Some 3.2 million debit cards issued by India’s biggest banks may be exposed to a malware-induced security breakdown, the Economic Times newspaper reported on Oct. 20. Most of these cards belong to State Bank of India (SBI), HDFC Bank, Yes Bank and ICICI Bank.
Recently various State Bank of India’s debit card holders got surprised when their ATMs were blocked despite no apparent misconduct on their part at all. Of course, their concern was justified as it was something out of the ordinary. However, it was later revealed that the blocking was part of the country’s biggest card blocking and reissuing spree conducted by the State Bank of India (SBI). This involved re-issuing of roughly 600,000 debit cards (pdf).
The SBI had blocked such an enormous number of debit cards after it got information about a security breach caused by malware in some non-SBI ATM network(s). The bank did inform other branches regarding blocking of the debit cards and requested to immediately re-issue new cards to customers.
A Pune-based branch manager confirmed that the debit cards of their customers have been blocked and SMSs have been sent to notify them about re-issuing of new cards.
According to chief technology officer at SBI, Shiv Kumar Bhasin, the security breach was not identified in any of the SBI systems but other banks have observed breach since a long time. Therefore, customers who have used SBI ATMs need not be concerned. Bhasin further added that:
“A few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised.”
Bhasin has a message for the customers as well, which is as follows:
“Customers need not panic. They can either approach their branch, call up phone banking or use the internet for “re-carding.” They can also set their PINs from their homes using internet banking.”
The SBI doesn’t require banks to notify their customers regarding the probability of security breach on their networks. Bhasin stated that:
“Banks whose ATMs have been infected must come forward and declare those infected ATMs. The onus is on them to stop this.”
The SBI hasn’t yet named the banks involved in the security breach but Bhasin believes that until the situation becomes clear and the problem gets resolved, the affected banks will be considered at risk. On the other hand, Mastercard has also released a statement denying that their system was hacked.
“We are aware of the data compromise event. To be clear, Mastercard’s own systems have not been breached. At Mastercard, safety and security of payments is a top priority for us and we are working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation.”