The Kerala Police have taken three persons into custody in connection with an ATM fraud that allegedly preyed into the “compromised cybersecurity system” of the Kerala Bank.
Three days after the recently formed scheduled State cooperative bank alerted the police of an ATM loot of at least ₹2.4 lakh, the Cyber Crime police nabbed two Kasaragod natives from Tirupur in Tamil Nadu late Wednesday and another from Kozhikode on Thursday. The police remained on the lookout for the involvement of more hands in the case, sources said.
Officials involved in the investigation said the bank raised an alert after finding large sums of cash missing from its ATMs in some districts, including Thiruvananthapuram and Kasaragod, on Monday. In Thiruvananthapuram, the fraud is suspected to have taken place from two ATMs, in East Fort and Nedumangad.
Software drawbacks
The gang is suspected to have exploited the failure of the Kerala Bank to evolve a common software for its banking network. Despite amalgamating the district cooperative banks in the State around two years ago, the bank continued to run on separate softwares in each district. This anomaly could have been factored in by the gang while hatching the conspiracy.
A senior police officer said ATMs usually relied on a switch application server to communicate with the core banking system to validate the user’s bank account details for a requested transaction.
In India, the National Payments Corporation of India (NPCI) facilitates the core banking operations of financial institutions, while its National Financial Switch (NFS) links ATM networks across the country. Normally, the ATM software accepts or declines transactions after receiving information from the NPCI through the switch application server. The NPCI, which serves to ensure that the user possessed the required balance in his account, also oversees the transfer of the withdrawn money from the user’s account to the bank that manages the ATM.
Home bank bypassed
However, in the Kerala Bank case, the fraudsters are believed to have used an ATM card issued by a bank account based in Uttar Pradesh to fool the Kerala Bank ATMs to spit out large amounts without notifying their home bank.
Investigators suspect that the perpetrators managed this by hacking the Kerala Bank’s software and intercepting the transaction request before it reached the NPCI system.
