How did a server hack hit 3.2 million debit cards? Can it happen again?
How did this one server hack hit 90 ATMs and affect 3.2 million (and counting) cards of 19 Indian banks?
Do you catch yourself wondering if it is safe to withdraw cash from an ATM with your debit card? Do you wonder if your personal financial data is safe? You are not alone. The ongoing crisis has spawned an ATM phobia in the public.
The good news is that if you have not had a call from your bank, and your account balance is as it should be, you are — probably — safe. But it would not be a bad idea to change your card’s ATM pin right away.
But how did this one server hack hit 90 ATMs and affect 3.2 million (and counting) cards of 19 Indian banks?
How ATMs work
An automated teller machine or ATM is a digital interface with two input and four output devices that connects to, and communicate through, a host processor the same way as an Internet service provider. Nearly 99% of ATMs in India communicate through leased lines and the rest on dial-up systems.
ATM-makers such as NCR or Diebold Nixdorf provide the machine and the software for a bank at its preferred location. The bank the connects the machine to its servers.
The switch
Companies such as FSS, CMS and Hitachi Payment Services provide the ‘switch’ — a payment transfer engine that allows the ATM software to connect to interbank networks.
Most switches are in remote locations, not at the ATM itself. A bank branch that has an ATM is likely to managing its own switch, but the rest may be maintained by agencies such as Hitachi.
How infection spread
The 90 affected ATMs in the present case connected to the one infected server at one precise point in time. So the hackers got information of all the people who used those ATMs, and cloned their cards. Since customers often use non-home bank ATMs, the impact spread to 19 banks.
Really a hack?
“A few months back, there were reports of money being withdrawn in China and US from accounts of Indians not living there. This got NPCI, RBI and the banks probing. Soon they realised that the cause for this was a malware attack on a server of Hitachi Payment Services, a company that provides the software for ATMs,” an industry expert said.
Hitachi claims it was not hacked at all. “We had appointed an external audit agency certified by PCI in the first week of September, to check the security of our systems for any breach or compromise based on a few suspected transactions that were highlighted by banks for whom we manage ATM networks.
“The interim report published by the audit agency in September, does not suggest any breach/compromise in our systems. The final report is expected by mid-November.,” Loney Antony, MD, Hitachi Payment Services, has said.
Weak points
Most ATMs are basically PCs running on Windows XP, which makes them vulnerable as Microsoft itself has stopped support for the operating system.
Also, most ATMs work on XFS standard — a set of standardistion norms for ATM software — which is really old.
“XFS requires no authorisation for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any other ATM hardware units, including the card reader and cash dispenser,” said a spokesperson at Kaspersky Lab, an international software security group. “Should malware successfully infect an ATM, it receives almost unlimited (total) control over that ATM.”
How to stop hacks
Three main initiatives are recommended. One: ensure physical safety of the ATM, so that no virus can be planted physically.
Secondly, the XFS standard must be improved to help the software protect itself better.
Read | Amid debit card security breach, victims of ATM frauds tell their tales
Lastly, “authenticated dispensing” must be implemented to exclude attacks via ‘fake processing centres’ that imitate the bank software, and also encrypt all data transmitted between all hardware units and the PCs inside ATMs.