Security firm Sisa issues alert over malware breach of bank payment server
TNN|
Dec 20, 2017, 10.39 AM IST
MUMBAI: Payment security firm Sisa has issued an advisory to all banks and payment processors after it discovered that hackers had managed to insert malicious software into the payment switch server of an unnamed bank. The advisory is in the nature of a warning to other banks to reset passwords for employees with access to payment servers and to use two-factor authentication for providing access.
A Sisa spokesperson said that a malicious script (software code) has been injected into the payment switch application server — the hub which communicates with payment networks. This malicious software is capable of collecting payment card data (including card number, expiry date, CVV and other customer information). The hacker can then use this information to clone cards and conduct transactions. The malicious software also enables transactions by sending fake response to the payment network in respect of the card. The fake responses ensures that no details of the incoming transaction request or outgoing transaction response are logged in the switch application logs.
While the malicious software has been identified, it is not yet clear whether customer accounts have been compromised.
SISA is the payment forensic investigator which investigated India's largest debit card breach last year — which forced one of the biggest debit card reissuance in the country. "We have released this advisory in the interest of proactively securing the payment card industry based on recent findings by SISA PFI (Payment card industry Forensic Investigation) Lab," said a company spokesperson.
In India, banks are not bound to disclose to either the public or their customers about data breach. Lenders do not even report data breaches to peer banks. However, two years ago the RBI had made it mandatory to report such breaches. Also, the central bank, without using names, issues a warning to other banks. The RBI also mandates banks to adopt global payment card industry data security standards (PCIDSS). SISA, which audits the PCI-DSS compliance of banks, has said that some banks are using simple passwords for employees to log into payment servers and has called for two-factor authentication.
A Sisa spokesperson said that a malicious script (software code) has been injected into the payment switch application server — the hub which communicates with payment networks. This malicious software is capable of collecting payment card data (including card number, expiry date, CVV and other customer information). The hacker can then use this information to clone cards and conduct transactions. The malicious software also enables transactions by sending fake response to the payment network in respect of the card. The fake responses ensures that no details of the incoming transaction request or outgoing transaction response are logged in the switch application logs.
While the malicious software has been identified, it is not yet clear whether customer accounts have been compromised.
SISA is the payment forensic investigator which investigated India's largest debit card breach last year — which forced one of the biggest debit card reissuance in the country. "We have released this advisory in the interest of proactively securing the payment card industry based on recent findings by SISA PFI (Payment card industry Forensic Investigation) Lab," said a company spokesperson.
In India, banks are not bound to disclose to either the public or their customers about data breach. Lenders do not even report data breaches to peer banks. However, two years ago the RBI had made it mandatory to report such breaches. Also, the central bank, without using names, issues a warning to other banks. The RBI also mandates banks to adopt global payment card industry data security standards (PCIDSS). SISA, which audits the PCI-DSS compliance of banks, has said that some banks are using simple passwords for employees to log into payment servers and has called for two-factor authentication.
(This article was originally published in The Times of India)
