"Lakhs of debit cards have been hacked--should you be worried?" said the headline. This has been a common theme of newspaper articles after the apparent leak of some 32 lakh debit cards. Instead, I would have thought the right thing to ask would be, "Shouldn't you be angry?"
Consider what these banks and payment processors have been doing. For a period of six weeks, they have known that a breach took place. From what has come out so far, it seems that those weeks were spent in figuring out whether a breach took place, a process that was made difficult because the entities involved were focussed on denying--not just to others, but also to themselves--that any breach took place. Or that if it took place, it was not in their systems. Or if it really was in their systems then it was somebody else's fault. Or if it wasn't somebody else's fault then this was like an Act of God and no one could have done anything and we should all forget about it and keep it a secret.
The shocking part of this whole affair (well, one of the many shocking parts) is that during those six weeks, no thinking seems to have been done on causing the minimum possible inconvenience to customers. Basically, the six weeks have been spent in deciding on a scapegoat and cooking up a cock and bull story which still doesn't hang together. The internal contradictions in what customers have been told are ridiculous. For example, it's pretty clear that blocking millions of cards would not be done on the strength of 600 odd complaints amounting to a little over a crore of rupees. Debit card and netbanking fraud is rampant in India. Most of us personally know of half a dozen cases where a few lakhs of rupees have been pilfered. A crore's worth of fraud probably happens every day in India.
That's not all. As a bank insider pointed out to me, ATM fraud and online fraud generally don't mix. To a payment network that is transporting information between the ATMs or point-of-sales machines and the bank's backend, only the card number and the PIN are exposed, but not the CVV (the three digit number on the back) or the expiry. In contrast, to an online payment processor, the card number, the CVV and the expiry is exposed, but not the PIN. A breach from an ATM processor can be exploited only by manufacturing counterfeit cards and using them physically in ATMs or shops, while a breach from an online transaction processor can only be exploited by making online transactions. So were the 600 fraudulent transactions physical ones based on counterfeit cards? If they were, then this breach is a far more serious affair than the banks are letting on. And if they were online ones, then this is an even more serious affair because it indicates a breach in banks' back-end systems.
The most disappointing part is that this breach appears to have come as a complete surprise to the banks. Data breaches and card leaks have now been happening around the world regularly. Banks, the RBI and payments processors should have a rehearsed set of actions on what to do and how to deal with them from the customer's perspective. This should extend down to the bank employees in branches who have to deal with customers. Instead, the branch-level bank officials know as little as customers and are thrashing around trying to deal with panicked and irate customers. Meanwhile, the only thing the top brass seem to have rehearsed is passing the buck.
At the root of this is the fact that the senior executives and board members of banks have no skin in the game. They seem confident that they can get away with routine e-fraud as well as events like this with their jobs intact. The banks themselves won't have to compensate or pay fines on a scale that has a measurable effect on their bottomlines or stock prices. Unless this is changed by the government or the regulator, e-fraud will not stop.
There are dozens of things that banks could have done in the years past to mitigate such breaches when they take place. Here are just a few examples that some card issuers around the world are actually doing: Put geographical limits (city, state or country) on card usage, separately for physical and online, combined with separate amount limits. Aggressively promote disposable (single-use, amount-limited) card numbers for online. Allow 'cardless' use of ATMs and PoS, in combination with the above features. Except for small amounts, use two-factor authentication for ATM and PoS use. Use pre-authorisation to effectively retrofit 2FA to foreign processors that don't have it. Allow rapid change of geographical, usage or amount limits through apps. (My bank does this but takes 24 hours, which is a joke).
There are literally dozens of such ideas which can be used to limit and mitigate customers' pain when (not if) the next breach takes place. The reason it won't happen is that there is no incentive for banks to spend money on these things. Instead, every time I use my bank app, I get a notification about a deal with a nearby pizza place or coffee shop.
As long as banks' managements are focussed on using digital enablement to earn a few paise commission out of your next cup of coffee, they won't get the time to think of your card security. If the Modi government is serious about a cashless, universal banking future, it needs to fix these attitudes fast.