Pune-based Cosmos Bank loses Rs 94 crore in malware attack

Rs 78 crore withdrawn in 12,000 ATM transactions in 28 countries, transactions in India worth Rs 2.5 crore

Written by Parthasarathi Biswas, Sushant Kulkarni | Pune | Updated: August 15, 2018 4:32:43 am
Customers at the Cosmos Bank’s Gokhale Nagar branch on Tuesday. (Arul Horizon)

In possibly the first-of-its-kind coordinated digital attack on an Indian bank, about Rs 94 crore was illegally withdrawn using cloned debit cards of Pune-based Cosmos Bank through thousands of ATM transactions across the globe within a period of seven hours on Saturday.

About Rs 78 crore was withdrawn in more than 12,000 ATM transactions in 28 countries between 3 pm and 10 pm, India time, on Saturday, Cosmos Bank said. Another 2,800 transactions were made in different places within India, amounting to about Rs 2.5 crore, during the same period. On Monday, Rs 13.5 crore was transferred to a Hong Kong-based entity using the Society for Worldwide Interbank Telecommunications (SWIFT) facility.

Milind Kale, chairman of the 112-year-old cooperative bank, said the illegal withdrawals were enabled by a malware attack which authenticated debit card transactions bypassing the bank’s computerised core banking system (CBS). This would have been preceded by another cyber attack, resulting in data theft of hundreds of the bank’s debit cards. The information on these debit cards would then have been cloned on to fake cards used in physical withdrawal of cash from ATMs across the world.

However, the money illegally withdrawn has not gone out from the individual accounts of the bank’s customers, Kale claimed. Instead, it has gone out from the bank’s corpus.

Kale said the malware had attacked the computer system that allows banks to settle cash dispensation requests raised at ATMs. Once a request is raised by swiping of the card at an ATM, it is transferred to the CBS of the bank using a “switching system”. After checking the available credit in the individual account, the CBS either allows or turns down the request, which is again transmitted to payment systems via the “switching system”.

Kale said the malware created a proxy switching system, which had bypassed the need for validation by the CBS of the bank. The operation of switching systems involves a variety of agencies, including the banks, which participate in the complex yet lightning fast process of dispensing money from the teller machine.
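The flow described above implies a reconciliation check on the issuer side: every approval that reaches the card networks should have a matching authorisation from the CBS. The sketch below is an added example, not the bank's or any vendor's code; the record fields, references, card labels and country placeholders are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a real switch or CBS format.
# Approvals as recorded on the card-network side of the switch.
NETWORK_APPROVALS = [
    {"ref": "T1001", "card": "C-01", "amount": 5000, "country": "X1", "ts": "2000-01-01T15:02:00"},
    {"ref": "T1002", "card": "C-02", "amount": 40000, "country": "X1", "ts": "2000-01-01T15:03:00"},
    {"ref": "T1003", "card": "C-02", "amount": 40000, "country": "X2", "ts": "2000-01-01T15:05:00"},
    {"ref": "T1004", "card": "C-02", "amount": 40000, "country": "X3", "ts": "2000-01-01T15:09:00"},
    {"ref": "T1005", "card": "C-03", "amount": 2000, "country": "X1", "ts": "2000-01-01T15:10:00"},
]
# Authorisations the CBS itself recorded after checking account balances.
CBS_AUTHS = [
    {"ref": "T1001", "card": "C-01", "amount": 5000},
    {"ref": "T1005", "card": "C-03", "amount": 2000},
]

def unbacked_approvals(network_approvals, cbs_auths):
    """Return approvals seen by the network that the CBS never authorised."""
    authorised = {(a["ref"], a["card"], a["amount"]) for a in cbs_auths}
    return [t for t in network_approvals
            if (t["ref"], t["card"], t["amount"]) not in authorised]

def velocity_alerts(txns, window=timedelta(minutes=10), max_countries=1):
    """Return cards approved in more than max_countries countries within one window."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append((datetime.fromisoformat(t["ts"]), t["country"]))
    alerts = {}
    for card, events in by_card.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for ts, c in events[i:] if ts - start <= window}
            if len(seen) > max_countries:
                alerts[card] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for t in unbacked_approvals(NETWORK_APPROVALS, CBS_AUTHS):
        print("approved without CBS authorisation:", t["ref"], t["card"], t["amount"])
    print("multi-country velocity:", velocity_alerts(NETWORK_APPROVALS))
```

The first check only works if the CBS-side record is collected independently of the switch, since a compromised switch cannot be trusted to report its own approvals.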

Managing Director of the bank Suhas Gokhale registered an FIR with Chatushrungi police station on Tuesday. The case was later transferred to the Cyber Crime and Economic Offences Wing of the city police. “It is primarily a case of a malware attack on a key system of the bank. Our investigation has begun and legal course of action will follow,” Jyotipriya Singh, deputy commissioner (Cyber and EOW) said.

Kale said the attack seemed to have originated in Canada and ATM transactions were carried out in 28 other countries which he refused to identify. He said the bank became aware of the attack when it noticed unusual and repeated transactions on its VISA and Rupay card payment systems. The bank immediately suspended its VISA and Rupay debit card payments to stop further damage, he said.

The CBS of the bank, which houses all the data of its customers, has remained untouched in the attack, the bank said. Also, internet and mobile banking payment systems of the bank were not attacked, but they have been suspended to pre-empt further attacks. “Our physical branches will be dispensing cash and ample provisions have been made to ensure that day-to-day business of our customers do not get affected,” Kale said.

“As per our contract with VISA, settlement is done a day after the transaction and thus on Monday we have transferred Rs 78 crore to the company,” Kale said. The settlement, however, is open to rectification, he said. Kale said instructions had also been issued to freeze the Rs 13.5 crore amount which was transferred by the SWIFT mode. The bank has appointed an independent professional forensic agency to investigate the attack.

A senior police officer said, “All observations of bank officials have been recorded. A key starting point for the investigation will be a cyber forensic analysis of these transactions. Withdrawals that have taken place in India will possibly provide important clues to us.”
