Banks in Pakistan were hit by a coordinated hacking attack late last month. Credit card details of thousands of customers were later put up for sale on the 'dark web'. Photo: iStock
Banks in Pakistan were hit by a coordinated hacking attack late last month. Credit card details of thousands of customers were later put up for sale on the 'dark web'. Photo: iStock

Banks in Pakistan have suffered a major coordinated cyber-attack, allegedly one of the biggest ever. A group of international hackers put a database of credit- and debit-card owners linked to 22 of the country’s commercial banks up for sale on the dark web.

The crime, late last month, left more than 20,000 bank customers exposed to potential financial losses.

The exact amount of total losses stemming from the attack is still being calculated. One report has said losses of at least $2.6 million, with at six banks suspending use of their debit cards internationally to avoid a run on deposits.

Many banks refused to discuss what occurred. Various agencies are busy figuring out what actually happened, while the country’s central bank is saying the magnitude of the cybercrime is less than what the media has reported.

A Threat Analysis Report compiled by Pakistan’s Computer Emergency Response Team (PakCERT) – a business concern in the services sector dealing in information security solutions – revealed that on October 26 a data dump was posted on the dark web with over 9,000 debit cards from as many as 22 banks operating in Pakistan for sale. The report revealed that just when everyone thought the storm was over, another dump of 12,000 cards was uploaded on October 31, including a further 11,000 cards from Pakistani banks.

“We are currently working with the SBP [State Bank of Pakistan] to assess the nature and quantum of damage caused to the banking sector of the country,” Qazi Muhammad Misbahuddin Ahmad, chief executive officer of pakCERT, said when asked about the reliability of the report posted on their website. He said no further updates on the attack would be shared publicly until the central bank completes its investigation.

The report showed that bank credit and debit cards were being sold for prices ranging from US$100 to $160. The country’s largest bank, Habib Bank Limited (HBL) was worst hit, with more than 8,000 cards up for sale on the dark web, followed by UBL, Standard Chartered Bank, MCB, and Meezan Bank with more than 1,000 cards each. Bank Alfalah, Bank Islami and Bank of Punjab were allegedly among those that saw more than 500 of their cards dumped on the dark web.

Dark web’s trade in illicit assets

Ahmad said the ‘dark web’ was part of the World Wide Web that allows users and website operators to keep their identity secret and untraceable. “Most of the underworld and criminal gangs use this web for trading in illicit assets. An ordinary visitor cannot access this part of the web without a special software, which provides the user a unique identification,” Ahmad revealed.

The State Bank of Pakistan posted a press release on their website which claimed that except for an incident on October 27 in which the IT security of one bank (Islami Bank) was compromised, no breach had been formally reported by other banks in the country.

The central bank said in the press release it was informed that some banks are putting further security measures in place, including partial restrictions, such as requiring customers to seek prior approval for use in cross-border transactions. And some banks had put a ban on transactions outside the country.

The SBP said it had engaged international payment operators and banks to monitor the current situation to ensure security of the banking system.

Banks disclosing few details

The country’s Federal Investigation Agency (FIA) shared the similar sentiments. Choudhry Abdul Rauf, an additional director of the FIA’s Cybercrime department, said: “So far only a few banks have reported cyber-related transgressions, so the agency is working to track down the gangs involved in these crimes,” Rauf said.

However, a week earlier, Capt. (Retd) Mohammad Shoaib, head of the FIA’s cybercrime department, was portraying quite a different picture of the situation. “According to investigation and reports compiled from the complaints from the public and banks, a group of swindlers based outside Pakistan compromised the data from almost all Pakistani banks. The cybercriminals breached the security systems of several local banks and managed to transfer a large amount of money from the people’s accounts,” he said.

Shoaib claimed that more than 100 cases were under investigation in which banks’ security has breached and data hacked. He said the hackers’ infiltration of commercial banks’ protected databases had underscored a need to improve the banks’ security systems.

Rauf added: “Two different types of things are happening simultaneously in the commercial banks. In addition to the cyber-attacks reported by a few banks, instances of Interbank Fund Transfer (IBFT) frauds are also on the rise.” Once inquiries had been completed, the whole event would be clarified.

Meanwhile, questions are being asked by the public while banks refuse to talk about the cyber-attacks. Complaints of unauthorized withdrawals from people’s accounts have been reported in print and on the internet on a daily basis. And some Pakistani banks sent messages to their clients informing them that online mobile banking services would be halted from November 3 onwards due to “technical reasons”.