Pakistan’s banking system has been hit by the ‘biggest cyber attack in country’s history’.
Data from 19,864 cards belonging to customers of 22 Pakistani banks has been put on sale on the dark web, according to an analysis by Pakistan’s Computer Emergency Response Team, PakCERT.
It all started in mid-October when some customers of Bank Islami received text messages, alerting them of transactions (withdrawal of money), which they didn’t do. Noticing the abnormal transactions of Rs.2.6 million, Bank Islami blocked its international payment scheme on October 27.
It was a coordinated cyber attack in which the payment network of Bank Islami and the international payment scheme was compromised. Hackers made these transactions on international ATMs using cards issued by the bank.
In the wake of this incident, the central bank instructed all commercial banks to ensure the security of all payment cards in the country and monitor usage of their cards, especially international transactions.
However, when PakCERT investigated the cyber attack, it emerged that data of almost 20,000 debit cards was compromised—this may also explain the messages some of you have received from your banks recently, informing your card has been blocked for international transactions for security reasons.
“On 26th October 2018, a data dump was posted on the dark web with over 9,000 debit cards, most of which belonged to customers of Pakistani banks,” says PakCERT. “Just when everyone thought the storm is over, on 31st October 2018, a second dump of over 12 thousand cards was posted on Darknet, comprising of 11000 cards from Pakistani banks,” it said.
Bank Islami was the only bank that came to limelight, but the report says thousands of debit cards of 21 other banks were up for sale on the dark web. Known to be the hotbed of criminal activities, the dark web can’t be accessed without using Tor, a software that enables anonymous communication.
The sale price for these cards ranged from $100 to $160. Among all banks, HBL, the largest bank in the country, was worst hit with more than 8,000 cards, followed by UBL, Standard Chartered Bank, MCB, and Meezan Bank with more than 1,000 cards each. Bank Alfalah, Bank Islami and Bank of Punjab were among banks that saw more than 500 of their cards being dumped on the dark web.
According to PakCERT, the hacked credit card data is available in two formats. First is text-based credit card details: full name, address, phone number, card number, and expiry which can be easily used by someone for illegal online purchases. The second format is skimmed dumps, which means the hacker was physically able to scan the card details possibly at a compromised ATM or merchant machine.
These skimmed card details are used to create a duplicate card which can then be used at an ATM or merchant machine for illegal transactions.
In addition to data of Pakistani customers, cards belonging to banks outside Pakistan like National Bank of Abu Dhabi, Abu Dhabi Islamic Bank, Emirates Nbd, Commonwealth Bank of Australia, Citibank USA, were also dumped, which shows that it includes data from visitors who travelled to Pakistan during this time and used one of the compromised ATM or merchant machine, the report says.
This is still an unfolding story since PakCERT is assessing other information obtained from these dumps, Qazi Mohammad Misbahuddin Ahmed, the author, told SAMAA Digital. More revelations will be made in the next report, he said.
Referring to people who could be behind the attack, Ahmed said the people who did the skimming could be visitors from outside Pakistan, who may have used the cards themselves and later dumped them for sale on the dark web. Or they could be people within Pakistan who helped a more advanced group outside Pakistan to make some profit.
This is not the first time, Pakistani banks were hacked. Cyber attacks are taking place almost every day.
In December, a major skimming attack took place when ATMs of HBL were targeted. The issue was highlighted some arrests were made, but it turns out banks are still vulnerable to such attacks.
PakCERT says that statistics about the compromised cards in both dumps will be made available on their website. In the meantime, many banks have blocked international transactions of their customers’ debit and credit cards while others have sent text messages to customers, telling them their accounts are safe. Other than Bank Islami, no bank has publicly reported if any money was stolen from their account, so it is unclear which customers are at risk.
The central bank’s spokesperson didn’t respond to our queries when this report was filed.