Malware attacks Current Affairs - 2019
Category Wise PDF Compilations available at This Link
The Union Government has announced that total of 29 lakh debit cards were subjected to malware attack in through ATMs that were connected with the switch of Hitachi.
It was announced by Union Minister of State (MoS) for Finance Santosh Kumar Gangwar in a written reply to the Lok Sabha.
The reply mentioned that the malware-induced security breach between May and July 2016 had compromised only 3,291 cards as reported by banks to the RBI.
Measures taken after security breach
- The Hitachi Payment Services (HPS) had appointed SISA Infosec for The Payment Card Industry (PCI) forensic investigation. NPCI had not carried out independent investigation.
- The forensic report suggested that the only ATM infrastructure of HPS was breached and not the POS (point of sale) infrastructure.
- RBI had advised banks to improve and maintain customer awareness and education with regard to cyber security risks.
- RBI also has set up a Cyber Security and IT Examination (CSITE) Cell within its Department of Banking Supervision in 2015.
- The central bank also had issued a comprehensive circular in June 2016 covering best practices pertaining to various aspects of cyber security.
- It had instructions on banks cyber-security framework, asking them to put in place a board-approved cyber security policy, make arrangement for continuous surveillance and prepare a cyber-crisis management plan.
Malware is short form of malicious software. It is any software used to disrupt computer or mobile operations, gain access to private computer systems, gather sensitive information, or display unwanted advertising. Before the term malware was coined by Yisrael Radai in 1990, malware was referred to as computer viruses.
The premier cyber security agency CERT-In has cautioned bankers, customers and traders against skimming and malware attacks on micro ATMs and Point of Sale (POS) terminals.
The move comes as usage of POS and micro-ATMs counters have witnessed a sharp surge post demonetisation. It has asked to adopt high-end encryption to plug possible breaches.
In this regard, CERT-In has issued two specific advisories for micro-Automated Teller Machines and POS terminals.
What are potential threats?
- Skimming: It is the theft of classified credit/debit card data. Using this method, a hacker (thief) can obtain the victim’s card number using a small electronic device near the card acceptance slot and store hundreds of card details at a time.
- Social engineering attack: It can be engineered at these banking and POS facilities, by gaining trust of the card owner as the fraudster poses as a member of staff.
What the CERT-In advisory says?
- Micro-ATMs security features must be strong and updated in order to check attempts by hackers who stealthily plan to steal private customer and bank data.
- Point to Point Encryption (P2PE) should be used to minimise this risk as it will encrypt the card data and keep it encrypted to the maximum extent throughout its life.
- Banks and micro ATM operators must use some counter-measures to thwart cyberattacks.
- Micro ATM must not transmit any confidential data unencrypted on the network. It must automatically log out the operator and lock itself after a period of inactivity.
- Operators must keep all micro ATM software, application, anti-virus regularly updated and educate the customer about basic functionalities and security best practises.
- Customers must render due diligence of securing their PIN and not sharing vital details with strangers.
Micro ATM: It work with minimal power and connect to central banking servers through a GPRS network. It enables the un-banked rural population to access banking services in their villages or towns. It offers facilities of deposit, withdrawal, balance enquiry, issuance of mini-statement and funds transfer.
CERT-In (Indian Computer Emergency Response Team): It is the nodal agency that deals with cyber security threats like hacking and phishing. It is government organisation under Union Ministry of Electronics and Information Technology. It aims to strengthen security-related defence of the Indian Internet domain.