Millions of Indian debit cards 'compromised' in security breach

  • Published
File photo of people withdrawing moneyImage source, Getty Images
Image caption,

Indian banks have issued nearly 700 million debit cards

A number of major Indian banks are taking safety measures amid fears that the security of more than 3.2 million debit cards has been compromised.

Some of the affected banks have been asking their customers to change security codes. They are also blocking and replacing debit cards.

The breach is thought to have been caused by malware on an ATM network.

Some customers are complaining that large sums of money have been taken from their accounts.

Indian banks have issued nearly 700 million debit cards.

The National Payments Corporation of India (NPCI), which controls all retail payments systems in India, confirmed in a statement that there was a "possible compromise at one of the payment switch provider's systems".

Analysis: Shilpa Kannan, BBC business reporter

A security breach of this scale is likely to create a lot of negative sentiment among bank customers.

While the government is now investigating the incident and most people don't expect a big monetary impact, the reputation damage will be large.

Already, Indians are suspicious of electronic payments and the country is largely a cash economy. Most people use cash for most purchases - whether it's buying vegetables from the street vendor or buying gold jewellery in high end store.

According to a study by Visa, only 10 digital transactions per capita are carried out in India compared to 163 in Brazil or 429 in Sweden. This poses a huge financial burden on the economy and banks have been trying hard to wean Indians from cash.

But they haven't been very successful. Indian banks had issued 697 million debit cards as of July this year - a small number compared to many other countries.

But while the government has been trying to sell cards as a risk free method of payment compared to using physical money, not many are convinced that banks are taking enough cyber security measures.

Indian banks have reported close to 12,000 frauds related to credit and debit cards and net banking in 2015, the government told the Upper House of the parliament earlier this year.

All Indian Banks have cyber security protocols comparable to their international peers says Mohit Bahl, Head, Forensic Services at KPMG India.

"But they are not as robust in constantly monitoring and updating their security measures. This breach could have happened in anywhere in the world. Banking and financial services sector is particularly vulnerable.''

"All affected banks have been alerted by card networks that a total card base of about 3.2 million could have been possibly compromised," the NCPI statement said.

It added that a total of 13m rupees ($194,612;£159,031) have been withdrawn, mainly in China and the US, through fraudulent transactions so far, affecting 19 banks and 641 customers.

Image source, Reuters
Image caption,

The State Bank of India (SBI), the country's top lender, said it had found about 620,000 of its more than 200 million cards were "vulnerable"

The NPCI has urged customers "not to panic" because "corrective actions already have been taken".

"The advisory issued by NPCI to banks for re-cardification [reissuing of new cards] is more a preventive exercise," it said.

Payment platforms like Visa, Mastercard and RuPay said their own networks were not affected but they were helping Indian authorities in their investigation.

Several banks have also confirmed that they were taking measures to avoid fraudulent transactions.

The State Bank of India (SBI), the country's top lender, said it had found about 620,000 of its more than 200 million cards were "vulnerable". But Mrutyunjay Mahapatra, a deputy managing director at SBI, told the Reuters news agency that he did not expect any significant financial loss to take place.

Standard Chartered, Yes Bank, HDFC, ICICI and Axis bank have also taken similar "precautionary measures".