If you have received an alert from your bank over the past week asking you to change your PIN, don’t dismiss it as a routine warning. Do it promptly. Even if you have not received any such alert, change your PIN as a precautionary measure.
According to newspaper reports, banks like HDFC Bank, Yes Bank, Federal Bank and DBS have issued warnings to their customers.
“The reason for the warning is the likelihood of a fraud having taken place due to leakage of data from the ATM of a private sector bank,” says Sivarama Krishnan, leader-cyber security services, PWC India.
“Both Visa and MasterCard have confirmed that the Hardware Security Module (HSM) was compromised due to mis-configuration. That led to leakage of PIN numbers, not only of cardholders of that particular bank, but even those of other banks who used that bank’s ATM. So, there is fear of your PIN being compromised, which can lead to a financial loss if your card gets cloned,” says Krishnan.
When we set our card’s PIN, it gets stored in two places: on the card and on the HSM. It is not possible to extract data from the HSM, it can only be verified.
This is what makes it more secure than normal databases, where an administrator can access the data. In the latest incident, it is this security that has been breached, explains Krishnan.
Since many of us tend to have the same PIN for multiple uses like credit card, mobile etc, access of the debit card PIN could allow fraudsters to access credit cards or mobile phones as well.
Customers regard using a debit card at an ATM as a safe transaction since the ATM is supposedly monitored by the bank. This is not always the case. About 70 per cent of ATMs in India are running on outdated operating systems (OS), which makes it easier for fraudsters to crack them.
“Microsoft withdrew all support to Windows XP about two years back, but many ATMs still run on this OS, which makes them vulnerable to malware and frauds,” points out Harshil Doshi, strategic security solutions consultant, Forcepoint, a data privacy and security company.
Banks also use ATM machines of different vendors due to which standardisation of networks and technology is not possible. This too opens up the system to possible fraud, says Doshi.
ATMs in remote locations are not necessarily monitored by the bank. “In India banks don’t manage the ATMs themselves. They outsource the task to independent companies which in turn outsource it to others. Often, a background check of the third-party service providers is not done. Sometimes security personnel at ATMs could be responsible for the loss,” says Krishnan.
Sometimes, fraudsters insert a small drive into the ATM, which then copies and saves any data entered by the customer, like ATM PIN and account number. Then the card is cloned and used to withdraw money. Use the pointers provided in the box to protect yourself against frauds.
Photograph: Danish Siddiqui/Reuters