Details of Over 69,000 Pakistani Bank Cards Worth $3.5 Million Leaked: Report

Group-IB, an international company that specializes in preventing cyberattacks, has discovered new databases with a total of 69,189 Pakistani bank cards that have shown up for sale on the dark web.

The total market value of the databases is estimated at nearly $3.5 million. According to Group-IB data, it is the second biggest sale of Pakistani bank cards in the past 6 months, which may indicate the activity of advanced financially motivated threat actors in the region.

96% of all card dumps, unauthorized digital copies of the information contained in the magnetic stripe of a payment card, were related to a single bank – Meezan Bank Ltd.

However, a Meezan Bank spokesperson said that following the last hack, which took place 6 months ago, the Bank had asked its customers to change their PIN numbers and added various other security measures.

The full statement is as follows:

We are aware of this rumor going around. All our security measures are in place and we have not experienced any unusual event.

 

Also, we have taken the following steps to safeguard our customers:

 

1. Customers are forced to change their PINs on ATM machine if they haven’t changed them in 6 months.

 

2. All Meezan ATMs are Chip Card enabled which protects against any skimming

 

3. Furthermore, Meezan Bank has introduced a unique and innovative SkimGuard service that protects high value transactions through real time OTP verification on ATM machine.

 

As you can see, we have various steps in place to ensure the safety and security of our customers and their data. While we are unable to verify the authenticity of the rumours at this point, we can confirm that our customers, their cards and their money is safe.

Double Trouble for Pakistani Banks?

Pakistani bank card details are rarely sold on underground cardshops. This and the fact that all the cards came on sale with PIN codes explains the high price of this latest card dump, which is 50 USD per card, while usually, the price per card on dark web forums ranges from 10 to 40 USD.

First set of dumps, titled «PAKISTAN-D+P-01», was up for sale on Jan. 24, 2019 and included 1,535 cards, 1,457 of which were issued by Meezan Bank Ltd. It is worth noting that this batch of cards was not announced on the forum.

The second database was put up on Joker’s Stash on January 30th. The «PAKISTAN-D+P-02» set, comprised of the details of 67,654 cards of Pakistani banks was significantly larger. The sellers marked the set as “high valid” and, unlike the first set, advertised the database on all major underground forums such as («Omerta», «Crdclub», «Enclave» etc.).

Dmitry Shestakov, Head of Group-IB сybercrime research unit, said:

The scale, volume, frequency and connection to one institution contributes to the theory that the leak might be involved in a larger incident, potentially an advanced actor gaining access to card systems within Pakistan.

This is a developing story and we will update it as more information becomes available


  • Mezaan, MCB, UBL, HBL have Chip Based Cards,
    while Faysal Banks have Magnetic Stripe,

    Even Meezan and HBL Cards are 3d Secure, so more secure…

    MCB Lite, UBL Wiz Cards are too Magnetic Stripe based Cards but no one use them ATM, but only for Online Shopping and are separate from Basic Bank A/C

    • The chip based cards have magnetic strips in them too for use with older machines. If they were chip alone then it would be better.

  • Meezan Bank statement is incorrect. My card was used thru skimming a few days back from vehari whereas I am in Lahore and I complained about it to bank. It seems to be part of this hack as I didn’t use my card on any atm for last many months.

  • I wonder if State Bank ever going to do anything about Meezan Bank and its lousy security?
    66,421 Meezan Bank customers have their debit cards up for sale at 50 bucks a pop and it seems like aside from some local tech blogs, no one cares?
    I really want to sue Meezan Bank but the problem is; I’m just a common, ‘mango man’ with minimal income. I can’t afford a legal battle with a commercial juggernaut.
    Anyhow, very disappointed in SBP, PTI and IK.

  • Guys plz use other options as alternative to avoid any headache such as Mobile banking, e.g
    Easypaisa
    Jzcash
    Etc.
    They also offers Bank like features with a secure setup.

  • There is no “official” statement from meezan bank on public forums. Pls share source/link to their statement


  • >