It was recently revealed that around 3.2 million Debit Cards belonging to Indian users have been compromised. According to various reports, Debit Card users of SBI, HDFC Bank, ICICI, YES Bank and Axis are the worst hit.
There are multiple ways in which Debit Card information can be stolen:
1: Phishing
2: Skimming Devices
3: Compromising the Security of a Payment Processor
   3.1 Malware/Virus Attack
       a) ATM Malware
       b) POS Malware
       c) Trojan/Keylogger etc.
   3.2 Hacking Attacks
In this case, according to the reports, it was Hitachi Payment Services which was compromised by a malware attack, and this enabled the hackers to steal the card-related information. Hitachi Payment Services provides ATM, Point of Sale (POS) terminals and other payment-related services.
PHISHING related scams have been in existence for ages; however, they encompass not just Debit Cards but also Credit Cards and logon credentials. Numerous vendors have come up with innovative solutions to mitigate such attempts at the gateway itself; however, some phishing attempts do end up in the user’s mailbox. In comparison to other methods, phishing related Debit Card scams can be ranked lower, since the number of victims or the value of the attack can be considered minuscule when compared with other forms of attack. The coverage of a phishing attack is limited either to a specific country or to a specific bank within a country.
SKIMMING DEVICES are devices which are attached to ATM machines and have the ability to capture PINs and card data. However, when we look at the scope, it is limited to one single machine, or the criminals may choose to attack a few other ATM machines. The reason is that skimming requires additional hardware, and the stolen data needs to be collected either by physically removing these devices or by remote access, whose range is again limited by geographical area.
Moreover, there is a certain cost involved in procuring or producing these devices; hence we have often seen a nexus between the manufacturers of such devices and the criminals who actually install them on ATM systems.
Furthermore, skimming and phishing both require the Debit / Credit Card to be cloned, and there exist marketplaces where such data is traded. Skimming is used when criminals are targeting a specific ATM machine or a couple of them. We are yet to see a widespread skimming attack on an entire city, which would result in the data compromise of more than 100,000 customers from one campaign.
Compromising the Security of a Payment Processor
MALWARE AND HACKING have been taking precedence over every other method used by cyber-criminals to steal data, and the majority of data breaches have been attributed to them. Criminals either deploy custom malware after hacking into the networks, or they may utilize various other non-intrusive methods to ensure that the custom malware is implanted into the systems.
We have already seen a rise in POS malware, which specifically targets Point of Sale terminals, and we have also observed credentials of hacked POS terminals being traded in underground markets.
Some of the worst attacks on banks and financial institutions were the direct result of either being hacked or of an attack on security-wise naïve employees. Cyber-criminals are always on the lookout for vulnerable payment processing organizations, as they are considered the hub where all transactions converge; moreover, many of these payment processing organizations are also responsible for the upkeep of POS terminals and ATM machines.
An attack on such an organization will surely lead to the compromise of more than a million records, and by any standard is considered to be the best bet when compared with skimmers or phishing. Way back in 2014, the attack on Target, a multinational organization in the USA, proved that an implementation of PCI-DSS standards could be rattled to the core by custom malware which scraped the RAM (memory) of the infected system.
Vendors and banks alike have been issuing advisories to safeguard their customers from skimming and phishing attempts. Even if one were to follow these advisories, there is no way for a consumer (i.e. the card user) to detect the presence of malware in the ATM machines they are using, since it is the responsibility of the bank to ensure that its systems are kept clean. However, when we look into the murkier details of the Target attack, we would be surprised to know that the hackers had targeted a third-party vendor to access the Target network.
Target, a retail giant, was attacked by POS malware, and approximately 40 million credit and debit card accounts may have been compromised in 2013.
We may also consider studying a similar attack carried out on Heartland Payment Systems way back in 2009, in which 130 million card details were stolen.
Numerous organizations have been conducting Vulnerability Assessment and Penetration Testing (VAPT) audits, which is a positive trend, one might say. However, some of these VAPT audits are done using standard automated applications like Nessus. Applications like Nessus can be termed reporting applications: they simply scan the ports, extract the product version number and, based on a database of known vulnerabilities, arrive at a conclusion.
Furthermore, zero-day vulnerabilities are very hard to detect using conventional mechanisms, and coding horrors or misconfigurations are equally difficult to find. Hence, instead of relying solely on automated vulnerability assessment software to conduct audits, we have to approach this problem the way hackers do. Organizations should either invest in bug-bounty programs or utilize the services of third-party organizations which will do their best to punch holes in their systems. Although these measures wouldn’t stop a hack, they would at least ensure that you have upped the ante for enterprising hackers.
We are facing an increasingly online future, in which we have to realize that additional intelligence is required and innovative approaches have to be found when conducting VAPT. Organizations have to start asking serious questions about the audits, rather than finding solace in the All Green Reports generated by such applications.
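The gap between an All Green version-matching report and a hands-on configuration review can be shown in a few lines. This is an added example, not eScan's or any scanner vendor's code; the hosts, banners, advisory ID and configuration keys are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a known-vulnerability database: (product, version) -> ID
KNOWN_VULNS = {("ExampleFTPd", "2.3.4"): "EXAMPLE-ADVISORY-0001"}

@dataclass
class Service:
    host: str
    port: int
    banner: str                                  # all that a port scan sees
    config: dict = field(default_factory=dict)   # seen only by a hands-on review

def parse_banner(banner):
    """Split 'Product/1.2.3' into (product, version); None if it does not parse."""
    product, sep, version = banner.partition("/")
    return (product.strip(), version.strip()) if sep and version.strip() else None

def version_scan(services):
    """Automated-style audit: flag only versions listed in KNOWN_VULNS."""
    findings = []
    for s in services:
        key = parse_banner(s.banner)
        if key in KNOWN_VULNS:
            findings.append((s.host, s.port, KNOWN_VULNS[key]))
    return findings

# Weaknesses that carry no version number for a scanner to match on.
CONFIG_CHECKS = {
    "default_admin_password": lambda c: c.get("admin_password") == "admin",
    "remote_admin_without_allowlist":
        lambda c: bool(c.get("remote_admin")) and not c.get("ip_allowlist"),
    "cleartext_protocol": lambda c: c.get("tls") is False,
}

def config_review(services):
    """Manual-style review: test each service's settings, not its version."""
    return [(s.host, s.port, name) for s in services
            for name, check in CONFIG_CHECKS.items() if check(s.config)]

# Constructed inventory of a payment back-office network (hypothetical hosts).
SERVICES = [
    Service("files.example", 21, "ExampleFTPd/2.3.4", {"tls": True}),
    Service("atm-mgmt.example", 8443, "ExampleATMManager/7.1",
            {"admin_password": "admin", "remote_admin": True, "tls": True}),
    Service("pos-gw.example", 9000, "unknown service", {"tls": False}),
]

if __name__ == "__main__":
    print("version scan :", version_scan(SERVICES))
    print("config review:", config_review(SERVICES))
```

Once the one listed version is patched, the version scan returns nothing, while the three configuration findings remain untouched.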
What should a common person do in the face of such unseen attacks? A little bit of common sense will go a long way in protecting users, wherever an attack may emanate from.
Advice from eScan
- If you are a prolific online buyer, change your PIN often. If you are not, still change your PIN often.
- Return / do not use credit cards or debit cards which do not support TFA (Two Factor Authentication). In simple terms, this means a card which does not give you the option of an online OTP (One Time Password), where every transaction needs you to input a 4/6 digit verification code before the transaction is approved.
For banks, we would suggest implementing offline OTP, wherein credit/debit cards swiped at merchant locations also trigger an instantaneous OTP to the registered mobile number, and unless this OTP is entered (alongside the PIN), the transaction will not go through.
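A sketch of the issuer-side check behind that suggestion, showing that card data and a PIN alone no longer approve a swipe. This is an added example, not a bank's or eScan's implementation; the class and function names, the 120-second validity window, the three-attempt limit and the PBKDF2 PIN hash are assumptions, and the OTP is returned by start() only to stand in for the SMS to the registered mobile number.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed retry limit per transaction

def hash_pin(pin, salt):
    """Simplified stand-in for the issuer's real PIN verification."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class OtpAuthorizer:
    """Approve a card-present transaction only with the PIN and a fresh OTP."""

    def __init__(self, pin_hashes, clock=time.time):
        self._pin_hashes = pin_hashes   # card_id -> (salt, hash_pin result)
        self._pending = {}              # txn_id -> outstanding challenge
        self._clock = clock

    def start(self, card_id, amount):
        """Card swiped: bind a one-time code to this card and amount."""
        txn_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {"card": card_id, "amount": amount, "otp": otp,
                                 "expires": self._clock() + OTP_TTL_SECONDS,
                                 "tries": 0}
        return txn_id, otp

    def approve(self, txn_id, card_id, amount, pin, otp):
        """True only if PIN and OTP both match an unexpired, unused challenge."""
        p = self._pending.get(txn_id)
        if p is None or p["card"] != card_id or p["amount"] != amount:
            return False
        if self._clock() > p["expires"] or p["tries"] >= MAX_ATTEMPTS:
            self._pending.pop(txn_id, None)   # expired or locked out
            return False
        p["tries"] += 1
        salt, stored = self._pin_hashes[card_id]
        pin_ok = hmac.compare_digest(hash_pin(pin, salt), stored)
        otp_ok = hmac.compare_digest(otp.encode(), p["otp"].encode())
        if not (pin_ok and otp_ok):
            return False
        del self._pending[txn_id]             # single use: a replay is refused
        return True
```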