[BreachExchange] Pakistan Says Hit By Card-Skimming But Denies Mass Bank Data Breach

[Destry Winant]

https://www.ndtv.com/world-news/pakistan-says-hit-by-card-skimming-but-denies-mass-bank-data-breach-1943892

KARACHI/ISLAMABAD: Pakistan's central bank rushed on Tuesday to
reassure investors and consumers that its banking system had not been
hacked after a mass skimming operation hit customers' credit and debit
cards.

The skimming took details of nearly 20,000 debit and credit cards from
22 Pakistani banks, according to the Pakistan Computer Emergency
Response Team (PakCERT), a monitoring group.

It was not immediately clear how much money was stolen using the
cards, beyond an initial report of about $20,000.

The State Bank of Pakistan (SBP) said on Tuesday it had already
instructed all banks to increase their scrutiny after one lender
reported the problem last week, but stressed that the banks themselves
were not hacked.

"It has been noted with concern news items reporting that the data of
most banks has been hacked. SBP categorically rejects such reports," a
statement from the central bank said.

Earlier, Mohammad Shoaib, head of the Federal Investigation Agency's
cyber-crime unit, told two television stations that "almost all" banks
had been hit by hacking and a "large amount of money" had been stolen,
though he gave few details.

PakCERT said in a threat report that BankIslami first noticed unusual
transactions of 2.6 million rupees (about $20,000) on Oct. 27 and
temporarily shut down its international payments system.

"Subsequently, several other banks issued security alerts and either
completely blocked customers' debit and credit cards or blocked their
online and international use," PakCert said in its report.

BankIslami, in a statement, confirmed that it had shut down its
international and online payments systems and notified the central
bank. It said the initial illicitly withdrawn 2.6 million rupees had
been returned to customers' accounts.

PakCERT said that details of the cards were posted on the dark net, an
area of the Internet only accessible via special web browsers that
ensure anonymity.

COMMENT

Dark net users could then access the cards to make online purchases
but it was not clear how much money in total had actually been stolen.