Jagoinvestor
October 21, 2016
6.5 million Debit Cards compromised in India – Was your card one of them?
Around 6.5 million Indian Debit Cards have been compromised recently which is one of the biggest security breaches our country has seen to date.
Around 641 customers of 19 different banks have reported frauds worth Rs 1.3 crores in total as of now and after that, all banks started investigating the matter. Some of the banks that are worst affected are SBI bank, ICICI bank, HDFC bank, and Axis bank.
Here is a real incident reported by Vishal Sharma on this article below in the comments section
My card got cloned and my account was wiped out on 5th Sept 2016 by cash withdrawals from china . I immediately informed my bank Standard chartered who then blocked my card. It took 10 days and a lot of following up before they gave me a temporary credit.
SBI alone has reported that it has blocked around 6 lacs debit cards and going to issue new cards soon. This is done as a precautionary measure so that no frauds are done on these 6 lacs cards.
As per the following video, these compromised debit cards were used in the US and China while the debit card owners were in India.
How did this all start?
Around Sept start, various customers started complaining to banks about the fraudulent transactions, and that when banks started reaching out to National Payments Corporation of India (NPCI), which found out that it was a malware-related security breach in various ATM’s and Points of sale systems which were managed by Hitachi Payment Services.
That’s when the banks asked its customers to change their PIN. Banks also blocked cards and started providing the new cards to its users.
The banks are saying that this security breach has happened outside the bank’s network, but still, the investigation is going on right now and more details will come up in coming times.
How did the security breach happen & What got Hacked?
As per the above video from NDTV, almost every detail of the card was hacked like
- Name on the card
- Expiry Number
- Card Number
- CVV number
When you use your card at an ATM or a point of sale (in some shop), the data first goes to a central server (central server switch) and that further sends the data to your bank to check if you have balance in your account or not. This central server had the malware sitting and the data was compromised at that point.
Can you take some precautions?
The only thing you can do right now is either change your PIN. Most of the security measures are already taken by the banks, so you can’t do much from your side now other than getting your card blocked (not recommended). You can read more details about this news here
Do you know anyone who faced the card fraud? Can you share that?
What do you think about this issue? What are your views?
Hi, great article.
Unfortunately I am a victim of low cibil score and was looking measures to improve it as I also wanted to avail a personal loan to renovate my house. Please suggest me as the banks keep cibil score as the fundamental factor in giving loans
Here is a guide for that – http://jagoinvestor.dev.diginnovators.site/2016/08/correct-cibil-report.html
Whether i could able to block my debit and credit card international usage/?
Yes you can
Is it really 65 lakhs or 30 lakhs?
The issue has happened because of the lackadaisical attitude of all banks irrespective of numerous RBI notifications to issue chip based cards rather than magnetic ones which can easily be cloned.
And also most of the ATMs are having inadequate security and no security audits are done even monthly.
They are having:
1. Outdated Windows XP(why can’t they use Linux)
2. USB support in all machines
3. Software’s like Teamviewer which allows remote control via web
The updated numbers were 65 lacs
Hi Manish,
Good article.For me, nothing happened. But for the precautionary action, i have changed the PIN for all the cards.
Glad to know that ashok ..
We had a card hacked a few years ago. I am based in the United States. The credit card company saw charges that were being made at locations hundreds of miles from where I live and after a few of them they immediately cancelled the card and refunded me my money. They also sent an updated card. I was pleased with how Discover handled this. Interesting article!
Thanks for your comment PatientWealth
We give away Xerox copies of PAN Card, Passport, Voter ID etc. to Mobile Stores, Insurance Agents and to many people/institutions due to various reasons. Anybody can make further multiple xerox copies from 1 xerox copy. It’s that easy to commit fraud. Background verification needs to be more stringent to avoid such fraud. But companies are more interested in increasing customer base than ensure security of personal data.
I believe best way to avoid (only till an extent) is whenever you are providing any of your document like PAN card, Passport copy to any of the service provider, write on top of the copy :
1. Purpose of the copy provide
2. Date of issue
3. Service provider name
Thats a good point
Are chip based cards secure compared to normal ones
Yes
Chip based card means?
Its a new kind of card which does not have magnetic strip . Read on google
Chip based card hold a SIM like cheap in addition to magnetic strip
Thanks for your comment Goutam G.
What about having iris-scan or finger print scan etc for every transaction at ATMs
In international transactions, PIN has no role
All you need is card no , name and cvv.even OTP is not needed. It is here banks have to work .
Thanks for your comment Pankaj
I have disabled my international usage via INB
My card got cloned and my account was wiped out on 5th Sept 2016 by cash withdrawals from china . I immediately informed my bank Standard chartered who then blocked my card. It took 10 days and a lot of following up before they gave me a temporary credit.
Did the bank reimburse ur lost money?
I am not sure on that, But seems like YES, they will compensate to customers as its not customer fault , but the system issue
Thanks for sharing this with us Vishal ! .. SO you are one of the victims of this fraud !
Internet is one way making our life easy and in other way exposing us to such attacks. I think every transaction should be linked with mobile phone now a days through OTP. If required ATM withdrawal also.
Thanks Manish for sharing this update.
OTP system gives us a false sense of security. In reality, it’s not safe at all. Infact I would say it’s one of the easiest ways to steal someone’s money. How? When was the last time you lost your SIM card? If you did, you would know that all it takes is a phone call to customer care to block your number within 2 mins. There is barely any verification. They may just ask for your DOB. Once blocked, you can go to an authorized mobile outlet of the telecom provider and provide a xerox copy of any identity card to get a new SIM activated with the same number within 30 minutes. It’s easy enough to get a Xerox copy of someone’s identity card since we carelessly give it away all the time.
Now tell me where is the security? If intelligent hackers can crack sophisticated ATM systems, OTP will be child’s play.
Very true…
Hmm…will hackers be able to get sim cards of everyone?
At least OTP will avoid mass hacking incidents like these.
Thanks for sharing that Anjan
When I go with any id card , wont they check it with the name which is already registered for the card ?
Yes, they will. You are not going with just any random person’s ID card, you are going with the Xerox copy of the ID card of the person whose SIM number you want to steal. Getting a xerox copy ain’t very difficult these days, partly due to our own callousness.
ok got your point. YES, if someone is irresponsible enough to leave his PAN xerox etc available to others, then they are open to this kind of fraud chances.
Dear Anjan,
You have very valid point. Here telecom companies can come to rescue. I have re-issued my Airtel SIM card due to lost cell phone. After all documents I received new SIM card but was tols that “SMS facility will not be available for next 48 hours”.
Someone should smart enough if he lost his SIM card or number de-activated due to any reason to immediately contact telecom service providers. Obviously many times they are not supportive but this is one way which can be improved.
Thanks for your comment Santanu