Cybersecurity has been a major concern across sectors, more so in the banking and financial sector, as it puts ones money at risk. India just tasted such an incident last week where 3.2 million debit cards have been compromised. Reports show that debit card users of SBI, HDFC Bank, ICICI, YES Bank and Axis are the worst hit. In this case, Hitachi Payment Services was compromised by a malware attack, which allowed hackers to steal the card details. Hitachi provides services related to ATM and point of sale (PoS) terminals. Among all the banks, State Bank of India (SBI) was the first to initiate precautionary measures and block cards of the customers identified by the networks. This was aimed at protecting its customers from any potential fraud. Worst attacks on banks and financial institutions were either through hacking or an attack on security naive employees. Cyber criminals are constantly on the lookout for payment processing organisations that are vulnerable, as all transactions converge there, and many such organisations are also responsible for the upkeep of PoS terminals and ATM machines. An attack on such an organisation will surely lead to more damage and is considered to be the best bet for cyber criminals when compared with skimming or phishing.
Phishing-related scams, which have been happening globally, encompass not just the debit cards but also credit cards and login credentials. Several vendors have developed innovative solutions to mitigate such attempts at the gateways. However, some of the phishing attempts do end up entering into the user’s mailbox. Skimming devices, which are attached to ATM machines, have the ability to capture PINs and card data. Skimming requires advanced hardware. And the stolen data need to be collected by physically removing these devices or through remote access, whose range is again limited by the geographical area. Malware and hacking are being increasingly used by cyber criminals to steal data. Criminals either deploy a custom malware after hacking into payment networks or apply non-intrusive means to ensure that the malware is implanted into the systems. Vendors and banks have been alerting their customers to skimming and phishing attempts. But if payment services organisations are attacked, customers will remain clueless. Several organisations are conducting vulnerability assessment penetration testing (VAPT) audits, using standard automated applications. But, instead of relying solely on the automated vulnerability assessment software to conduct these audits, we have to approach the problem the way hackers do. Organisations should invest in bug-bounty programes or utilise the services of third-party organisations, which will hack the hackers. It’s time for a comprehensive new approach to deal with cyber frauds.