Several banks in India will either reissue or institute a PIN reset on 3.2 million debit cards that attackers likely compromised in a malware campaign.
Individuals with knowledge of the incident report that malware affected the systems of Hitachi Payment Services, a provider of ATM terminals, point-of-sale (POS) terminals, and other systems. They say the attack went undetected for six weeks, which means the malware compromised all customer transactions on the Hitachi network during that period.
It’s believed the malware affected a total of 3.2 million debit cards, including 2.6 VISA and MasterCard cards originally issued by the State Bank of India, HDFC Bank, ICICI Bank, Yes Bank, and Axis Bank, and a number of other financial institutions.
Some of those organizations are warning their customers to be careful about what ATMs they use and to practice good ATM security. As a spokesperson for HDFC told The Economic Times:
“Besides advising those customers who we know have used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN, we are advising our customers to use only HDFC Bank ATMs as we believe security controls at some of the other bank ATMs may not be at par with HDFC Bank ATMs. We take this opportunity to reiterate that it’s always prudent to change ATM PINs from time to time. It prevents misuse.”
At the same time, the National Payments Council of India has ordered an audit to determine what led to the attack and whether actors are abusing customers’ compromised cards.
Fraudsters might already be at work. According to NPCI Managing Director AP Hota:
“We have received complaints from banks about debit cards being used in China which aroused suspicion.
“Though most of the suspected fraudulent transactions happened in the Visa and MasterCard network, we thought a whole a forensic audit of the entire network will help us find out where the compromise happened.”
Indian cardholders who used the Hitachi network over the past two months should pay close attention to their statements for signs of fraud. If they see anything suspicious, they should tell their bank so that those institutions can issue them another card.
News of this breach follows several months after attackers created fraudulent messages using the Society for Worldwide Interbank Financial Telecommunications (SWIFT) network to steal approximately $81 million from the Bangladesh Bank.