There’s More to the Debit Card Hack Than Just a Data Breach [Analysis]

“A mess” sums up the last couple of weeks for the banking industry in Pakistan. Over the last two weeks, we found out that tens of thousands of debit card details of Pakistani consumers were being sold on the dark web and BankIslami lost over $6 million in a cyber-attack.

The incidents are huge news because firstly, it’s the largest ever sum lost in a cyber-attack of its kind in Pakistan and second, this is the first time a large cache of Pakistani debit card details has leaked online.

What’s made the situation even worse is the narrative, which has been all over the place.

Many banks have rushed to say their consumers are safe while the FIA chief issued a statement saying “almost all” banks were affected by a cyber attack. To add further confusion to the mix, the State Bank of Pakistan has rejected media reports and said only one bank suffered a data breach.

So who’s telling the truth? Let’s start with a timeline of events as they unfolded.

Timeline of the Events

October 26: Debit card details of around 9000 debit cards from 9 Pakistani banks are made available on the Dark Web.

October 27: BankIslami detects fraudulent transactions and shuts down its international payment systems.

October 29: ProPakistani breaks the news that BankIslami lost over $6 million in the largest ever security breach of its kind in Pakistan’s history.

October 29: BankIslami services aren’t fully restored more than 60 hours after the cyber attack.

October 29: Pakistani banks start (partially or completely depending on the bank) restricting online and international transactions.

October 31: A second batch of 11,000 debit card details from 22 Pakistani banks is uploaded to the Dark Web.

November 6: Mohammad Shoaib, Director of FIA’s cyber-crimes wing, states that data of almost all banks has been hacked.

November 7: State Bank of Pakistan rejects media reports and says only one bank suffered a data breach.

Piecing Together the Puzzle

Here are the possibilities as we see them:

Data Breach:

Due to the sheer number of banks and the nature of the leak, the possibility of all bank systems being breached is very slim. This is the only big case of Pakistani debit card details being sold on the Dark Web over the last few months and the timing of the BankIslami hack suggests they are related.

A report by GroupIB, a global cyber-security firm, concludes the same.

Social Engineering: 

Pakistani use their cards at shopping malls, fuel stations, restaurants and in many other places. Not all of these places have their card machines in public places in front of customers. It’s possible cards were cloned electronically or by taking pictures of both sides of the cards.

Inside Job:

There have already been multiple cases of fake accounts being used to launder billions of rupees. According to a financial expert who wished to remain anonymous, it’s entirely possible that these 20,000 debit cards were used to launder money and the entire ‘data breach’ narrative was built to kill suspicion.

Analyzing the Root Cause

Regardless of how the data was leaked, security experts we’ve consulted are of the opinion that it’s not a difficult task to find out exactly what happened and where the fault lies.

Banks have the data on every touchpoint – the locations where a card is used, what is the usual spending pattern of each card and so on.

We know the details of the cards that were leaked and the banks have the entire history of when they were used and for what. So the fact that two weeks have passed and there is no plausible explanation suggests incompetence at the very least and subterfuge at worst.

The authorities, banks themselves and the SBP need to stop making empty statements and file a report identifying how the card numbers were leaked and what steps are being taken to make sure such incidents don’t happen again, not to mention holding the guilty parties responsible and taking action against them.

Until it’s found out exactly how the debit card details were leaked, the crisis is not over.

How Can Such Incidents be Eliminated?

One of the simplest ways to beef up security is to use ‘Verified by Visa’ and Mastercard’s SecureCode, which add an additional layer of security to online transactions.

These two services allow you to create a private code or password which needs to be entered when you conduct an online transaction. While SecureCode requires the password to be entered for each transaction, Verified by Visa only asks for it when it detects suspicious activity – such as a checkout from an unusual location or a very large transaction.

Enabling them is as simple as calling up your bank and asking for them to be turned on.

The result is that even if your card details are compromised, the hackers or skimmers can’t use the card since they don’t know your code. And since merchants can’t see the code either, there’s no risk of it being leaked from their systems.

This step alone can prevent most of the problems associated with security breaches involving card details.

Right now, they are opt-in but Pakistani banks need to ensure that these two services are turned on by default. It’s a bit of a hassle, yes, but customers end up safer and liability on part of the banks is decreased.

Note: While Verified by Visa and MasterCard SecureCode are used by millions of merchants across the world, not all merchants support them. 

Talal is a Director at ProPakistani. Reach out at [email protected]


  • Jabbar

    It should be noted that Verified by Visa and Mastercard 3D Secure is not enabled on all websites/merchants. So the Cards can still be used on non-VBV/3D Secure merchant sites.

    • Syed Talal

      Correct, I’ve added that to the article.

    • yasir ali

      Yes Correct! I even used HBL debit card on GoDaddy website and it does not asked for external code and payment been done, whilst HBL has 3D Secure enabled. Banks need to make it secure for all types of websites.

      • even it is happening on Alfalah, while using ali express

  • hehehehehehe

    which dark web site is selling the data

  • abobobilly

    While this incident highlights the grave security loopholes in Pakistani banks, I can say with utmost certainty that this was an inside job. This was engineered to benefit the current parties being investigated under money laundering and i’m reasonably certain that either Zardari Company or Shareefs Company is the beneficiary

    • Leo

      Do you have any proof of what you are saying or are you just following the steps of our current Info Minister !!!

      • abobobilly

        Bring me proof of Benazir Butto’s assassins. You can’t. State level affairs rarely have proofs.
        It doesn’t take a genius to figure out the beneficiaries if you notice the timings of the incidents.
        About the recent incidents where people were destroying public property, I KNOW these are PML-N goons. How can i say this? Well, may i direct your attention towards Mr Gullu Butt of model town incident? EXACTLY the same thing was repeated there.

        Start thinking out of the box. I’m sure movies, novels and conspiracy theories have taught you enough. Everyone just loves to tag such theories/concepts as BS, but remember that all it takes, is an idea to execute whatever evil/good plan someone might have.

  • Az

    there are many ways to make online transactions more secure. 2 factor authentication, like pin generation and verification on each transaction, RSA authentication key, that changes every 2 minutes, USB keys for online transactions, Plus enabling and disabling online transactions for time duration is also good way to secure transactions. banks should equip themselves with these tools and allow users to make online transactions locally or internationally. The solution is not to disable the services but to beef up security measures internally and facilitate the actual customers

    • abobobilly

      Could it be that the security was intentionally kept weak, to encourage such incidents? Or could it be that security was sabotaged to make way of such incidents?
      I mean, if you think about it … if ‘benaami accounts’ can be opened in our banks with successful operation in years … this is not really a far fetched thing. All it takes is to pay some good hacker group a large sum of money and it’s done, money which these corrupt people have too much of.

      • Az

        I dont think so. banks are normally very conservative about spending money. I think the main reason is lack of interest in spending money on Cyber security and lack of knowledge regarding its importance.

  • Shehzad_6

    I seriously disagree that it started from or happened on 27 Oct.
    I and at least 100 other a/c holders of a single Meezan bank branch lost money in dollars on 17 Oct. The total number of Meezan card cards hacked nationwide is in thousands as disclosed by one of bank employee.
    As of now, I haven’t got my money back though been issued a new card.

    • abobobilly

      I’m really sorry to hear that.
      What’s the stance of the bank? Are they showing any willingness to return the money to your account?

      • Shehzad_6

        Yes, they said they will. They got a claim form signed by me and said that it might take 45 working days to credit the lost amount.