Multiple blogs have been written on the utility of technology in banking services. So much so that Citibank this year shut down 5% of its branches in India because they were underused, a result of customers’ access to home-bank ATMs and brown label ATMs and their use of netbanking for payments and fund transfers. ATMs are a huge support to working people who do not have time to visit their bank branches to withdraw money, so much so that the ATM and its hosting room are becoming the new payment gateways, which will further reduce the need to visit branches. In this day and age we are witness to the phenomenon of machines taking over the work of humans. Yet we don’t mind it one bit, as it makes our lives more convenient. More often than not we ignore the flaws and risks that come with it, and choose not to mull over how safe this phenomenon is or how vulnerable it leaves us. Because that’s inconvenient! And soon enough a red flag was raised by the recent Yes Bank ATM software glitch, which left 3.2 million card holders exposed to online fraud.
The scare spread like the bird flu and forced experts to analyse and ask the simple question: “How safe are our ATMs?” And as users, we realised the importance of the oft-used business phrase ‘caveat emptor’: the principle that the buyer alone is responsible for checking the quality and suitability of goods and services before a purchase is made.
Let’s understand as laymen what really happened with our ATM cards…
ATMs can be home-bank (managed by the bank) or non-home-bank (brown label, managed by a third party). The software in brown label ATMs is managed by service providers, which in this case was Hitachi Payment Services. The 90 affected ATMs in the present case were connected to the infected server, so the hackers got the information of everyone who used those ATMs and cloned their cards. Since customers often use non-home-bank ATMs, the impact spread to 19 banks. The hack led to misuse of about Rs. 1.03 crores; most of the cloned cards (about 641 in number) were used for transactions in China and the USA, where an OTP is not mandatory for card transactions. (Hindustan Times, 24th Oct 2016)
While Hitachi claims no breach in service, the matter is under investigation. In fact, there are no stringent regulations for ATMs or for debit and credit card services in the RBI guidelines.
Solution to the hack…
No one knows. A hack can only be prevented until the next smart hacker cracks the new code. Banks need to take over control of the ATMs that they currently outsource to third parties because it may be too expensive to run ATM counters all over the country, including in places where they do not even have a branch. The outsourcing partners, meanwhile, need to be a lot more vigilant, ensure security control measures and reduce operational risks. As users of these cards, we need to keep changing our PIN numbers frequently.
-Ms. Monica Mor, Sr. Faculty, INLEAD