India suffered its largest data breach last month, which became public only on October 19th when State Bank of India (SBI) blocked 0.6 million debit cards. Later, news broke that about 3.2 million debit cards across major banks, including ICICI, HDFC, AXIS and YES Bank, had potentially been breached by hackers.
The breach occurred at ATMs serviced by Hitachi Payment Services. According to media sources, the breach happened because these ATMs were infected with malware. Who did this? Nobody knows as of now! But many people have reported unauthorized transactions from their accounts that have been traced to foreign countries.
A forensic investigation of the breach is underway, and the details will be known only when the report is issued. Whether we, the public, will come to know the details of the breach will depend on the magnanimity of the government and the banks. This is because there is no breach disclosure law in India that requires banks to disclose information concerning all breaches, although the day is not far when such legislation will be enacted, as it has become the norm in most cyber-aware countries.
However, one lesson we need to take from this breach, which neither the government nor the banks would share, is that India will continue to be targeted by hackers, and the attacks are only going to increase and become more sophisticated in the future. This is because the rise of the digital economy is not serendipitous but rather an anticipated outcome of human advancement in science and technology.
A particular aspect of this change is the increasing number of cashless transactions taking place in the Indian payment eco-system. People now like to purchase things from e-commerce websites, pay their bills online, and carry debit/credit cards instead of cash; and as the dependency on technology advances, cybercrime will also advance, becoming more frequent, complex and sophisticated.
There is little doubt that the life of the average consumer has become easier owing to cashless services, but what’s ignored by the banks and the consumers themselves is the negative fallout of a cashless economy. Financial institutions invest less in the security of their assets and information than they spend on getting more business to achieve their annual targets.
Similarly, the average consumer is hardly aware of the number of ways he/she can be scammed or robbed of his/her sensitive financial data, which in turn is used for stealing his/her identity or making fraudulent transactions. Even the banking staff is mostly unaware of the basic security threats and risk mitigation strategies they need to follow.
The primary reason behind this state of the Indian financial system's security infrastructure is the lack of cyber awareness and information sharing. The private sector is nowhere close to where it should be in cybersecurity because, except among a very small number of banks, no information sharing takes place between the public and private sectors.
At the same time, the threat landscape continues to evolve, with recent DDoS attacks on western networks and spear phishing campaigns weaponized to deliver credential-stealing malware, destructive malware and ransomware. Although Indian companies have not experienced it closely, in the past decade or so the damage caused by cyber attacks has grown from damaged brand reputations and account takeovers to bringing critical infrastructure to its knees.
As India marches on the path of development, it will face new challenges related to securing its infrastructure. The ask is simple – in such a high-risk environment, security teams need to be proactive.
This can be done by investing in information sharing and joining networks like the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share threat and vulnerability information with peer banks, conduct contingency planning exercises, and enhance collaboration among banks and with other critical sectors, such as telecommunication, power, and transportation, on which the financial sector depends to run its operations.
Finally, situational awareness is indispensable to the resilience of the banking and payment eco-system. There is a growing consensus on making “cyber situational awareness” a sine qua non for combating cybercrime.
In simple words, it means keeping bank employees informed of events in cyberspace so that they can identify and detect the signs of cybercrime in real time and take effective steps to prevent, respond to and contain it. Unless these loose ends are fixed, adversaries will continue to have a field day breaching banks and stealing sensitive information.
(Disclaimer: This is a guest post submitted on Techstory by the mentioned authors. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)
About The Author:
Anuj Goel is the co-founder of Cyware, a cybersecurity awareness platform with a mission of enhancing security culture by strengthening situational awareness and building a common, shared knowledge of cyber threats. Previously, Anuj worked at Citigroup in New York as the head of global strategy and planning covering information security and anti-money laundering. Anuj has several awards and accolades to his credit, including the Citi Dazzle Award in 2012 & 2014. He is a Senior Member of the IEEE and the Sigma Xi. He also served as an executive committee member of the Financial Services Sector Coordinating Council and has been cited in Who’s Who in Science and Engineering.