"Almost all Pakistani Banks' Data Has Been Breached," And For Sale On The Dark Web

07/11/2018

Pakistan’s Federal Investigation Agency (FIA) said that major banks in the country have suffered a major cyber attack affecting more than 20,000 users.

"Almost all [Pakistani] banks' data has been breached. According to the reports that we have, most of the banks have been affected," said FIA’s director of cybercrime Mohammad Shoaib, following a previous report from a global cyber security firm, which said that hackers had released a dump of Pakistani credit and debit cards on dark web forums.

The news followed a cyberattack on BankIslami Pakistan a week earlier that siphoned off at least $20,000 from its accounts.

This forced at least six Pakistani banks to suspend the use of their debit cards outside the country and to block all international transactions on their cards.

The second data dump, which details the 11,000 cards belonging to customers from the 21 affected Pakistani banks (PakCERT)

The FIA has written to the banks in question, summoned the banks' representatives, and pointed out that the banks are responsible for ensuring the security of their clients' data. If a bank’s security infrastructure is weak, then the bank is to be held responsible for any breach, Shoaib added.

The meeting is also to look into ways the security infrastructure of banks can be bolstered.

"Banks are the custodians of the money people have stored in them," Shoaib said. "They are also responsible if their security features are so weak that they result in pilferage."

"More than 100 cases (of cyberattacks) have been registered with the FIA and are under investigation. We have made several arrests in the case, including that of an international gang last month," continued Shoaib.

The State Bank of Pakistan (SBP) said that banks themselves were not hacked. "It has been noted with concern news items reporting that the data of most banks has been hacked. SBP categorically rejects such reports," a statement from the central bank said.

This is further supported by a report from the Pakistan Computer Emergency Response Team (PakCERT), which details the timeline and scale of the data leaks. The report backed the SBP’s claim and said that the data was most likely leaked through card skimming.

Card skimmers are devices that copy and store the details contained in the magnetic stripe of any credit card they come into contact with. Using this illegally obtained data, criminals can commit credit card fraud.

PakCERT said that either some visitors to Pakistan performed the skimming, or locals executed the theft by partnering with groups outside the country.

According to the report, the first dump appeared on a dark web forum on 26th October 2018 with information about over 9,000 debit cards. This was followed by a second dump containing more than 11,000 records, which also appeared on the dark web.

The more than 20,000 cards that were up for sale cost anywhere between $100 and $160.

About a week later, cybersecurity firm Group-IB found that another dump had appeared on the dark web, this time with the details of 177,878 users.

The report noted that the dump appeared on the dark website Joker Stash on November 13. Of the total number of cards, 150,632 were cards of Pakistani banks, 16,227 were cards of other regions’ banks, and 11,019 were cards of undefined banks.