Co-operative Banks- A Cybersecurity disaster waiting to happen

May 18, 2020 0 comments

The covid-19 crisis has redefined how we work and communicate with each other. While technology has ensured business continuity, it has opened a pandora box of sorts. At one end, it has resulted in faster adoption of digital banking and other technologies, however, the at the other end, it has made us vulnerable to cyber-attacks and online fraud.

As India embraces online banking, the digital literacy of its masses has not kept pace. In a report released by Subex, a Bengaluru-based analytics firm, for April, May and June of 2019, India faced the most cyber-attacks in the world while the US was the most cyber-targeted nation in the year 2019.

India’s bank customers are particularly vulnerable to fraud. In fact, a review of the major cyber-attacks on India’s computer networks since 2010 demonstrates that the financial sector has been the most hit by unauthorised access and data breach. India ranks fourth in cyberattacks globally and in recent times this has only increased.

While RBI has made cybersecurity mandatory for banks and set up a protocol for security implementation and attack reporting as early as December 2019, the covid crisis has thrown caution to the wind.

 

The Ever-increasing cyber attack

State Bank of India, India’s largest nationalized bank, left one of their servers unprotected, possibly exposing the data of its 422 million customers to malicious hackers.  The server, situated in Mumbai, contained bank accounts numbers, bank balances and phones of customers.

Earlier in 2016 Hitachi Payment Services were hit by a malware attack, which resulted in losses worth Rs. 1.3 crores and forced 19 Indian banks to replace more than 30 lakh debit cards. In the same year, the Union Bank of India breach allowed hackers to siphon $170 million from its foreign-exchange account. A timely intervention by the bank successfully retrieved the stolen money. However, not all are as lucky as the Union Bank of India, the money was only partially recovered in the City Union Bank breach of 2018. Around the same time, Canara bank ATM servers were targeted and around Rs. 20 lakh was wiped off from various bank accounts.

The year 2018 started with a massive data breach of personal records of 1.1 Billion Indian Aadhaar cardholders. UIDAI revealed that around 210 Indian Government websites had leaked Aadhaar details. Data leaked included Aadhaar, PAN and mobile numbers, bank account numbers, IFSC codes and mostly every personal information of all individual cardholders. If it wasn’t enough, anonymous sellers were selling Aadhaar information of any person for Rs.500 over Whatsapp. Also, one could get any person’s Aadhaar car printout by paying an extra amount of Rs.300.

In another unrelated but equally grave incident, GroupIB, a Singapore-based cybersecurity company, found out that more than 1.3 million credit and debit card details from Indian banks were held for sale on the dark web! GroupIB has refused to reveal the names of the banks but has stated that the data breach has impacted the largest of Indian banks.

 

Co-operative banks, the dark side of the moon

If one goes by the above reported data on state of cyber preparedness of nationalised and private banks, it is only to be fearfully imagined the extent of cybersecurity readiness of the much inferior co-operative banks.

In late 2018, Cosmos Bank, India’s second largest co-operative bank, bore the brunt of weak cybersecurity measures, when hackers siphoned off over Rs. 94 crore through a malware attack on one of its servers.

Later in May 2019, a little-known cooperative bank called Urban Cooperative got hacked and as a result lost Rs. 68 lakhs from one of its biggest accounts. In December 2019, data leak from insiders led to the loss of Rs. 29 crores from Shamrao Vitthal Co-operative Bank. If that is not all, even a bank as small and lesser known as the Chembur Nagarik Sahakari bank, which has only 10 branches and serves customers located in the Chembur suburb of Mumbai has reported hackers trying to attack its servers.

The above isn’t an exhaustive picture of cybersecurity breaches in co-operative banks; a lot of incidents go unreported either because the banks don’t realize a data breach in the first place or fear reputation loss. And this just the tip of the iceberg.

According to RBI there are 1,544 urban co-operative banks and 96,248 rural co-operative banks in India. The latter account for 64.7% of the total assets of the co-operative sector.  The asset value of Urban Co-operatives banks itself exceed Rs 5632 billion.

RBI data shows that during the period 2008-17, banks in India faced 130,000 reported cases of cyber fraud involving an estimated Rs 700 crore. In comparison to the asset value held by the banks this is really small, however, a severe cyber-attack can result in bank failure even when no money is lost directly.

Moreover, the aforementioned incidents happened when there was no pandemic plaguing the world, when employees weren’t as vulnerable to attackers lurking in the shadows as they are now, when they have no other choice but to work on their personal devices over relatively unsecure home networks.

Although some of the co-operative banks may have begun complying with guidelines laid down by the Reserve Bank of India, the coronavirus outbreak has most certainly disrupted the existing cybersecurity measures ushering in a sense of urgency.

Author:

Shomiron Das Gupta, Founder and CEO, DNIF Nextgen Security Platform

With his extraordinary skill set as an intrusion analyst and immense passion for tech advancements, he has been building threat detection systems for close to two decades and has established partners in 14 countries across several industries like healthcare, insurance, transport, banking, and media.

Prior to founding and developing DNIF a product that delivers quality attack detection products and services to its customers, he worked with ICICI Infotech Ltd. as a Senior Consultant, where his core responsibility was to solve critical cybersecurity challenges faced by customers.

Shomiron, a TedX speaker, is also an eminent speaker at many industry events including DSCI (Data Security Council of India) and SACON (TheSecurity Architecture Conference).

He is an alumnus of St. Xavier’s college. Outside the tech world he is a trained mountaineer with expedition experience in the Himalayas.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.