Unauthorized Transactions Card Services: Fill & Download for Free

The question have following assumptions which are not true:Encryption is a silver bullet for all security related problems. WRONG. It is not.All the banking credit and debit cards were affected. WRONG. The chunk was large i.e. 3.2 M but it is only a subset of total pool.Let’s first understand what happened:According to reports, ATMs of Yes bank maintained by Hitachi Payment Services were infected with malware. So, the ATM itself was compromised. Hence, any magnetic strip based card used on infected ATM was cloned and entered PIN was also recorded by the malware which enabled hackers to clone the card and make the transactions.Such transactions were reported to be made in China. But, banks stopped all this very quickly and the total amount stolen was capped on 1.2 Crore INR (which is very less when we are considering a breach in the bank’s network itself).As we know, Indian banks have made two factor authentication mandatory for all transactions so even after stealing the card details, the only way to use that information was to create a fake card and then use it on a POS (Point of Sale) or an ATM. However, in order to use it online one must know the OTP or Visa/Mastercard secure passcode (and CVV), which was not known to hacker (and pretty much impossible to guess in limited attempts). So, internet based transactions were not possible.So, how encryption was not able to prevent the theft?Encryption can provide the transit and storage security i.e. data while transmitting or in while in rest.In this case, the ATM details and PIN were nor stored on the ATMs neither they were stolen from the bank databases. So, the encryption/access controls responsible for safe storage of these details are not to blame.However, when the user used his card and PIN on the machine, the malware which was monitoring everything, sniffed the details/information. Now, here I don’t think they ever considered the “compromised ATM” scenario while designing the system. So, obviously the system was relying on the ATM to be safe and details entered were not properly protected against the snooping by the ATM itself. So, the problem was not with the encryption but with the threat model used to design the system.Having said that, one might think that a little tweaking of the keypad (to enter PIN) to encrypt/hash the PIN while transmitting to the backend server (which will validate the information) can save the day. As the ATM’s OS will not be able to check the information rendering such malware useless.Yes, the thinking is probably right and it might have worked for this specific case. But, you basically transferred the trust from full ATM machine to a small part of it. And, this defensive modification will also be rendered useless if attacker somehow corrupts/infects the keyboard.So, the baseline is that while designing the system you have to place your trust in some part (for now). If that part is compromised, encryption will not save you.What need to be done to avoid any unauthorized transactions?Banks already asked most of the customers to change the ATM PIN. Without knowing the right PIN, no one can make the transaction. If you have changed you PIN then you are safe. However, even if any transactions are already made on your card and if you inform bank immediately (or at least in 7 days), bank is liable to pay the damages (refund stolen money), as it is a mistake on their end. RBI has rightly asked banks to bear the loss if any and resolve the complaints in 90 days.Will banks return your money, government seeks report; all you need to know about ATM card fraudBanks are also replacing the debit cards which they think might be affected.Apart from that , there is nothing that you can do (except keeping check on your account for any unauthorized transactions).Also, the case of saving credit/debit card details on 3rd party websites (e.g. Makemytrip, paytm)Ashutosh Pandey has mentioned that saving information on such 3rd party websites may lead to card compromise if these services are hacked and hacker somehow got these details. I don’t agree with his views. I am not saying hackers can’t get these details from website’s DB, it is difficult but possible. But, if you have noticed, they never save all of the information, to be specific they only save your name, card number and expiry date but not the CVV. So, this is the first line of defense. Second line of defense is the OTP or Visa/Mastercard secure which will never be in hacked DBs. In case of credit cards, the third line of defense is their monitoring and fraud department. Not sure about all, but most of credit card providers, keep track of sources of transactions and can detect anomalies (sudden large value transaction from China on an Indian card). Even if they don’t do that and if you notify them about the transaction (in 24 hours I guess), they will refund your money under their fraud protection service/scheme. So, unless you give away all of the other details, your card is safe even after the data breach.Don’t worry a lot. The banks and financial institutions mess up some time but they are not lame ducks when it comes to user security. You just need to play your part right and leave rest to them. :pFeel free to point out my mistakes, discuss more or to ask doubts in the comments section. :)Edit:Thanks for showing so much appreciation guys. In order to make more out of it, I am going to update this answer with any useful discussion happened in the comments section.Doubt: As you’ve said “the total amount stolen was capped on 1.2 Crore INR” and we also know as you’ve mentioned “two factor authentication mandatory for all transactions” and some other secure methods to prevent hackers from stealing. Then how was “1.2 Crore INR” stolen?Answer: At that time the PIN was not changed for those cards. So, hackers had both factors of two factor auth i.e. cloned card (what you have) and PIN (what you know).Doubt: OTP is not required if they use the cards on websites which don’t fall under Indian norms.Answer: Yes. I verified the claim and it is true. But, still as per RBI’s guidelines, all debit cards by default are limited to domestic use (only to be used in India). If you want to make international payments you have to ask you bank to allow international use in which case bank will replace your card with EMV card if you current card is only a magnetic strip based one. So, if you haven’t activated international usage on your card, you are still safe.EMV cards: EMV - WikipediaMagnetic card: Magnetic stripe card - WikipediaNow, lets talk about not having OTP on international websites. In its guidelines released in 2013, RBI asked all Indian banks to enforce OTP on all international websites but unfortunately there were complexities in doing so. Hence, there was no clear deadline for doing this and apparently it is still not done. Refer to the following links:Article: RBI Issues Fresh Guidelines For Debit & Credit Cards, Online Money TransfersOfficial circular: Reserve Bank of IndiaBut, CVV is still unknown to hackers (malware operators) and no one can make online transactions without that.What is a CVV Number and How Do I Find It?Thanks for raising doubts. :)Edit 2:John McAfee, founder of MaAfee antivirus and a respected security guy in his interview suggested that contrary to popular belief that this attack was carried by Chinese hackers, the probability of it being an inside job is higher. He also added that bank infrastructure is not state of art when it comes to deal with such breaches. You can read more here: McAfee says, look within to track Indian bank hack - The Economic TimesThanks for 500+ upvotes. If you liked this answer then there is a good chance that you will also find the following questions (and answers) informative.How can I check what people are surfing using my WiFi?Which security measures should I take to not being hacked while using public WiFi?I am using an unsecured Wifi from a neighbor. Can they discover my log in name & password? What about my IP, can they track me with Gmap Location using IP?How can I check what someone is doing if I am sharing my phone hotspot WiFi?If ssl is implemented then sending password without hash/encryt is safe?Which can be the most toughest 6 digit numerical password to crack?Why is amazon.in homepage not encrypted with SSL Digital Certificate?Upvote if you like the answer and follow me for more answers related to WiFi security, Cryptography, IoT security and Cyber Forensics.

