Debit Card Compromise: A Call to Action
Experts Outline Immediate Recommendations for Bank CISOs, Long-Term Ideas for Industry
The recent compromise of details on more than 3.2 million debit cards in India should serve as a call to action for the banking industry to ramp up its security efforts, experts say.
Tough questions are being asked about the state of cybersecurity in banking. While investigations and audits are ongoing in the wake of the card data leakage incident and full reports are awaited, experts say the industry needs to invest in breach detection, improve threat information sharing and eliminate silos, and ensure that basic security hygiene is enforced.
But in the long term, the financial services sector also needs to work together to create a secure banking framework with gradations for organizations of different sizes and different tolerances for risk, says Narenda Sahoo, director and founder of Vista InfoSec, an audit and consulting firm based in Mumbai.
Update on Malware Attack
Several Indian banks recently blocked and recalled more than 3.2 million debit cards fearing fraud due to data leakage caused by a malware infection at a third-party ATM switch used by one of the banks (see: 3.2 Million Indian Debit Cards at Risk).
In a statement on Oct. 20, the National Payments Corporation of India (NPCI) confirmed that, after preliminary investigations, the affected Indian banks had been identified and advisories issued. Payment data on more than 3.2 million debit cards - including Visa, Mastercard and Indian RuPay cards - had potentially been compromised in the incident, reportedly between May and September 2016, NPCI said. The issue came to light when customers began reporting a growing number of fraudulent withdrawals overseas to their banks, prompting an investigation by NPCI and others.
In a second public statement on Oct. 22, NPCI said that only 641 customers had actually been affected by fraud, and that the 3.2 million cards were blocked as a proactive measure to ensure that no further fraud takes place.
Although the banking industry in India has a reputation for being more mature than other sectors when it comes to security, the sector nevertheless apparently failed to promptly detect the coordinated theft of debit card data, which went on for months before fraudulent withdrawals revealed it.
Indian businesses may be massively underinvesting in technology to detect and respond to these kinds of attacks, says Bryce Bolan, CTO for Asia at security vendor FireEye. While banks and other businesses are making big investments in certifications and compliance, they're investing relatively little in proactive detection, he contends.
"As a result, many Indian business leaders mistakenly think their security and risk efforts are effective, but attacks can actually remain invisible and undetected for extended periods of time," he says.
The malware campaign also demonstrates the lack of effective cyber threat information sharing in the financial services industry, experts say. Robust information sharing could have helped banks pinpoint common fraud and threat trends across their networks and led to faster corrective action, they argue.
In the aftermath of the debit card data leakage incident, security experts are offering some best practices that banks should follow.
"Following basic cybersecurity hygiene for ATMs on both the banks and the customer's side will ensure a reasonable degree of protection," says K.K. Mookhey, founder and principal consultant at Mumbai-based NII Consulting. The company is advising one of the banks affected by the leak.
To detect and remediate malware on ATMs, switches and point-of-sale devices, Mookhey recommends that security teams evaluate all executables that are running on sensitive infrastructure and validate that these haven't been tampered with. Practitioners should analyze each service that has been configured on these machines, especially those that are running in hidden mode, he adds.
A whitelisting approach - which involves ensuring that only authorized services and applications are installed and running - could also help with the timely detection of such malware incursions on sensitive networks, ATMs and ATM switches, Mookhey says.
Checking logs for the installation of any new service on the server and watching for multiple logins using service accounts and generic IDs will also help in pinpointing such anomalies, he adds.
He also advises practitioners to check the firewall rules that govern outgoing traffic and correlate them with inbound traffic to determine whether any anomalous patterns are present. Unsupported operating systems, such as Windows Server 2003, need to be replaced as a top priority, Mookhey says (see: ATM Security: The Fundamental Flaws).
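The checks Mookhey describes above - validating the executables on sensitive hosts against a known-good list, spotting newly installed services, and watching service accounts for logons that should not happen - can be scripted. The following Python is an added example, not code from the article or from NII Consulting; the allowlist entries, host names, account names and log lines are all constructed for illustration (the key=value log format is an assumed export format, and the Windows event IDs used, 7045 for a service installation and 4624 for a successful logon, are the standard ones):

```python
import hashlib
import re
from collections import defaultdict

# --- 1. Executable allowlist: approved path -> expected SHA-256 ---------------
# Constructed entries; the byte strings stand in for the real binaries.
APPROVED_BINARIES = {
    "C:\\ATM\\xfs_host.exe": hashlib.sha256(b"xfs host build 4.2").hexdigest(),
    "C:\\ATM\\card_reader_svc.exe": hashlib.sha256(b"card reader service 1.9").hexdigest(),
}
# Directories from which a service image is allowed to run (assumption).
APPROVED_DIRS = ("C:\\ATM\\", "C:\\Windows\\System32\\")


def check_binaries(observed):
    """observed: {path: file_bytes} collected from the host.
    Returns findings for executables that are not on the allowlist or whose hash differs."""
    findings = []
    for path, content in observed.items():
        digest = hashlib.sha256(content).hexdigest()
        expected = APPROVED_BINARIES.get(path)
        if expected is None:
            findings.append(("UNLISTED_BINARY", path))
        elif digest != expected:
            findings.append(("HASH_MISMATCH", path))
    return findings


# --- 2. Log review: new services and service-account logons ------------------
# Constructed sample log in a key=value export format (not real ATM switch logs).
SAMPLE_LOG = """\
2016-06-03T02:14:07 EventID=7045 Host=ATMSW01 ServiceName=CardReaderSvc ImagePath=C:\\ATM\\card_reader_svc.exe
2016-06-03T02:15:10 EventID=7045 Host=ATMSW01 ServiceName=WinUpdSvc ImagePath=C:\\Windows\\Temp\\svchost32.exe
2016-06-03T02:16:01 EventID=4624 Host=ATMSW01 Account=svc_switch LogonType=5 Source=127.0.0.1
2016-06-03T02:20:44 EventID=4624 Host=ATMSW01 Account=svc_switch LogonType=10 Source=10.1.5.77
2016-06-03T02:21:09 EventID=4624 Host=ATMSW01 Account=svc_switch LogonType=10 Source=10.1.5.78
2016-06-03T02:21:30 EventID=4624 Host=ATMSW01 Account=svc_switch LogonType=10 Source=10.1.5.79
2016-06-03T03:00:00 EventID=4624 Host=ATMSW01 Account=ops_jdoe LogonType=10 Source=10.1.5.20
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        fields["Timestamp"] = ts
        events.append(fields)
    return events


def review_events(events, service_accounts=("svc_switch",), max_sources=2):
    """Flag service installs from unapproved paths, interactive/RDP logons by
    service accounts, and service accounts seen from too many source addresses."""
    findings = []
    sources = defaultdict(set)
    for e in events:
        if e.get("EventID") == "7045":
            image = e.get("ImagePath", "")
            if not image.startswith(APPROVED_DIRS):
                findings.append(("SERVICE_FROM_UNAPPROVED_PATH", e["ServiceName"], image))
        elif e.get("EventID") == "4624":
            acct = e.get("Account")
            if acct in service_accounts:
                # A service account should log on as a service (type 5),
                # not interactively (type 2) or over RDP (type 10).
                if e.get("LogonType") in ("2", "10"):
                    findings.append(("INTERACTIVE_SERVICE_ACCOUNT_LOGON", acct, e["Source"]))
                sources[acct].add(e["Source"])
    for acct, srcs in sources.items():
        if len(srcs) > max_sources:
            findings.append(("SERVICE_ACCOUNT_MANY_SOURCES", acct, len(srcs)))
    return findings


if __name__ == "__main__":
    for finding in review_events(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the review flags the service installed from a temp directory, the three RDP logons by the switch's service account, and the fact that the account was seen from four different sources. The same loop can be fed the egress firewall log Mookhey mentions: add a rule that flags outbound connections from the switch to destinations not on an approved list, so that exfiltration paths show up alongside the service and logon anomalies.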
Over the long run, Sahoo of Vista InfoSec says, the financial services industry needs to form a panel of experts to help create a secure banking framework because existing documents and guidelines are only minimally effective.
And given the high degree of technology outsourcing at banks, mandating strict service-level agreement requirements for outsourcers is a must, he stresses. Banks need to conduct periodic audits through third-party agencies to hold these firms accountable and make them financially liable if negligence is proven, he adds.
He also argues that the time has come for India to mandate the disclosure of all data breaches (see: India's Banks Making Progress on Breach Notification).
Sahoo also believes the debit card leakage incident should serve as a wake-up call for the Reserve Bank of India and others to start effectively enforcing existing laws and guidelines. Banks need to stop passing the buck because the next attacks will get progressively worse, he warns.