
Pakistan: Banks Weren't Hacked, But Card Details Leaked

Card Details From 22 Banks Appeared on Underground Market
Pakistan's 1000 rupee note, worth about US$7.50. (Source: Wikipedia/CC)

Pakistan says the nation's banks have not been hacked, but adds that they are taking defensive steps after nearly 20,000 payment card details appeared for sale online. The State Bank of Pakistan says banks are implementing restrictions on international transactions.


The State Bank of Pakistan on Tuesday refuted news reports that many banks in Pakistan had suffered data breaches.

"There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency," the central bank says in a statement.

SBP did note that one bank was reportedly compromised on Oct. 27, but says that a data breach did not occur. It did not provide further details.

Instead, card details may have been harvested from ATMs or merchant point-of-sale machines in skimming attacks. The confusion may have arisen after a comment from an official at Pakistan's Federal Investigation Agency, or FIA.

Reuters reports that the head of the FIA's cybercrime unit, Mohammad Shoaib, told two television stations in interviews that "almost all" banks had been hacked, resulting in large amounts of money stolen.

Abnormal Transactions

As a result of the payment card breach, SBP says some banks have implemented restrictions on the use of payment cards internationally, as well as requiring approval from customers prior to an international transaction.

In a report issued Sunday, the Pakistan Computer Emergency Response Team, PakCERT, described in detail the card breach, which affected credit and debit cards issued by 22 banks. More than 8,000 of the leaked cards were issued by Habib Bank. PakCERT is a private consulting company.

PakCERT's report on the payment card breach

The incident came to light in mid-October when some banking customers began receiving alerts for transactions they didn't make on their accounts, writes Qazi Mohammad Misbahuddin Ahmed of PakCERT.

One bank, BankIslami, shut down international transactions after noticing about 2.6 million rupees (US$20,000) in "abnormal" transactions, Ahmed writes. Reuters reports that BankIslami has since refunded the affected customers.

"Subsequently, several other banks issued security alerts and either completely blocked customers' debit and credit cards or blocked their online and international use," Ahmed writes.

Then, 9,000 debit cards from nine Pakistani banks were advertised on an underground forum where stolen card data is traded. Prices for the card details range from $100 to $135, with higher prices for Visa and MasterCard gold and platinum cards.

A screenshot of Pakistani payment cards for sale on a forum (Source: PakCERT)

Ahmed writes that those prices are surprising, because the spending limit for cards issued in Pakistan is usually lower than for cards issued in the U.S.

Second, Larger Dump

On Oct. 31, a second batch comprised of 12,000 cards from 21 banks was posted for sale, Ahmed writes.

The payment details were offered in two formats. One includes the cardholder name, address, phone number, card number, expiry date and CVV2, Ahmed writes. The other format is skimmed card details, which may have been collected from an ATM or a merchant, Ahmed writes.

A small number of card details from banks outside Pakistan were affected, including from Commonwealth Bank of Australia, Citibank, National Bank of Abu Dhabi, Abu Dhabi Islamic Bank and Emirates NBD.

Ahmed writes that the second dump "shows it includes data from visitors who traveled to Pakistan during this time and used one of the compromised ATMs or merchant machines."


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



