Next time you swipe your debit card, make sure bank has strict cyber security measures

The number of online transactions is growing every day and banks need to have stringent cyber security measures.

The need for broader security system increased after salary accounts of at least two dozen Infosys employees were hacked last month in May.

Experts and company executives said told Economic Times that the hacking highlighted broader cyber security challenges for domestic banks.

At least Rs 2 lakh were siphoned off from half a dozen salary accounts of Infosys employees hacked by a still unidentified person, two people familiar with the development told the financial daily.

ICICI Bank refunded salaries to affected employees immediately, given its longstanding relationship with Infosys, executives told ET.

An ICICI spokesperson told ET that the impacted customers got their debit cards prior to December 2013 and as per the rules at the time the cards were activated for international transactions. "However, the customers had the choice of blocking international transactions on their debit cards," the spokesperson said.

Since December 2013, the spokesperson informed, the bank has been issuing EMV chip debit cards to customers who make international transactions, besides giving all customers the choice to opt for cards with this global security standard.

"The bank did not issue EMV chip cards to these customers as they neither transacted internationally nor did they opt for the EMV chip cards," the spokesperson told the financial daily.

"This was a case of card skimming, wherein debit card information was used by the fraudsters for conducting unauthorised transactions. Debit card information may have leaked at point of sale machine or through some other channel and this led to the incident," a top executive at ICICI Bank told ET on the condition of anonymity.

Meanwhile, this episode has highlighted how current online security measures in most of the public and private sector banks are inadequate to counter new-age threats.

"Incidents of skimming happen because banks continue to ask simplistic questions on customer's date of birth, address, mother's maiden name, name of spouse, etc. Such information is freely and publicly available on Facebook, LinkedIn and job search portals. So fraudsters have easy access to such information. In essence, that is leading to a number of frauds; some get reported while the others don't," Sivarama Krishnan, a partner at PricewaterhouseCoopers, told ET.

Meanwhile, few banks like HSBC often issue fast tokens to customers where the personal identification number changes every 30 seconds depending on the frequency that the bank sets up.

Customers are then required to use a one-time password sent to their phones. A number of banks have still not enabled such a system, which drastically reduces the vulnerability of security systems, experts told ET.

But Infosys was not the first case. In 2013, the Axis Bank salary accounts of 15 police officers in Mumbai were hacked and money was withdrawn from those accounts through ATMs in Greece. Axis Bank later refunded the amount to the affected officers.

"Customers often give the debit card/ card details to petrol pump attendant, hotel waiter or to salesperson. Such negligent behaviour causes risks," said the chief information security officer of a leading private sector bank.

Experts told ET most banks need to implement Adaptive Access systems, a new-age security solution that uses tools like analytics to thwart cyber attacks. A number of banks such as HDFC, Axis Bank and Punjab National Bank have already deployed such systems.

(Image: Thinkstock)