A bank customer withdraws money from an ATM counter in New Delhi. Photo credit: PRAKASH SINGH/AFP/GettyImages
A bank customer withdraws money from an ATM counter in New Delhi. Photo credit: PRAKASH SINGH/AFP/GettyImages 
Business

Cyber Attack On ATMs; Debit Cards Highlight Vulnerability Of Our Financial System

ByR Jagannathan

Our mad rush towards a digital future will be seriously damaged by a lackadaisical attitude towards cyber security.

While we cannot know who else apart from China, Russia, the US and Pakistan may be interested in discovering our cyber vulnerabilities, there is little doubt that we have to be super-vigilant against both China and Pakistan.

For a country racing towards the adoption of the most sophisticated payments system in the world and the gradual abolition of cash, India seems particularly cavalier about cyber security. Recent news reports, that 30 million debit cards issued by the biggest banks in India – State Bank of India (SBI), HDFC Bank, ICICI Bank, Axis Bank and Yes Bank – may have been compromised through malware introduced into ATM systems show how quickly confidence in technology-based systems can fall.

That banks knew about this some weeks ago and are still wary about quickly moving in to contain the damage is worrisome. The problem seems to have originated in the Hitachi Payments System, which manages ATMs, point-of-sale machines and other bank services. While SBI has recalled lakhs of debit cards, Axis Bank has engaged multinational professional services firm EY to check if its main servers have been impacted. Yes Bank has said there has been no breach of its network, but is still looking into it. Axis Bank was apparently unaware of a breach, till a Kaspersky Lab official tipped off the bank. The card payment systems impacted include Visa, MasterCard and RuPay. Some of the card accounts hacked were apparently used from China.

India’s banking is substantially done through ATMs, debit cards and credit cards, and now, increasingly by mobiles. As we adopt the Unified Payments Interface, the need for all-round security awareness will be greater, for skimming data from unprotected smartphones will be infinitely easier, especially when user awareness about safe practices and anti-virus protection for mobiles are practically non-existent.

While the short-term answer to the breaches in banks’ security systems is to reissue debit cards, clean up servers and build more firewalls (individuals can change their PINs through internet banking), in the longer term there is no getting away from the fact that India has to invest more in cyber security and anti-hacking capabilities. It must also build capabilities to do this kind of damage to systems in China, Pakistan and elsewhere. In the business of cyber warfare, defence cannot be the only option.

In the digital world of the future, wars will be fought as much in cyberspace as on borders. Future insurgencies will target networks as much as army establishments. With China and Russia investing huge resources in building cyber warfare capabilities – one of the contentious issues in the ongoing US presidential election is the alleged Russian hacking of Democratic Party candidate Hillary Clinton’s emails – India must take up cyber security investments on a war-footing.

Till last year, government officials were still using public email services offered by Gmail and Yahoo, and it was only after Modi came to power that use of these email services was banned for official work. But barely a few months after the ban, The Times of India reported that the website of the Principal Comptroller of Defence Accounts had been hacked. The site had details of officers’ salary accounts among other things. But the website also contained details that would be of interest to our enemies: the exact areas of personnel postings, the units they belong to, their PAN card and bank account details. An Economic Times report notes that the Chinese have been snooping on Indian defence agencies for over a decade.

While we cannot know who else apart from China, Russia, the US and Pakistan may be interested in discovering our cyber vulnerabilities, there is little doubt that we have to be super-vigilant against both China and Pakistan.

Consider the damage China can cause if, in the midst of a conflict with Pakistan, it can immobilise large parts of our banking and payments system. A domestic crisis of confidence in the financial system is not the challenge we need when we are fighting terrorists and its state sponsors.

Cyber awareness should not only cover breaches in software, but also hardware. Hardware, after all, is nothing but software embedded in chips and circuit boards. Consider the biggest vulnerability of them all: our extraordinary dependence on Chinese hardware for our laptops, telecom equipment and mobile smartphones. The Chinese are now close to dominating all these sectors, and it would take very little effort for them to slip in malware into hardware that can be activated remotely when they need to immobilise us. At the very least, we need more checks on the kind of hardware China is dumping here.

We buy Chinese hardware because they are ultra-cheap, but they will compromise us severely whenever we face an eyeball-to-eyeball with either Pakistan or China. As for the US, it may not try to damage our defences, but it will surely be privy to all our economic vulnerabilities and negotiating positions in advance, if it is able to access classified information. It is worth noting that the US FBI has been able to hack into all email everywhere, and also the highly-encrypted Apple iPhone. Remember Stuxnet, the malware introduced into Iranian computers through a joint US-Israeli effort to delay its nuclear weapons programme? Why would the US not do the same to make an existing defence system made in India in order to coax us to buy American?

The cyber world is the last frontier of warfare, and India needs to yank itself out of its complacency in this area.

Our mad rush towards a digital future will be seriously damaged by a lackadaisical attitude towards cyber security.