Banking cards’ data worth $3.5mln stolen for online sale

KARACHI: Pakistani banks’ payment cards data worth an estimated $3.5 million have been put on sale at a secretive online hub of stolen card data, depicting the second big infringement on the vulnerable banking system in six months, The News learnt on Friday.

Most of the stolen data were related to the country’s biggest Islamic bank Meezan Bank, Moscow-based anti-fraud firm the Group IB said.

The bank’s top official, however, said the customers’ data is safe. “I have checked there is nothing alarming and Meezan Bank has already taken safety steps and measures to safeguard its customers and card holders,” the official added. “Our customer data is safe and secured.” The Group IB discovered new databases with a total of 69,189 Pakistani banks’ cards that have shown up for sale on the dark web. The total market value of the databases is estimated at nearly $3.5 million.

“It is the second big sale of Pakistani banks’ cards in the past 6 months, which may indicate the activity of advanced financially motivated threat actors in the region,” the international firm that specialises in preventing cyber attacks said in a document.

The State bank of Pakistan earlier raised question over the credibility of the Group-IB report’s revaluations about Pakistan’s bank’s data breach. The central bank has, however, been instructing banks in the past to upgrade their systems to meet any cyber attack challenge in future.

The document, available with The News, showed that Group-IB’s team the databases were released on Joker’s Stash, one of the most popular underground hubs of stolen card data at the end of January. “96 (ninety six) percent of all card dumps, unauthorised digital copies of the information contained in magnetic stripe of a payment card, were related to a single bank - Meezan Bank Ltd,” it said. “Pakistani banks’ cards are rarely sold on underground cardshops. This, and the fact that all the cards came on sale with PIN codes explains the high price, which was kept at $50/card, while usually the price per card on dark web forums ranges from 10 to 40 USD.”

The document showed that first set of dumps – technical epithet for card data – was set up for sale on January 24, 2019 and included 1,535 cards, 1,457 of which were issued by Meezan Bank Ltd. “This batch of cards was not announced on the forum.”

The second database was put up on Joker’s Stash on January 30. The dump comprised of the details of 67,654 cards of Pakistani banks was significantly larger. “The sellers marked the set as ‘high valid’ and, unlike the first set, advertised the database on all major underground forums. 96 percent of all cards in the set were also related to Meezan Bank Ltd,” the document added. Last year, Group-IB ascertained two incidences of payment cards’ data theft that affected Pakistan banks, including Habib Bank, MCB Bank, Allied Bank and BankIslami.