Debit card data fraud: What waits ahead for the banks?

The Finance Ministry has asked the various agencies, including the Reserve Bank of India, that are looking into the largest banking security breach, involving over 32 lakh debit cards, to submit their report in 10 days.

Updated: Oct 23, 2016, 23:43 PM IST

Zee Media Bureau

"We expect result of the technical enquiry in the next 8-10 days. This will give us exact picture of the entire incidence. It will give us lead as to where hacking or compromise took place," Finance Ministry sources said.

Earlier this week, Finance Minister Arun Jaitley had said the government asked the RBI and banks to provide details of the data breach and also banks' preparedness to deal with cyber crimes. 

As many as 32.14 lakh debit cards of various public and private sector banks are feared to have been compromised by a cyber malware attack in some ATM systems.

Several banks, including state-owned SBI, have recalled a number of cards while many others blocked the ones suspected to have been compromised and asked their customers to change PIN (personal identification number) before use. 

Fraudulent withdrawals

Fraudulent withdrawals have been reported from 19 banks so far, while complaints have been received from a few banks that their customers' cards were used fraudulently abroad, mainly in China and the US, while the customers were in India.

According to the National Payments Corporation of India, as many as 641 customers across 19 banks have been duped of Rs. 1.3 crore using stolen debit card data.

There are around 60 crore debit cards operational in India, of which 19 crore are indigenously developed by RuPay while the rest are Visa- and MasterCard-enabled.

Of the debit cards affected, about 26.5 lakh are on Visa and MasterCard platforms while 6,00,000 are on RuPay. The breach reportedly involved some 90 ATMs.

The Hitachi ATMs deployed by many white label ATM players and Yes Bank were impacted by the malware, while usage at other ATMs was completely secure.

While Visa and MasterCard have in separate statements stated that their own networks had not been compromised, Hitachi subsidiary Hitachi Payment Services, which manages some of the ATM network processing, was investigating the matter, including whether there was a malware problem. 

This is all your bank may do to save your money

The banks whose customer data was breached in September have stepped up their guard, taking preemptive measures against further theft from customers' accounts. However, you, as a customer, should also know what the bank would do in case you face monetary loss because the bank's security is breached.

The bank shall ensure full security of the debit card. The security of the debit card shall be the responsibility of the bank, and the losses incurred by any party on account of breach of security or failure of the security mechanism shall be borne by the bank, says an RBI circular.

Banks shall keep internal records for a sufficient period of time to enable operations to be traced and errors to be rectified (taking into account the law of limitation for time-barred cases). RBI has also proposed that banks should ensure that a complaint is resolved within 90 days and that, in the case of a debit card or bank account, the customer does not lose out on interest. In the case of a credit card, banks should also ensure that the customer does not have to bear any additional burden of interest.

Bank and customer

Each bank shall provide means whereby its customers may at any time of the day or night notify the loss, theft or copying of their payment devices, and on receipt of notification of the loss, theft or copying of the card, the bank shall take all action open to it to stop any further use of the card.

According to the RBI, on being notified by the customer, the "bank should credit (shadow reversal)" the amount involved in the unauthorised electronic transaction to the customer's account within 10 working days. 

"The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank," RBI said in the draft. Customers have to show that the transaction was not effected by them and happened without authentication. 

You may not be compensated if you have not registered for SMS or phone alerts, despite being asked by the bank. As per RBI, banks must ask their customers to necessarily register for alerts.

Banks could also request you to change your personal identification number (PIN) as a precaution, which you must abide by. As per reports, SBI asked its customers in September to change their PIN, but only 7 percent abided by the request.

You will be issued a new card by your bank at no cost, and you can generate the PIN through SMS/IVRS/internet banking online or on phone, or request home delivery by post.

(With PTI inputs)