The Expert's View with Dinesh Bareja

India's Largest Card Compromise: Has The Dust Settled?

A Hot Potato a Week Ago, the Industry Seems to Have Moved on
Dinesh Bareja, COO, OpenSecurity Alliance, Founder, IndiaWatch

A week before Diwali, we witnessed a whodunit in the Indian Infosec space which I'd like to call "the immaculate conception of a malware attack" - an incident that has caused the biggest payment card data compromise in the history of Indian banking. And yet no one seems to be responsible (see: 3.2 Million Indian Debit Cards at Risk).

I say "immaculate conception" because every bank known to be at risk claimed they were not the source of the compromise. Everyone seems to have the best and most secure systems.

The 3.2 million question here is: Where did this compromise, which has unseated the entire industry, originate? No one has been fired, and I await the award season to see who will be crowned Top CISO/CIO.

Business leaders are clueless and unwilling to see reality, being primarily interested in budget cuts. Effectively, the cyber/information security function is still considered a pain by them all. But now that the consequences have come home to roost, everyone is hurting (see: Debit Card Compromise: A Call to Action).

Law Enforcement Absent

It seems to me that Indian banks consider themselves above the law. Take the Axis Bank case: the bank made a public announcement on Oct. 19, just a day before this debit card furore, that it had been hacked. It was reportedly informed by Kaspersky Labs of a leak that it decided merited further investigation. It informed the Reserve Bank of India and appointed E&Y as investigators.

However, no one, including their Big Four consultant, seems to have told Axis that a breach is a crime and the systems cannot be touched until law enforcement has been brought into the picture. There was a whisper from the corridors of the LEA that they are going to join the investigation. But no further information is available.

The fact is that this is a criminal issue and not an internal systems issue, as it is usually painted to be. Unless an FIR is filed and law enforcement involved, then irrespective of whether the investigations commissioned by the banks find the culprits, the report findings will not be admissible in a court of law.

I will say, however, that a public announcement by a bank is a good precedent and must have taken guts. But news of this debit card compromise seems to have broken just in time to save the bank's proverbial bacon.

This hack is very different from the debit card issue, and Axis or E&Y must issue an advisory. Bank investors and account holders need to know how good the bank's security posture is and what has happened.

Where are the Ombudsmen?

Amidst this uproar, it is strange to find CERT, NCIIPC and NCSC all maintaining silence. The Finance Ministry issued a statement assuring consumers not to worry, which is ironic, considering that this disaster probably gave bank chairmen sleepless nights.

But I am not surprised. NPCI's official statement said that only 641 cards out of the 3.2 million tranche, belonging to customers of 19 banks, were affected by fraud, to the tune of Rs 1.3 crore. Bear in mind that these institutions are used to seeing Rs 7500 crores fly out of the country and still say "all is well".

What I find surprising and suspicious is that the big guns, the Finance Ministry, RBI, et al, have come out on television and in print and online media trying to assure citizens over what is a relatively minuscule figure in the scheme of things, certainly not 7500 crores.

So to me there is more to this than is being said or shared. Is that why no police complaint has been filed: because filing one would require a more detailed statement? The cardinal rule of crisis management is having a single honest and credible point of contact. In my opinion, the claims and statements out there right now stink and need to be called out by someone in authority.

Breach Disclosure Is the Need of the Hour

The dust has settled and also seems to have been brushed under the carpet. It would demonstrate some maturity in crisis management if RBI issued a weekly or daily update. However, after the last press release the regulator just asked all banks to shut up, so now no one is talking.

Does this silence mean that everything is under control? Have the bankers justified the expense for replacement of 3.2 million cards? Have the 641 accounts been compensated? What is the RBI now doing about their magnanimous September circular? Sad to say this seems to be the stuff that comprises the ethos of governance, risk and compliance in these hallowed chambers.

It is disheartening to see the veil of secrecy around everything that banks, government or regulators are doing. While I am not saying that every bit of information should be disclosed in public, this total vacuum is impeding the industry as a whole.

Every threat or vulnerability that your systems defend against today, or that you are learning about today, is known because of free and open information shared by individuals and entities. If information on new attacks is not shared, how will these vectors be added to this body of knowledge? How will the industry learn about attacks unique to its sector? In short, you are stunting the growth of the ecosystem.

All these years, no high and mighty CxO has needed to disclose breaches. Incidents are hidden and not talked about, and losses are quietly covered. This is tantamount to abetment of a crime, and the banks' and institutions' officers are as culpable as the criminal who has perpetrated the crime.

In such cases, RBI, SEBI, IBA, IDRBT and other agencies could be considered complicit in hiding crimes committed against these national institutions. The government must enact legislation to make data breach disclosure mandatory ASAP.

Enterprises must accept that a data breach is a crime, and a disaster like any other, not an internal issue. And there is no reason to be ashamed. No one seems to have suffered a reputation loss, whether it was Target or Sony or Axis or SBI. You can check their earnings and stock prices to be convinced. Reputation loss cannot be an excuse anymore, and platitudes won't suffice.

Views expressed are the author's own.

About the Author

Dinesh Bareja

Principal Advisor, Pyramid Cyber Security & Forensics, Dubai & India

Bareja has been a practicing information security and management professional for the past decade. He is a security and infrastructure specialist with experience in the government and enterprise domains in security audit, architecture, strategy, policy definition, planning, and optimization. He has been engaged with the Jharkhand State Police Cyber Defense Research Centre as cyber surveillance advisor and with other organizations such as the Bombay Stock Exchange as Technical Member, IGRC; he is Founder of the Indian Honeynet Project and Mentor and Advisor with the Ground Zero Security Conference and Cyber Peace Foundation. He is a regular speaker at cybersecurity events and has delivered lectures on security, governance, policies, and infrastructure issues at various security conferences, including iSafe Dubai, and to closed security groups in government. Dinesh is a member of ISACA, India-InfoSec Group, DSCI, National Anti-Hacking Group, ACFE, PRIMA, OWASP, NULL, Information Sharing & Research Association (ISRA), ClubHack, Cyber Peace Foundation and others.