Banking regulator Reserve bank of India’s move to use ethical hacking experts to check cyber security vulnerabilities of banks has exposed chinks in the armour of four state-owned banks, sources involved with the operation said.
Reserve Bank of India decided to ethically break into the IT systems of banks. In the first phase, the focus will be on PSU banks because they have more vulnerable systems than private banks.
There are 27 state-owned, 30 private and 40 foreign banks in India. The RBI did not respond to an email seeking its response for this story.
“RBI is looking at international standards when it comes to protecting itself and banks from cyber-attacks. The regulator is planning a mix of ethical hacking, planned and unplanned audits of banks’ security systems to ensure that best practices are followed strictly ,“ a person who is involved with the matter said.
In the last couple of months, RBI has put together a small team which looks into cyber vulnerabilities of Indian banks. The team consists of young ethical hackers and some former senior police officers.
The team would be headed by Nandkumar Sarvade, a retired IPS officer and an expert in bank fraud and terrorism cases. RBI has sought outside help from experts on several occasions earlier too.
The top 51 banks in India have lost Rs 485 crore from April 2013 to November 2016, finance ministry data showed. Of this, 56% was lost due to net-banking thefts and card cloning. As per estimates, there are at least 15 ransomware attacks per hour in India and one in three Indians fall prey to it.
“Knowing spends of Indian banks on cyber security versus their US counterparts, we still have a long way to go when it comes to being equally mature against sophisticated cyber-attacks. Banks, however are the more matured among other industries like manufacturing, hospitality and healthcare where the focus on cyber security is still extremely low,“ said Saket Modi, CEO of Lucideus Tech.
Modi and a dozen techies at Lucideus, the company he co-founded, worked with the RBI in the past for protecting Unified Payments Interface (UPI) from hackers.