereas cards issued by State Bank of India, ICICI Bank, YES Bank, Axis Bank and HDFC Bank are reportedly the worst hit. The report said that banks in India will ask its customers to either replace or change the security codes of over 32 lakh debit cards. Of these, 26 lakh run on the MasterCard and Visa platform and 6 lakh are RuPay cards. 
Interestingly, The State Bank of India has officially acknowledged the breach. The bank announced that it has taken precautionary measures and blocked cards of certain customers. "Card network companies NPCI, MasterCard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach," said SBI.
Media reports suggest the breach occurred between May and July, when a malware targeted Hitachi Payment Services that affected the ATMs of a bank. 
In a move that confirms the breach, HDFC bank sent out messages to customers requesting them to change their PINs. 
However, some banks maintain that their ATM networks have not been breached. This is an expected response, as admitting to a financial security breach carries a massive blow for the organisation’s reputation.
Are banks universally cagey about cyber attacks?
A recent Reuters report called into light British banks’ unwillingness to report cyber breaches. Loss of reputation prevents them from disclosing breaches, the report said. 
When it comes to a cyber-attack, experts often warn it’s not a matter of if, but when. But the central banking agency in India is all geared up to fight the war against cybercrime and has asked banks to take the vulnerabilities and attackers seriously. 
CIO India spoke to Vidit Baxi, director technology, Lucideus, a cyber security services company. Baxi observed, "It’s not all bad news for the industry, when it comes to taking measures to cyber security, the financial organizations today in India are very matured, especially the banks. You will see them proactively list security do’s and dont’s on their website.” 
Baxi looks at reports of banks sending alerts to their customers to change their ATM pins as a powerful move. “Though it is a reactive step, but if you look at it the other way, the cyber- security was strong enough to detect a possible fraud which made the bank take required measures like blocking the cards. It is a bold step to take for any bank, imagine the amount of business that might have been affected,” he said. 
But what cannot be ignored is the timing of the whole thing. This comes on the heels of RBI’s strict missive to banks that directs them to report all cyber attacks. The origins of the malware and the attackers behind the breach will continue to unfold in the coming days. But SBI’s move to block cards and HDFC’s alerts to change passwords has certainly set the tone.
“There have been speculations but no strong evidence that a malware could have gotten access to the HSM (hardware security module) card. Now if this is actually true, the bank might need to do an entire IT infrastructure scan to be sure of the way forward and to also report if the speculations are true,” said Vidit.  
The media frenzy has begun, but we must also watch out for how the banks decide to deal with it. 
“Most malwares in principal have the capacity to spread on the network, if coded that way. So depending upon the coder, the malware can do multiple things. Many malwares also do not react immediately, they take years and years to finally react and cause a havoc.  So we will really have to wait and see to understand what kind of malware had hit and what it was expected to do,” he said.