Anyone Can Be a Victim of Cybertheft: Are Our Banks Prepared?
(Excerpted with permission from Breach, authored by Nirmal John and published by Penguin Random House.)
Atul Gupta had a flight to Mumbai the next morning and was trying to sleep earlier than usual. It was a pleasant Saturday autumn night in the national capital region. He had almost drifted off when his phone vibrated. The hazy blue light of the display filled the darkness of his bedroom. It was the short, snappy buzz that indicated a text message. Gupta contemplated whether he should break his sleep to take a quick glance at the phone.
It is difficult for most folk to resist the temptation to sneak a peek at their phone once it starts buzzing. A ringing phone has to be answered, doesn’t it? The arrival of a notification means something is happening, that somebody is reaching out.
Debit Card Fraud
Gupta took the phone and unlocked it. It was one of those transaction alert messages from his bank. He clicked on it to open the text. Money had been debited from his account for some transaction made through his debit card. He wondered which transaction this was. Then he remembered having used his card earlier in the evening. Maybe the alert for that transaction was being re-sent because of some technical glitch, or so he thought.
That theory went out of the window soon enough. The phone buzzed with a second message, and not too long afterwards, with a third. Every few minutes there was a transaction alert from the bank. This was no technical glitch in the bank’s notification system. There was something afoot. This certainly wasn’t him withdrawing money. Someone was stealing money from his account. Gupta was wide awake now and more than a bit concerned. He quickly dialled the bank’s customer care number and had a chat with an executive about the messages and the transactions that were apparently happening on his account through his debit card.
The woman on the line told him that the bank’s systems had already raised a red flag because of the frequency of the transactions and the unusual locations they were happening from, and had blocked the card temporarily.
Internal Investigation by the Bank
That was a relief. It meant that whoever was stealing from his account would not be able to use the card any more. Getting back the money that had been debited—stolen, to be precise—would prove trickier, though. He called the bank again the next morning. It was a leading private sector bank and Gupta was a premium customer. There was nothing in his transaction history that would point to any foul play from his side.
The bank readily agreed to transfer the money that had been debited back into his account within forty-eight hours as the first step towards resolution of his complaint. The catch was that it would not be available to him immediately. He would have access to the money only once the bank had investigated his claim and found that he was in the right. The bank said they would need sixty days to conclude the investigation.
Data Breach among Financial Services
Gupta also had to go to the police and get a first information report (FIR) filed. That proved to be a difficult experience. The cops asked him questions like ‘why did you share your PIN number with other people?’, and ‘if you didn’t share the PIN, how did people steal the money from your account?’
They tried to make it difficult for him by listing out technicalities – the complaint had to be filed in the police station under whose jurisdiction the money was taken out rather than in Gurgaon where he was staying, and he first had to make a complaint at the bank, and so on. This conversation with the cops, he says, went on for a while, but he finally convinced them to accept his complaint and took the copy of the FIR to his bank. Gupta got his money back from the bank after they had completed their internal investigation. It wasn’t that difficult to know what had gone wrong.
Indeed, he wasn’t alone at the receiving end of a banking fraud. The news was soon going to be all over the media.
Gupta was the victim of one of the largest breaches ever in India’s financial services and banking sector – a breach that the media at the time claimed had resulted in 3.2 million debit card numbers being potentially compromised across multiple banks. It was a breach that stunned India’s financial services and banking industry, which prides itself on operating at the cutting edge of security.
What makes the instance surreal and somewhat ironical is that Gupta is no stranger to breaches. He makes a living investigating breaches and protecting companies. He is a partner at the consulting firm KPMG and the leader of their cybersecurity practice. He has, over the years, advised multiple companies and led investigations into breaches of all sorts, including in the financial services industry.
Tough to Crack Digital Thefts
No one, absolutely no one, is safe from falling victim to theft through banking and financial data breaches in the digital age. Gupta is one of the most informed professionals in the country when it comes to using his debit card securely. But through no fault of his own he had to go through the harrowing experience of feeling helpless even as somebody sitting in some corner of the world took money away from his account, one transaction at a time.
This is the reality of banking today. Anyone can lose money and fall victim to a breach in the security perimeter built around their money by their bank, even when they, in their individual capacity, follow the best practices. The banks and other financial institutions are trying hard, but they are pummelled by cyberattacks eyeing data and vulnerabilities that will lead the attackers to hard currency.
To give credit to the banks and their sizeable investments in cybersecurity, they have built systems that are repelling the vast majority of these attacks. But it takes only that one attack that sneaks through to bust the trust that banks have nurtured among their customers over many years. This was one such attack. It is not unlike the situation in the past when thieves would steal money through bank heists.
But the crucial difference is that in the digital age the thieves could be sitting anywhere in the world, and there is little that can be done to catch them. Dye packs – radio-controlled devices that mark notes that have been stolen with permanent ink – are used by banks in the West to foil thieves. But they are of little use in a world where money is evolving into a digital idea.
Repelling Cyber Attacks
News of heists wasn’t that common back in the day, but today the financial services industry, security researchers nod in agreement, endures hostile attacks every single day.
A KPMG report points out that:
DDoS attacks take down servers by overwhelming them with Internet traffic, while phishing attacks try to extract information, often by installing malware in computers.
Indian banks and financial regulators have been repelling attacks in large numbers. Many in the financial services industry say that India’s financial sector has been one of the most proactive when it comes to fighting off such attacks. It is a sector in the country that prides itself on being ahead of the curve, compared with its counterparts in other nations, when it comes to data security preparedness. Most banks in India, especially private banks, take cybersecurity very seriously. They invest crores in it every year, and although an exact number is hard to come by, officials say that this number is growing fast.
A security researcher who works with almost all the private banks says that government banks are the exception, as they give cybersecurity contracts to the lowest bidder. ‘It is difficult for them to come out of that ambit. They are also doing the best they can within their power. The question is, how much security is enough? Who decides how much is enough?’