India's top banks are asking customers to change PIN codes and recalling millions of debit cards following reports of a malware-based security breach at a number of unspecified ATMs across the country.
State Bank of India, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank have all issued advisories concerning the breach, which may impact up to 3.2 million debit cards. Earlier this week, State Bank of India blocked and recalled over 600,000 cards, while other banks have instructed some customers to alter their PINs and avoid using ATMs that are not on their network.
In a statement, SBI says: "Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks."
Shiv Kumar Bhasin, SBI's chief technology officer (CTO), told the Times of India newspaper: "A few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised."
A P Hota, chief executive of National Payments Corp of India (NPCI) that runs RuPay, told the CNBC TV18 television channel that cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country. Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay.
Hota speculates that the infection spread from a compromised gateway switch. Banking industry sources contacted by Reuters pointed the finger at Hitachi Payment Services, which manages ATM network processing for Yes Bank.
Kspersky Lab, which last month informed Axis Bank of a breach of its servers by an offshore hacker, says ATMs are terrifyingly easy to hack. "Looting an ATM is a trivial task, and banks are losing big," says the firm.
Update National Payments Corporation of India says that the PCI Council governing international security standards for card-based transactions is conducting a forensic audit of the payments switch of one bank "which is likely to be the source of the compromise". Cases of illegal withdrawals have so far been limited to 641 customers of 19 banks, and the total amount involved was 13 million rupees ($194,600), according to the statement.