Card-skimming In Pakistan Allows Stolen Data To Go On Sale On Dark Web

othiriondebriel's picture

On 27th October, Karachi-based BankIslami became the target of one of the most devastating cyber-attack in Pakistan. It admitted a security breach of its payment cards system but denied having lost an alleged amount of $6 million. Many reports state that the attack consisted of several suspicious Point of Sales transactions made at Target stores in Brazil and in the U.S. To restrain the attacks, the bank has decided to shut down its access to international payment networks.

On top of the direct monetary loss and the loss of business due to the stop of its international payment service, BankIslami brand reputation is suffering in the press compromising its corporate reputation and brand equity which undoubtedly hit their customers’ trust. The exact origin of the hack is not yet totally clear. It seems some magnet stripes of the payment cards have reportedly been skimmed and resold on the dark web. Those who buy those skimmed cards can therefore create exact duplicates of those cards and use them at Point of Sales, ATM but also to make online payments. Some reports also suggest that the internal payment card system of the bank has been hacked for the hackers to authorize those fraudulent transactions they are making.

This story shows multiple flaws. First of all, and it’s a very well-known problem, magnet stripe payment cards are not secured and easy to duplicate, as we can see here. Banks who have not made the decision yet to migrate to EMV cards must increase their security in order to decrease exposure. Implementing multi-factor authentication on the top of magnet stripe payment cards will provide stronger protecting to the users thanks to a push notification sent to the mobile banking app showing all the transaction information followed by simple approval of the transaction. HID Approve from HID Global is a mobile authentication token based on public key cryptography and OTP technology, leveraging push notification functionality for ease of use. The solution embeds mobile application security functionalities like rootkit detection, RASP, code obfuscation, and others for maximum security.

The breach of the bank’s internal payment card system demonstrates lack of security when accessing the system which could be overcome with multi-factor authentication deployed to protect employee’s accesses. On top of that, threat and fraud detection capabilities will allow to detect in real-time cyber-attacks and to investigate on the causes of the attack. The HID® Risk Management Solution from HID Global provides banks with risk-based advanced authentication based on threat and fraud detection capabilities (HID® RMS), an authentication and authorization platform (ActivID® Authentication Platform) and a suite of authentication hardware or software tokens. HID® Risk Management Solution uniquely embeds three different engines (behavioral biometrics, transaction anomaly detection and threat detection) to evaluate the risk in a more comprehensive and precise manner. It quantifies risk level with digital identity sensing technology, a unique set of device fingerprinting and user identification techniques. This makes the solution able to detect with a high level of accuracy a broad range of risks financial organisations are facing.

Banks need to reinforce their security before bad stories happen. It is much more difficult to recover from such attack than preventing this attack to happen.

For more information visit our website