This blog is written by Mr. Kusmankar, student of Lloyd Law College, Greater Noida.
Skimming is a type of fraud which occurs when an ATM is compromised by a skimming device, a card reader which can be disguised to look like a part of the machine. The card reader saves the user's card number and PIN code, which are then replicated into a counterfeit copy for theft.
This article deals with the steps taken by RBI, in chronological order, to make electronic transactions secure and foolproof.
1. A Working Group was established by RBI in March 2011 to address the problem of skimming
It was noted that Card Present (CP) transactions (transactions at ATM and POS delivery channels) constitute the major proportion of card-based transactions in the country. Although PIN validation is necessary for cash withdrawal at ATMs, the majority of card transactions at POS are not enabled for any additional authentication (other than signature). A majority of the cards issued by banks in India are magstripe cards, and the data stored on such cards is vulnerable to skimming and cloning.
The Group has noted that Aadhaar biometric data would serve as a secure second factor of authentication even for magnetic stripe cards, obviating the need to mandate a switchover to the EMV Chip and PIN card regime, which has cost implications for the industry. The Group has recommended that the need for a move to EMV chip cards could be considered after 18 months, depending on the progress of Aadhaar.
While the RBI is processing the report, we are aiming at a secure 2FA for all card-present transactions without being prescriptive about the technology to be deployed for the purpose.
2. Moving further, the Reserve Bank of India on 22nd Sep 2011, based on the report submitted by the Working Group, directed that immediate action be initiated to accomplish the following tasks within the time indicated.
Infrastructure / readiness for card acceptance
- Commercial readiness of the acquiring infrastructure to support PIN for POS transactions, and readiness of the POS infrastructure to accept EMV chip cards, has to be completed by June 30, 2013.
- Enablement of all POS terminals to accept debit card transactions with PIN has to be completed by June 30, 2013.
- Banks and other stakeholders were also ordered to be ready from a technical perspective to issue EMV cards by June 30, 2013. It is, however, clarified that banks are free to migrate to EMV Chip and PIN based technology based on their commercial judgment and decisions taken by their Boards.
3. On May 7, 2015, it was further decided to migrate completely from magnetic-stripe-only cards to EMV Chip and PIN cards within a given time frame.
- The Reserve Bank has adopted a phased manner of implementation of security and risk mitigation measures in card transactions, as evident from the instructions issued from time to time. The acceptance infrastructure is getting geared to accept EMV Chip and PIN cards.
- However, in the case of card issuance, while some banks have already moved to EMV Chip and PIN card issuance, a large number of banks continue to issue magnetic stripe cards.
- Thus, given the level of readiness of the card acceptance infrastructure at the point of sale and also the implementation of PIN@POS for debit cards, the time is appropriate to move further along the path to migrate away from magnetic-stripe-only cards to Chip and PIN cards.
- Accordingly, banks are advised that with effect from September 01, 2015 all new cards issued – debit and credit, domestic and international – by banks shall be EMV Chip and PIN based cards.
- The migration plan for existing magnetic-stripe-only cards will be framed in consultation with stakeholders, and a timeline for the same will be advised in due course.
4. ATMs: Security and Risk Mitigation Measures for Card Present Transactions, Aug 27, 2015
- While the POS terminal infrastructure in the country has been enabled to accept and process EMV Chip and PIN cards, the ATM infrastructure, on the whole, continues to process card transactions based on data from the magnetic stripe. As a result, ATM card transactions remain vulnerable to skimming, cloning and similar frauds, even though the cards are EMV Chip and PIN based. It has, therefore, become necessary to mandate EMV Chip and PIN card acceptance and processing at ATMs also. Contact chip processing of EMV Chip and PIN cards at ATMs would not only enhance the safety and security of transactions at ATMs but also facilitate preparedness of the banks for the proposed “EMV Liability Shift” for ATM transactions, as and when it comes into effect.
- Banks in India and the White Label ATM operators are, therefore, advised to ensure that all the existing ATMs installed/operated by them are enabled for processing of EMV Chip and PIN cards by September 30, 2017. All new ATMs shall necessarily be enabled for EMV Chip and PIN processing from inception. For the purpose of switching, clearing, and settlement of their ATM transactions, banks, with the approval of their Board, may join any authorized ATM/card network provider.
- Further, in order to ensure uniformity in the card payments ecosystem, banks shall also implement the above requirements at their micro-ATMs which are enabled to handle card-based payments.
- A quarterly progress report should be sent to the Chief General Manager, Reserve Bank of India, Department of Payment and Settlement System, Central Office, Mumbai in the appended format for the quarter ending June/Sept/Dec/March by the 15th of the month following the quarter-end.
5. Control measures for ATMs – Timeline for compliance, June 21, 2018
- The slow progress on the part of the banks in addressing the issue of many ATMs running on an unsupported version of the operating system (Windows XP) has been viewed seriously by the RBI. The vulnerability arising from the banks’ ATMs operating on an unsupported version of the operating system, and the non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely, apart from such occurrences, if any, impinging on the image of the bank.
- In order to address these issues in a time-bound manner, banks and White Label ATM Operators are advised to initiate immediate action in this regard and implement the following control measures as per the prescribed timelines indicated against each:
| No. | Control Measures for the ATMs | To be completed by |
|---|---|---|
| a. | Implement security measures such as BIOS password, disabling USB ports, disabling the auto-run facility, applying the latest patches of the operating system and other software, terminal security solution, time-based admin access. | August 2018 |
| b. | Implement anti-skimming and whitelisting solutions. | March 2019 |
| c. | Upgrade all the ATMs with supported versions of the operating system. Such upgrades shall be carried out in a phased manner to ensure that, in respect of the existing ATMs running on unsupported versions of the operating system, | |
| | i. Not less than 25% of them shall be upgraded by | September 2018 |
| | ii. Not less than 50% of them shall be upgraded by | December 2018 |
| | iii. Not less than 75% of them shall be upgraded by | March 2019 |
| | iv. All of them shall be upgraded by | June 2019 |
6. Steps to be taken by the customer in spotting a skimmer
- All you need to do is check the ATM machine prior to using it.
- The card reader section might protrude more than usual on a machine that has been tampered with. If a keypad on the ATM seems to protrude oddly, check it, for it might be a fake.
- Cover the ATM keypad whenever you enter your ATM PIN.
- Register for SMS updates to stay up to date with your bank transactions. This will help you get an alert when a suspicious transaction is done using your card. In the case of fraud, it needs to be reported as soon as possible.
- The bank that has issued you the card will pay you back the money. If prima facie it is established that you are a victim of skimming fraud, the bank makes the payment upfront.
- According to the RBI, the customer liability will be zero in a case where the unauthorized transaction occurs in a third-party breach where the deficiency lies neither with the bank nor with the customer, but elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the transaction.