Twice, and both times it happened at an Apple store (two different stores). The first time, an associate took my card to a backroom just for a moment. By the time I got home, there was a red flag on my account. Someone was spending an unholy amount of money on iTunes purchases, so the bank blocked it. Second time, I never lost sight of my card, so I don’t know how they pulled it, but shortly after my trip to the store the bank called to ask if I just spent $700 at Lowes. I did not.With Internet purchases, all you need is snap a photo of the back of someone’s card, and if a website has not implemented proper validation rules (e.g. zip code match, which is a must these days), the data might be sufficient to make a purchase. Be extra careful if you buy something with a delivery service, because they would know your zip code. If they put the correct zip code online, your bank might not catch the fraud right away.The worst fraud? When they know your address. They would make a purchase and order it to be delivered to your address. They will monitor your location and pick up the delivery at your doorstep. It is very common in certain industries. In wine retail, for example, there is a large black market for expensive champagne. Thugs would purchase multiple cases of champagne with a postal delivery to an office location where a doorman or concierge would sign for the delivery, then they pick up the cases and skedaddle. It is quite difficult for the credit card owner to prove they had nothing to do with the purchase, unless they have an excellent credit history.

I looked at this question in some detail for a project I am working on. Here is what I learned:Summary:Basic functionality: PayPal is global an supports credit/debit cards and ACH/bank transfers. Dwolla supports bank transfers only.P2P use cases: You can do everything youcan do with Dwolla with PayPal via bank transfer and it is free (justclick "personal" in the description).Commercial use cases: Dwolla is cheaper in almost all commercial use cases, but has an extremely limited user base, takes 2-3 days to transfer money into the system and is US only. The frictions from the small user base and slow transfer time make it most attractive for large dollar transactions or in transaction types that are not supported by other payment providers (e.g., Bitcoin)===========================================Details:Fees:PayPal: 1.9-2.9% + 30 cents; personal transfers by echeck are free; separate rate for micropaymentsDwolla: 25 cents - transactions under $10 freeCoverage:PayPal: Global (almost every economically relevant country)Dwolla: US onlyUsers:PayPal: 100MM+Dwolla: 80K+Payment options:PayPal: Credit cards, debit cards, ACH (echeck), local bank transfer (many markets), local card networks, GreenDot MoneyPakDwolla: ACH (echeck), or "instant" (short term loan program)Deposit protection:PayPal: FDIC pass-through insured for US accountsDwolla: NoneProtection against unauthorized transaction:PayPal: Zero liability for unauthorized transactions that are reported within 60 daysDwolla: None specifiedRegulation:PayPal: Licensed by 40+ US states, FinCEN, EU banking regulators, Austrialian banking regulators, and several other international regulatorsDwolla: Claims it is is exempt from regulation "because of its investors" but waives hands in providing as to any detail as to why.Customer servicePayPal: Lots of complaints - see paypalsucks.comDwolla: Lots of complaints - see .bit.ly/xyngshTop use cases (by payment dollar volume)PayPal: eCommerce (diversified), eBay transactions, Apple iTunes, SkypeDwolla: Bitcoin currency exchange (Mtgox.com $~5 Million/month), large value B2B, rent paymentsDeposit time:PayPal: Instant for Credit card or Instant Transfer (both free to payor), 2-3 days for echeckDwolla: 2-3 days, instant short term loan up to $500 available to payor for $3/month