Cyber security


Breach of accounts’ details of customers in about a score of Indian banks that has led to more than 3.2 million debit cards being blocked or recalled should act as a wake-up call for the banking industry. This should also act as an eye-opener for the banking industry in India, which has been the target of the hackers and those criminals which want to not only steal data of the banks but also cash in on the money involved in it. Moreover, the banks also have to realise that they have to increase their monitoring level in the interest of the public money they hold and confidence of the clients they service. While the actual number of complaints received so far, 600, and the sum of money that appears to have been fraudulently withdrawn, Rs 1.3 crore, are both small relative to the scale of the potential data theft, it is disconcerting that it has taken almost six months for the system to officially acknowledge the incidents and initiate steps to address them. In fact, it is unfortunate that it took the banks more than six months to realise what had happened when experts in the field have been issuing warnings to the financial institutions. It is all the more tragic since the Reserve Bank of India and its top officials have been urging bankers for quite some time to accord urgent priority to cyber security. A private bank appears to have been a point of entry for the data criminals who, according to reports, may have infiltrated using malware at ATMs operated by a third-party payment services vendor. Apart from this, there is also a suspicion that some hacker may have used some other form of method for breaching into the banking data from some other source which has remained unidentified so far. The National Payments Corporation of India has been coordinating investigations into the incident, and a forensic audit is expected to reveal preliminary findings soon. The banks in coordination with each should try to curb the menace of misuse of sources which are outside the facilities of the banks’ control. For the government and the banking regulator, much is at stake as the two have sought to move in concert to harness the digital revolution to advance socio-economic policy objectives. It is also important that monitoring should be increased and action should be initiated immediately on the receipt of the first complaint from the clients in order to pre-empt the further hacking by the criminals of the data. It is also to be borne in mind that outsourced centres of the banking should be brought under control in view of the fact that majority of frauds have been committed in the past pointed to the involvement of employees and officials, who were charged with the responsibility of maintaining data of the card users. The central bank in India has been warning the banks and their data repositories to be aware of the intentions of the criminals in the [present digital age. In this context, former RBI Governor Raghuram Rajan’s comment at a recent banking technology conference is instructive: “Payment systems are the plumbing of the financial system; so long as there is no leakage or clogging, we are unaware of their functioning. But when they do back up, the situation becomes catastrophic quickly.” With banks in India having embraced technological change, the onus is on them to integrate inter-generational legacy systems across branches, ATMs and online banking networks into one seamless and secure whole. The Carbank cyber gang’s coordinated and widespread attack, which is estimated to have cost about 100 financial institutions worldwide $1 billion, revealed that today’s criminals are using more and more sophisticated tools to access computer systems at banks. As these may gestate for several months before manifesting themselves, banks can ill-afford to be complacent and approach incidents such as the latest debit card data breach with band-aid solutions. Top managements at lenders should reappraise their cyber culture, heed warnings and alerts promptly, and address shortcomings.