Despite the report of the ATM fraud/cyber attack on a couple of Indian banks a fortnight ago, India is still safer, compared to many other destinations, said an industry expert.
Even the US — the largest and most advanced economy in the world — still does not have two-factor authentication for credit card usage — a standard that has now become common in India.
Globally, fraud levels are around 4.76 basis points (100 basis points equals one percentage point) of total transactions while in India it is still a fraction — at just around 0.25 basis points, said Deepak Chandnani, CEO, Worldline (South Asia and Middle East). Worldline is a leading player in the digital payments and transaction services space in India. A significant portion of card swipes in the country goes through its IT networks.
“Fraud at ATMs in India have hitherto been extremely low, though this should not make us complacent,” he said.
Following the complaints from 641 customers about their card being misused/hacked, a forensic probe by SISA, a private information security auditor, is on and a report is expected in the next few days.
The exact nature of data compromise is not known yet. Given that fraudulent transactions have been conducted, at least the card-holder names, card numbers, validity dates, CVVs and/or ATM PINs could have been compromised.
Not fully secureDeepak cautions that while EMV chip with PIN and two-factor authentication are important steps towards making the payments network more secure, it does not mean that frauds are impossible.
A determined attacker with sufficient resources will still find ways to breach even the most sophisticated system; and so banks and processors need to be extremely vigilant, he said.
He said according to information available, the fraud was likely the result of the secure payment network (switch) of a third-party processor being infected by malware. This can negate the security provided by other precautions.
That said, issuers need to take steps to ensure that they and all their vendors strictly comply with all security standards. “Systems and processes need to be constantly evaluated to identify weaknesses and address them,” he added.
Asked about the learnings from this episode, Deepak provided what seemed a depressing assessment — that fraud and risk are an integral part of any payment and banking system in the world.
“Fraud has become an organised industry and fraudsters are constantly looking for ways to break into banking and payment systems,” he said. It’s very important to move quickly and decisively when a fraud has occurred, both to prevent further damage and also to restore confidence in the system, he added.
Customer educationHe said customers need to be educated so that they don’t part with sensitive information about their cards, bank accounts, etc., and are vigilant about transactions they do as well as pay attention to emails and messages from their banks.
This is especially important given the large number of new banks and the very large number of people who have recently become bank customers for the first time, he said.