“A mess” sums up the last couple of weeks for the banking industry in Pakistan. Over the last two weeks, we found out that tens of thousands of debit card details of Pakistani consumers were being sold on the dark web and BankIslami lost over $6 million in a cyber-attack.
The incidents are huge news because firstly, it’s the largest ever sum lost in a cyber-attack of its kind in Pakistan and second, this is the first time a large cache of Pakistani debit card details has leaked online.
What’s made the situation even worse is the narrative, which has been all over the place.
Many banks have rushed to say their consumers are safe while the FIA chief issued a statement saying “almost all” banks were affected by a cyber attack. To add further confusion to the mix, the State Bank of Pakistan has rejected media reports and said only one bank suffered a data breach.
So who’s telling the truth? Let’s start with a timeline of events as they unfolded.
Timeline of the Events
October 26: Debit card details of around 9000 debit cards from 9 Pakistani banks are made available on the Dark Web.
October 27: BankIslami detects fraudulent transactions and shuts down its international payment systems.
October 29: ProPakistani breaks the news that BankIslami lost over $6 million in the largest ever security breach of its kind in Pakistan’s history.
October 29: BankIslami services aren’t fully restored more than 60 hours after the cyber attack.
October 29: Pakistani banks start (partially or completely depending on the bank) restricting online and international transactions.
October 31: A second batch of 11,000 debit card details from 22 Pakistani banks is uploaded to the Dark Web.
November 6: Mohammad Shoaib, Director of FIA’s cyber-crimes wing, states that data of almost all banks has been hacked.
November 7: State Bank of Pakistan rejects media reports and says only one bank suffered a data breach.
Piecing Together the Puzzle
Here are the possibilities as we see them:
Due to the sheer number of banks and the nature of the leak, the possibility of all bank systems being breached is very slim. This is the only big case of Pakistani debit card details being sold on the Dark Web over the last few months and the timing of the BankIslami hack suggests they are related.
A report by GroupIB, a global cyber-security firm, concludes the same.
Pakistani use their cards at shopping malls, fuel stations, restaurants and in many other places. Not all of these places have their card machines in public places in front of customers. It’s possible cards were cloned electronically or by taking pictures of both sides of the cards.
There have already been multiple cases of fake accounts being used to launder billions of rupees. According to a financial expert who wished to remain anonymous, it’s entirely possible that these 20,000 debit cards were used to launder money and the entire ‘data breach’ narrative was built to kill suspicion.
Analyzing the Root Cause
Regardless of how the data was leaked, security experts we’ve consulted are of the opinion that it’s not a difficult task to find out exactly what happened and where the fault lies.
Banks have the data on every touchpoint – the locations where a card is used, what is the usual spending pattern of each card and so on.
We know the details of the cards that were leaked and the banks have the entire history of when they were used and for what. So the fact that two weeks have passed and there is no plausible explanation suggests incompetence at the very least and subterfuge at worst.
The authorities, banks themselves and the SBP need to stop making empty statements and file a report identifying how the card numbers were leaked and what steps are being taken to make sure such incidents don’t happen again, not to mention holding the guilty parties responsible and taking action against them.
Until it’s found out exactly how the debit card details were leaked, the crisis is not over.
How Can Such Incidents be Eliminated?
These two services allow you to create a private code or password which needs to be entered when you conduct an online transaction. While SecureCode requires the password to be entered for each transaction, Verified by Visa only asks for it when it detects suspicious activity – such as a checkout from an unusual location or a very large transaction.
Enabling them is as simple as calling up your bank and asking for them to be turned on.
The result is that even if your card details are compromised, the hackers or skimmers can’t use the card since they don’t know your code. And since merchants can’t see the code either, there’s no risk of it being leaked from their systems.
This step alone can prevent most of the problems associated with security breaches involving card details.
Right now, they are opt-in but Pakistani banks need to ensure that these two services are turned on by default. It’s a bit of a hassle, yes, but customers end up safer and liability on part of the banks is decreased.
Note: While Verified by Visa and MasterCard SecureCode are used by millions of merchants across the world, not all merchants support them.