Kotak Defrauded Using Unissued Credit Cards
Investigators Probe Curious Case of Fraud at Kotak Mahindra Bank
A curious case of fraud has come to light at Kotak Mahindra Bank, where fraudsters misused credit cards that the bank says it never issued. According to information reported in a Times of India account, the fake cards used in the scheme were created using stolen data of newly-created, unissued cards.
Using this stolen information, the fraudsters were able to fabricate 580 credit cards within Kotak Mahindra Bank's Bank Identification Number (BIN) range, the first four or six digits of the card number, which link a card to the issuing entity. The fraudsters then reportedly went on a spending spree, racking up around 1730 transactions on these cards in seven countries, to the tune of Rs 2.84 crore.
According to a police complaint filed with the Bandra-Kurla Complex police station in Mumbai by KMB, the bank had recently generated and registered three new BIN ranges for the unissued cards, and the bank's product team had raised an order with a Gurgaon-based vendor to manufacture the cards. The fraud was discovered when high-volume transactions that were not being settled were flagged to the bank's internal risk team. KMB declined to comment directly on this story.
Who is Responsible?
According to sources close to the bank, KMB says that the data used to fabricate these cards could not have left the bank's network, because the DLP technology in use would have caught the exfiltration of card data. With investigations ongoing, the bank says it is not liable in this case, and that the data was compromised either at a third party or through some technical/integration oversight in the payment card infrastructure, beyond the bank's purview.
However, some experts believe that the ultimate responsibility for governing third parties, and the associated liability, is sure to come back to KMB.
Information security strategist and former banking CISO Dr. Onkar Nath highlights two salient facts: the cards were not issued by the bank, yet they were active and transactions on them were authorized. He says banks are known to activate BIN ranges in bulk, but with chip cards the norm is to send the customer a deactivated card that they then activate. "The software package, or the CBS at the particular bank's end, has to activate the card before the common payment switch - used by all banks - allows any transaction to go through," Nath says.
Furthermore, if the bank insists that the breach did not happen at its end, PCI DSS compliance norms still require that card data stored with third parties at any location be encrypted. Given the facts, he believes the investigation may reveal either that the bank was not in compliance or that there was some insider involvement.
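The two controls discussed above, an issuer that refuses to authorize a card its core banking system never activated, and a risk check that flags cards accumulating transactions with no settlement, can be sketched in a few lines. The following is an added illustration written for this article; it is not code from Kotak Mahindra Bank, MasterCard, SISA or any payment switch. The BIN prefixes, card numbers, transaction records and the "three unsettled transactions" threshold are all constructed for the example, and the model assumes six-digit BINs and a single issuer-side activation list standing in for the CBS.

```python
"""Issuer-side 'activate before authorize' check plus an unsettled-volume flag.
Constructed example for illustration; not any bank's or network's real code."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed six-digit BIN prefixes standing in for an issuer's registered ranges.
REGISTERED_BINS = {"999901", "999902", "999903"}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum over a digit string (catches typos, not fraud)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_complete(partial: str) -> str:
    """Append the check digit that makes `partial` Luhn-valid (only used to build sample PANs)."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return partial + d
    raise AssertionError("unreachable: exactly one digit satisfies Luhn")


@dataclass
class Issuer:
    """Models the issuer's core banking system (CBS) view of its own cards."""
    bins: set
    activated: set = field(default_factory=set)   # PANs the CBS has activated

    def activate(self, pan: str) -> None:
        self.activated.add(pan)

    def authorize(self, pan: str, amount: float) -> tuple:
        """Return (approved, reason). A well-formed PAN in our BIN range that the
        CBS never activated is declined; this is the control Nath describes."""
        if pan[:6] not in self.bins:
            return (False, "foreign BIN")          # switch mis-routed this request
        if not luhn_valid(pan):
            return (False, "bad check digit")
        if pan not in self.activated:
            return (False, "card not activated")
        if amount <= 0:
            return (False, "invalid amount")
        return (True, "approved")


@dataclass
class Txn:
    pan: str
    amount: float
    country: str
    settled: bool


def flag_unsettled_volume(txns, min_count: int = 3):
    """Return PANs with at least `min_count` transactions and no settlement at all,
    the pattern the article says surfaced the case to the bank's risk team."""
    per_pan = defaultdict(list)
    for t in txns:
        per_pan[t.pan].append(t)
    return sorted(
        pan for pan, ts in per_pan.items()
        if len(ts) >= min_count and not any(t.settled for t in ts)
    )


# Constructed sample PANs: one activated by the CBS, one never activated.
ACTIVE_PAN = luhn_complete("999901" + "000000001")
UNISSUED_PAN = luhn_complete("999902" + "000000002")

# Constructed transaction records; the unissued card's are spread across
# countries and none of them settle.
SAMPLE_TXNS = [
    Txn(ACTIVE_PAN, 45.0, "IN", True),
    Txn(ACTIVE_PAN, 12.5, "IN", True),
    Txn(ACTIVE_PAN, 30.0, "IN", False),
    Txn(UNISSUED_PAN, 900.0, "AE", False),
    Txn(UNISSUED_PAN, 1200.0, "GB", False),
    Txn(UNISSUED_PAN, 700.0, "US", False),
]


def demo() -> dict:
    issuer = Issuer(bins=set(REGISTERED_BINS))
    issuer.activate(ACTIVE_PAN)          # the CBS activates only the issued card
    return {
        "active": issuer.authorize(ACTIVE_PAN, 45.0),
        "unissued": issuer.authorize(UNISSUED_PAN, 900.0),
        "flagged": flag_unsettled_volume(SAMPLE_TXNS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the model is that a Luhn-valid card number inside a registered BIN is not enough on its own: the authorization path has to consult the issuer's activation state, and the settlement pipeline gives a second, independent signal when that first control has been bypassed or misconfigured.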
The Vendor Risk Angle
If the data was compromised on a vendor's or third party's side, does that mean Kotak bears no liability at all? Experts also wonder whether such fraud would be covered under Kotak's existing fraud insurance, given that the cards used were never issued.
Mumbai-based Dinesh Bareja, COO of Open Security Alliance and founder of India Watch, is outspoken. "The whole thing smacks of lack of diligence from a vendor risk management perspective," he says.
He believes the liability should be KMB's, since the cards are the bank's. "Just because you are insured for card fraud doesn't mean that you brush it off and say that we have adequate security internally," he says.
It has been a known issue that banks cut corners when it comes to third-party due diligence, he says. While PCI DSS and ISO compliance are considered the norm these days, especially for anyone handling payment card data, the reality is an eye-opener, experts say. Bareja cites the example of some Indian banks where business units have sent card details in plain text to third parties via Dropbox. "CISOs were helpless to prevent the business people from sending out this information in the clear," he says. "This was rampant in the industry 3-4 years ago and might still be the case."
Nitin Bhatnagar, Head of Business Development for APAC and EMEA at Bengaluru-based SISA, a compliance services and training provider, strongly believes that the trouble may not be at the bank's end. Speculating on the possible circumstances, Bhatnagar offers three scenarios. The first is a foul-up at the integration between the bank and its payment processor, which is where the compromise would have happened, he says. The impact of that scenario would be limited to Kotak Mahindra Bank.
The other two scenarios could affect other institutions as well. One is that the payment switch has been compromised, in which case cards of other banks may also be affected, Bhatnagar says. Industry sources say that some fingers are being pointed at MasterCard, citing alleged issues with its internal coding process.
The other is that there is an as yet undiscovered gap in the card infrastructure, which could lead to more such incidents involving other banks.
The investigation's findings are awaited for a clearer picture of how this case played out. Until then, it remains a most curious case. As one of the sources says in conclusion, "Given the many variables in this case KMB might not be at fault, but events like these highlight that it is high time Indian banks reviewed their governance and vendor management processes."