Pakistan: Banks Weren't Hacked, But Card Details LeakedCard Details From 22 Banks Appeared on Underground Market
Pakistan says the nation's banks have not been hacked, but adds that they are taking defensive steps after nearly 20,000 payment card details appeared for sale online. The State Bank of Pakistan says banks are implementing restrictions on international transactions.
The State Bank of Pakistan on Tuesday refuted news reports that many banks in Pakistan had suffered data breaches.
"There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency," the central bank says in a statement.
SBP did note that one bank was reportedly compromised on Oct. 27, but says that a data breach did not occur. It did not provide further details.
Instead, card details may have been harvested from ATMs or merchant point-of-sale machines in skimming attacks. The confusion may have arisen after a comment from an official at Pakistan's Federal Investigation Agency, or FIA.
Reuters reports that the head of the FIA's cybercrime unit, Mohammad Shoaib, told two television states in interviews that "almost all" banks had been hacked, resulting in large amounts of money stolen.
As a result of the payment card breach, SBP says some banks have implemented restrictions on the use of payment cards internationally, as well as requiring approval from customers prior to an international transaction.
In a report issued Sunday, the Pakistan Computer Emergency Response Team, PakCERT, described in detail the card breach, which affected credit and debit cards issued by 22 banks. More than 8,000 of the leaked cards were issued by Habib Bank. PakCERT is a private consulting company.
The incident came to light in mid-October when some banking customers began receiving alerts for transactions they didn't make on their accounts, writes Qazi Mohammad Misbahuddin Ahmed of PakCERT.
One bank, BankIslami, shut down international transactions after noticing about 2.6 million rupees (US$20,000) in "abnormal" transactions, Ahmed writes. Reuters reports that BankIslami has since refunded the affected customers.
"Subsequently, several other banks issued security alerts and either completely blocked customers' debit and credit cards or blocked their online and international use," Ahmed writes.
Then, 9,000 debit cards from nine Pakistani banks were advertised on an underground forum where stolen card data is traded. Card details range from $100 to $135, with higher prices for Visa and MasterCard gold and platinum cards.
Ahmed writes that those prices are surprising, because the spending limit for cards issued in Pakistan is usually lower than for cards issued in the U.S.
Second, Larger Dump
On Oct. 31, a second batch comprised of 12,000 cards from 21 banks was posted for sale, Ahmed writes.
The payment details were offered in two formats. One includes the cardholder name, address, phone number, card number, expiry date and CVV2, Ahmed writes. The other format is skimmed card details, which may have been collected from an ATM or a merchant, Ahmed writes.
A small number of card details from banks outside Pakistan were affected, including from Commonwealth Bank of Australia, Citibank, National Bank of Abu Dhabi, Abu Dhabi Islamic Bank and Emirates NDB.
Ahmed writes that the second dump "shows it includes data from visitors who traveled to Pakistan during this time and used one of the compromised ATMs or merchant machines."