Aneesh Bhargav
January 18, 2014


Card breaches have been the central discussion point of many a portal on the "interwebs". RAK Bank in the UAE reported a credit card fraud amounting to about $45 million on their prepaid cards. The story became viral almost as soon as it was known. Sometime in February another bank from the middle east, Bank Muscat had a similar breach of about $40 million on their prepaid cards. What's interesting here is that both these banks had their breaches traced back to India. BankMuscat utilized a company called "enStage" based in Bangalore for their processing their payments and managing/setting up their payment systems. Similarly, RAKBank utilised ElectraCard in Pune for similar services. This is common in the world of payments and card data. These companies that provide services are called "Third Party Processors". These breaches have gained notoriety and have been identified for their similarity in terms of a single attribute. Their processing and software products/services being delivered in India, by Indian companies. This has become a big problem for Indian software and will become a more pernicious in days to come, if it goes unchecked.

Indian companies have been major players in the space of payments and payment processing. I have been working with card security for about 6 years now and I see several banks in the APAC region and the ME region utilising Indian card processing products and services. Indian card processing products and services have been known to be highly functional and detail oriented. However, security may be something that many of these companies have to seriously look into. With some details emerging from both these breaches, it seems that in all likelihood that these attacks might have stemmed from vulnerable applications and/or infrastructure maintained by the Indian software companies managing the payments infrastructure of these two banks.

Application attacks are not uncommon. Since 2009 attackers have constantly targeted web based applications and online applications. The reason is simple. "Economies of Scale". Payment Applications handle millions of card transactions on a daily basis. They are closest to the data. Hence, they become extremely valuable to an attacker. All the attacker must do is to compromise a single critical application, and he/she has access to millions of cardholder data records. Since the year 2005, with the CardSystems breach (another payment processor in the US was hacked due to weak applications) and the 2009 Heartland Security Breach (200 million cards stolen due to application attack on payment processor), application attacks have been the weapons of choice for attackers. The attacker uses this compromised data to regenerate fake cards and eventually go on a withdrawal/shopping spree. Applications have also been a weak link for most organisation. Research by several bodies all over the world shows that about 60-70% of web applications deployed are vulnerable to serious application attacks. The worst part of the story is organisations still don't have much of an idea with respect to application security and its adequacy in their products/services.

Web and mobile based applications are becoming the new reality for the world of payments. There are several software product and services companies developing sophisticated applications around payments and payment processing. However, in my own experience, I find that most of these companies have very little expertise with reference to security, specifically to web application security. Indian Software and Software Product companies must invest time, energy and resources into gaining deep insight into application security expertise. They must ensure that their software products and services is constantly subject to validation and monitoring for data leaks and other security issues.

This is a wake-up call to Indian Software Product and Services companies. They must demonstrate and constantly maintain security capabilities and vigilance on par with the best in the west. Otherwise, I fear that such security breaches would trigger a wave of fear and distrust among users and buyers of these software products, that may be extremely competent with functionality, but lose out due to lack of security.