Security firm Sisa alerts banks on malware attack

Mumbai: Payment security firm

Sisa

has issued an advisory to all banks and payment processors after it discovered that hackers had managed to insert malicious software into the payment switch server of an unnamed bank. The advisory is in the nature of a warning to other banks to reset passwords for employees with access to payment servers and to use two-factor authentication for providing access.

Speaking to TOI, a Sisa spokesperson said that a malicious script (software code) has been injected into the payment switch application server — the hub which communicates with payment networks. This malicious software is capable of collecting payment card data (including

card number

, expiry date,

CVV

and other customer information). The hacker can then use this information to clone cards and conduct transactions. The malicious software also enables transactions by sending fake response to the payment network in respect of the card. The fake responses ensures that no details of the incoming transaction request or outgoing transaction response are logged in the switch application logs.

While the malicious software has been identified, it is not yet clear whether customer accounts have been compromised.

SISA is the payment forensic investigator which investigated India’s largest debit card breach last year — which forced one of the biggest debit card reissuance in the country. “We have released this advisory in the interest of proactively securing the payment card industry based on recent findings by SISA PFI (Payment card industry Forensic Investigation) Lab,” said a company spokesperson.

In India, banks are not bound to disclose to either the public or their customers about data breach. Lenders do not even report data breaches to peer banks. However, two years ago the RBI had made it mandatory to report such breaches. Also, the central bank, without using names, issues a warning to other banks. The RBI also mandates banks to adopt global payment card industry data security standards (PCI-DSS). SISA, which audits the

PCI-DSS

compliance of banks, has said that some banks are using simple passwords for employees to log into payment servers and has called for two-factor authentication.

“In the light of the recent finding, SISA suggests to the industry to implement internationally renowned Security Standards like PCI-DSS and PA (payment application)-DSS. SISA also urge Regulators and Government of India to mandate these security standard to be followed religiously,” the statement said.