This week, BankIslami became the target of one of the most devastating cyber attacks in Pakistan. The attack caused millions in losses and invited tons of bad press for the institution. The hack was majorly targeted towards debit card users, who were notified of cash withdrawals from their accounts (without their consent and knowledge), through automated text messages from the system.
BankIslami initially denied that the incident occurred. However, it quickly understood the gravity of the situation and proceeded to fully lock down its system and forbid any transactions through ATMs, POS or any other banking channel.
Before the bank could take some preventive measures, transactions worth $6.5 million were processed by International Payment Switch, out of which (according to BankIslami) PKR 2.6 million were cleared by the Bank while the rest of the transactions were denied or not approved.
While the bank has refunded the amount that was deducted from account holders, the threat is still very much there as evident from the fact that not all banking channels have been cleared by BankIslami.
In fact, in addition to BankIslami, there are many other Pakistani Banks who have disabled the use of their debit and credit cards from abroad.
While we know what has happened, it would be interesting to find out the chain of events that triggered the hack. This will also help us determine the response to similar cyber attacks in the future.
For those who don’t know, the hackers had the data of debit card holders — including names, card numbers, CVV codes and expiry dates — on a file. They simply had to duplicate these cards with the information they had to be able to use these debit cards at POS machines.
You may have observed how mobile phone companies write SIM cards whenever we request them for duplicate SIMs. They simply transfer customer information on an empty SIM, and its ready for use within seconds.
In a similar manner, there are debit card writers that can load information on empty debit cards and are ready for use when done.
These hackers essentially loaded the bank account holders’ information on empty cards and swiped them on POS machines, or withdrew cash from ATM machines from abroad.
While we know that hackers had bank account holders’ information available on a file, the question that arises is how they managed to get this information in the first place?
While we can not say with certainty, however, here are a few tried and tested ways of hacking customers’ data:
So once this data is compromised, it is compiled into a dump which’s then sold online, usually over the dark web.
According to Rafay Baloch, an accomplished white hat hacker, he has pinpointed evidence that this BankIslami hack was related to a data dump that was being sold on the Dark web.
Other than Rafay Baloch, there is more evidence confirming that the data dump was sold on the Dark Web. Group-IB, a threat-meditation firm, confirmed the existence of a dump named “PAKISTAN-WORLD-EU-MIX-01”, which was made available on the dark web on October 26th, 2018.
Not to mention, BankIslami had blocked the transactions happening from abroad, which means that there are still more cards out in the open that may result in further monetary losses in the future.
For now, Pakistani banks need to get their act together and invest in more secure systems. The recent hack, once again, demonstrates that we simply cannot ignore the importance of securing our systems more.
In this age and time, one — particularly the financial institutions — is supposed to be on their toes, all the time, to ensure the protection of data as well as their customers’ trust.
