In the midst of fear due to security breach of over 32 lakh debit cards of various banks, Finance Ministry on Thursday sought to calm people down by saying that they constitute only a small number of the total such cards which are "completely safe" and there was no need to panic.
"Only about 0.5 per cent of total debit card details were compromised while remaining 99.5 cards are completely safe and bank customers should not panic," Department of Financial Services Additional Secretary G C Murmu told PTI.
There are around 60 crore debit cards operational in India, of which 19 crore are indigenously developed RuPay cards while the rest are Visa and Master Card enabled.
Since the data compromise has taken place from specific machine and specific time period, so it is just a limited issue and banks have asked their affected customers to replace their card or change PIN, he said, adding that other cards are not affected at all.
A Canara Bank message to a customer said: "In view of security reasons...Please change the ATM pin immediately. In case not adhered to, we will be blocking the existing card on 21-OCT-2016."
Murmu said data of the users who have transacted from ATM machines of Hitachi have been compromised during the month of May, June and July.
The Hitachi ATMs, he added, deployed by many White Label ATM players and Yes Bank were impacted by the malware while usage at other ATMs were completely secured.
As far as financial loss is concerned, there is minimum impact as reports on losses due to this is being collated.
The genesis of problem was receipt of complaints from few banks that their customer's cards were used fraudulently mainly in China and USA while customers were in India, NPCI said in a statement.
Apprehending that this could be a case of card data compromise, all the ATMs / PoS terminals in India and three card networks – RuPay, Visa and MasterCard worked in a collaborative manner in the month of September 2016.
It was established through the analysis post such frauds were reported that there was a possible compromise at one of the payment switch provider’s system. Based on the analysis, NPCI and other schemes identified the period of compromise and the possible card numbers which could have been compromised during that period.
Though there were no complaints from any of the RuPay cardholders, NPCI as a domestic utility for ATM payments has taken the lead role for proactive steps in discussing the matter with various banks and card networks.
The complaints of fraudulent withdrawals are limited to cards of 19 banks and 641 customers, NPCI statement said, adding that the total amount involved is Rs 1.3 crore as reported by various affected banks.
Cards of all these complainants are related to other card schemes and there is no RuPay cardholder who had lodged any complaint for such fraudulent usage, it said.
Murmu said all the affected banks have been alerted by all card networks that a total card base of about 32.14 lakh could have been possibly compromised. Out of this, 6 lakh are RuPay cards.
"It was suspected that a compromise was at switch level which is PCI-DSS certified. Hence, subsequently PCI Council (the international body which sets standards on for PCI–DSS) was persuaded to conduct a forensic audit of the switch of one bank which is likely to be the point of compromise. The forensic study is in progress and NPCI is in touch with relevant stakeholders," he said.
NPCI is closely working with all stakeholders and once the forensic investigation is over and the root cause is identified, we will issue a further set of recommendations as precautionary measures to member banks, he added.
According to Yes Bank statement, it has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on the bank's ATMs.
"We would like to inform that the possible breach of information of debit cards has taken place in the ATM network of another bank. As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed. This has been done in order to protect our customers from any potential fraudulent transaction," ICICI Bank said.
Even HDFC Bank said the bank's systems detected a potential compromise of debit cards arising from usage at a non-home ATM network a few weeks ago.
"We immediately notified customers who we knew had used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN. We take this opportunity to stress that all our customers use HDFC Bank ATMs only and also change ATM PINs from time to time to prevent misuse," the bank said in a statement.
(With inputs from PTI)