Over 3.2 million debit cards from several banks in India were hit over the last two months following an ATM security breach through malware infestation.
The issue was highlighted after SBI, India’s largest commercial bank, said on Wednesday that it had blocked 6 lakh debit cards to ward off a security threat. “Card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, SBI has taken precautionary measures and has blocked cards of certain customers identified by the networks,” SBI said in a statement.
The issue was not specific to SBI. Several other banks, such as Axis Bank, HDFC Bank and ICICI Bank, have also admitted being hit by similar cyber attacks. This is one of the biggest security breaches in India.
Here is a short guide to how the breach might have happened, along with some dos and don’ts that you should keep in mind while using your debit cards.
The fraudster jams the ‘Enter’ and ‘Cancel’ buttons with glue or by inserting a pin or blade at the buttons’ edge. A customer trying to press the ‘Enter/OK’ button after entering the PIN does not succeed, and thinks the machine is not working. An attempt to ‘Cancel’ the transaction fails as well. In many cases, the customer leaves, and is quickly replaced at the machine by the fraudster. A transaction is active for around 30 seconds (20 seconds in some cases), and the fraudster is able to remove the glue or pin from the ‘Enter’ button to go ahead with the withdrawal. The loss to the cardholder is, however, limited by the ceiling on withdrawals, and by the fact that only one transaction is possible without swiping the card again and re-entering the PIN. Commonsense advice: do not seek the help of a stranger to withdraw cash, and do not leave the ATM box until the transaction has been cancelled. Banks do not take responsibility for such a fraud, which they put down to negligence on the part of the cardholder.
Sometimes, when a customer uses his debit card at a merchant establishment, the fraudster (who could be a fuel pump attendant, a restaurant waiter, etc.) will make a note of the PIN that is keyed in and, while returning the card, swap it with an identical dummy from a store of several cards he keeps. With both card and PIN, the fraudster can then withdraw cash until the cardholder is able to block the card. Banks advise customers to make sure their card is always in sight, to check that it is indeed theirs when an attendant hands it back, and not to ask the attendant to punch in the PIN at the ‘point of sale’ terminal. In cases of card swapping fraud too, banks do not accept liability.
This kind of fraud is more sophisticated. A small skimming device is planted in the ATM’s debit card slot, where it reads the information on the card’s magnetic stripe. The information, once copied, can be reproduced on any card, which can subsequently be used to withdraw cash. The customer’s PIN is captured by a small camera that the fraudster installs in the ATM kiosk. Banks generally take the liability for skimming frauds and make good the customer’s loss. However, the customer must block the card after the first instance of misuse.
While using your debit card…
Never let anyone see you entering your PIN
Always wait for the ‘Welcome’ screen to be displayed after completing a transaction
Ensure the bank has your current mobile number so you get alerts for transactions
Watch out for suspicious movements of people around the ATM or strangers trying to engage you in conversation
Check if the card given to you by the merchant after completion of the transaction is yours
Check whether there are any visible extra devices attached to the ATM
Inform the bank immediately if your ATM/debit card is lost or stolen, or if you notice a transaction you did not make
Check transaction alert SMSes and bank statements frequently
…AND DO NOT
WRITE your PIN on the card; memorise it
TAKE help from strangers or hand your card to anyone else
DISCLOSE your PIN to anyone, including bank employees and family members
ALLOW your card to go out of your sight
SPEAK on the mobile while transacting; it distracts you