The revelation of security breaches leading to leakage of data on some 3.2 million debit cards has come at a time when Indians are finally beginning to use plastic money more extensively. The revelation has the potential to slow the country’s march towards a cashless economy. To be fair to the affected banks, they moved fairly swiftly to protect cardholders from fraudulent transactions by advising all to change the personal identification number (PIN) associated with their card and even replacing the cards where required. They have also made good losses to customers wherever fraud could be established.

This, however, is post facto restitution. This is not the first instance of data theft in the Indian banking sector. Security breaches of different magnitudes have been recurring over the past few years and there will be many more in the future if banks and cardholders do not take adequate precautionary measures. Most of these fall within the purview of the banks issuing credit/debit cards and installing ATMs. The onus is on the banks to build systems that are difficult to break into, which means adding more layers of security and superior encryption of data to protect the customer. For instance, transactions above a certain value need additional validation by the card holder to prevent data theft. Credit card issuers usually call up their clients to verify unusual high-value transactions. Other measures, such as installing a cheap plastic cover above the key pad of ATM machines to prevent a camera capture of the PIN, are also useful, particularly for machines installed in public places such as markets and commercial complexes. Replacing ordinary swipe-based ATM/debit cards with chip-based ones should also be speeded up. Above all, the Reserve Bank of India, as a regulator for the banking system, needs to lay down strict security protocols that must be followed by all banks, and make periodic forensic audits mandatory. The RBI should ensure that financial information shared with e-commerce platforms and others accepting online payments is also protected.

Card holders too need to take some steps to shield themselves from data theft. The ATM/debit card PIN should be changed periodically; it may be useful if the ATM machine were to provide prompts at a predefined interval. Actively using one-time passwords for all online transactions and enabling notifications for all transactions are steps in the right direction. Customers must be wary of clicking on links in emails that appear to come from the bank. Most importantly, the RBI and the banks need to conduct awareness programmes on ATM/debit card safety.
