State Bank of India, India’s largest commercial bank, on Wednesday said it had blocked debit cards of “certain customers”, and was issuing them new cards, in “precautionary” measures after being informed of potential risks to those cards.
In another case of security breach, Axis Bank said it has filed a preliminary report about a malware attack to the Reserve Bank of India and hired EY to carry out an investigation.
The issue was not specific to SBI, the bank said, indicating security breach could have spread to other banks as well. “Card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, SBI has taken precautionary measures and have blocked cards of certain customers identified by the networks,” SBI said in a statement.
The bank has blocked around 6 lakh debit cards following a malware related to security breach in a non-SBI ATM network.
“We’d like to emphasise that SBI’s systems have absolutely not been compromised and existing card holders are not at any risk and can continue to use their cards. SBI is in the process of issuing new cards at no cost to those card holders whose cards have been blocked. This is a cards industry incident (not only SBI),” SBI said. However, other banks are yet to make any announcement on the security breach.
However, customers said SBI branches told them the issue of new debit cards can take up to three weeks. “I was told a new debit card issue will take up to three weeks. This means I will have to go to the branch for cash requirements and I won’t be able to do anything online using the debit card for this period,” said a customer.
“Customers of other banks are also likely to be affected by security breach which occurred in an ATM network. Anybody using the affected ATM is at risk,” said a banking source.
Axis Bank said the malware attack was detected in time and was duly informed to the RBI. The bank’s internal monitoring mechanism identified such a threat recently and all steps have been undertaken to neutralise the same, it said. “We stay committed to our customers and it has always been our endeavour to ensure that our customers’ interests are always protected. There has been no loss to our customers,” Axis Bank said.
With online bank frauds on the rise, the RBI had recently proposed that a customer will not be liable to make the payment if the fraud or negligence is on part of the bank and the customer notifies the lender within three working days of receiving communication from the bank regarding unauthorised transaction by a third party.
If the customer’s own involvement is not clearly established, customer liability will be limited to a maximum of Rs 5,000 if he reports within 4 to 7 working days. A customer’s entitlement to zero liability shall arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer for fraud/ negligence on the part of the bank, the RBI said in its draft norms in August 2016.