Lessons to Learn From the Great Pakistani Bank Hack That “Never Happened”

Dark web forums recently received a fresh dump of Pakistani debit and credit cards. By November 2nd, at least six banks in Pakistan had stopped all international card purchases and disabled the ability for customer debit cards to be used outside the nation’s borders.

The theft was initially discovered by Russian fraud prevention and computer forensics firm Group-IB. Initial comments from the Pakistani government suggested broad infiltration of the banks; however, the nation’s central bank later stated that what had occurred to the bank accounts was “skimming” and that no hacking had actually taken place.

Mohammad Shoaib, Director of the Federal Investigation Agency’s cyber crimes unit in Pakistan, announced that nearly all user data from major Pakistani banks were taken. “[D]ata from almost all Pakistani banks has been reportedly hacked,” he said.

Rs. 2.6 million had been taken from accounts at the Bank Islami when it was pummeled with the largest cyber attack in Pakistani history on October 28. The first people to notice the hack may have been the customers themselves as some of them reported to the bank that their cards had been fraudulently used for purchases in other nations. A hacking ring was thought to have breached the BankIslami and stolen the account information.

Incredibly, Shoaib told Pakistani news outlet that the deluge of attacks included more than 100 reported incidents. The institutions that were breached included 22 banks, with more than 20,000 user accounts compromised.

Shoaib noted that the attacks were currently being investigated and that a few suspects had been arrested already, some of them connected to global crime rings. But the amount stolen from the Islamic bank is not as shocking as it may first seem; 2.6 million PKR was equivalent – on November 13, 2018 – to under 20,000 USD.

Also, BankIslami has returned the money that was lost by account hackers.

That same day, the State Bank of Pakistan surely raised many eyebrows around the world by announcing that the banks had not been hacked as previously reported. The central bank said that it “categorically rejects” previous reports that the banks had been hacked. This statement is certainly confusing given the fact that the central bank is refuting previous statements that came directly from the government.

Key lessons from this incident are to implement robust cybersecurity defenses and to consider the benefits of managed services such as cloud computing solutions.

Implement Robust Defense

Shoaib noted that each bank ultimately had a responsibility to protect customer data. Whether the second announcement was accurate or not, a few of the most important protections that should be implemented at the banks include the following:

  • Education – Banks ought to make efforts on an emergency and continuing basis to reach out to their clients and educate them not to disclose their PIN or other personal information to anyone, even if someone calls from a bank.
  • Multi-Factor Authentication (MFA) – MFA is the addition of an extra authentication layer, a layer that can be handled by the bank, to ensure users with the appropriate permissions are accessing information. The additional authentication step could be something bank customers have (such as a phone or ATM card), are (e.g., a voiceprint, fingerprint, or other biometric feature), or know (e.g., a PIN or password) or a simple text message to the customers mobile phone.
  • Firewall – Your firewall approach should include device health monitoring, log oversight, ingress and egress controls, and extensive security mechanisms to include intrusion detection and prevention. Instituting a firewall is important, but it is more important that the apparatus is configured properly.
  • Malware Protection – Banks must guard against malware, particularly given the insider threat due to social engineering and the delivery of ransomware via phishing emails (in which sites are mimicked to steal login information).
  • End-to-end encryption – All data you transfer between bank locations and that is filed away in storage should be encrypted using the highest security standards that are advocated and used by federal agencies.
  • DDoS and edge protection – A robust edge protection service that includes defenses against distributed denial of service (DDoS) and distributed reflection denial of service (DRDoS) attacks is necessary for an era when these attacks are becoming increasingly complex, especially as they’re integrated with AI.
  • CDP (continuous data protection) backup – While onsite and offsite data backup will not protect you from hacking, it is a good practice that does protect you from ransomware scenarios. This form of backup, which sidesteps the complexities of the file system and reads straight from the disk at the block level, can also be managed by an MSP.

Get Help as Needed

One of the main concerns initially mentioned by Shoaib was lack of proper updates, which becomes automatic when entrusted to a cloud provider. While security used to be viewed as the biggest weakness of cloud, the distributing computing method is now appreciated as a way to improve data protection, with seamless updates and continual security monitoring. Cloud solutions to improve data protection include cloud security platforms and private cloud infrastructure, but public cloud infrastructure also has security advantages over many on-premise data centers simply due to security experts.

Cybersecurity is incredibly important to keeping records private in an increasingly digital world. As time has passed, rather than simplifying, computing security has only become more challenging. Implementing technologies and practices internally is one option to maintain strong protections. You can also access compliant and secure solutions by contracting with outside MSPs as needed, whether for cloud services or otherwise.

About the Author

Moazzam Adnan Raja is the Vice President of Marketing at Atlantic.Net. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.


  • shaitan

    This
    has nothing to do with cloud computing. Half the article is irrelevant
    to the topic. Skimming devices were installed on ATM machines and that’s
    how these people got the card numbers. In the past they would have been
    forced to monetize this knowledge locally i.e. attempt to withdraw from
    these accounts here in Pakistan. But now with bitcoin and other
    cryptocurrencies you can monetize this knowledge by selling it to
    foreigners. That’s all that has changed.

    GTK that atlantic dotnet has a Pakistani in its ranks but this is article is spam and no more.

    • Taha Najam

      My MCB lite card had never been inserted into an ATM machine, or even used for any local transactions. The only thing that was used for, was to retrieve my freelance gig revenue from abroad. And yet it got hacked, locally, with transfusions done in multiples of 100. This is clearly more than just skimming.