Pakistan’s central bank has sought to quash reports that the country’s lenders have been hacked en masse, following an apparent coordinated skimming campaign.
Mohammad Shoaib, head of the Federal Investigation Agency’s cyber-crime unit, apparently told two TV stations that “almost all” banks had been hacked, with a “large amount of money” stolen.
However, the State Bank of Pakistan (SBP) tweeted yesterday that it “categorically rejects reports of banks' data being hacked.” It added later that “no #bank or law enforcement agency has provided any evidence/info about #databreach to #SBP as yet.”
It ‘clarified’ that just one bank had been hacked, although it's unclear which lender this was.
BankIslami temporarily shut down its international and online payments system on October 27 after noticing unusual transactions of 2.6 million rupees ($20,000), according to a PakCERT report seen by Reuters.
“Subsequently, several other banks issued security alerts and either completely blocked customers’ debit and credit cards or blocked their online and international use,” the report continued.
The activity was apparently related to a skimming operation that harvested the details of 20,000 debit and credit cards from 22 Pakistani banks; the details were subsequently put up for sale on the dark web.
It appears they were then used to carry out the fraudulent online transactions, which were eventually spotted by the lenders. A small number of foreign cards were also caught in the data dump, presumably those which had been used by visitors at the affected skimming ATMs or merchant terminals.
It’s not just banks in Pakistan that are being targeted with ever-greater frequency. US financial services firms suffered three times more data breaches in the first six months of 2018 than during the same period in 2016, according to Bitglass.
Verizon’s latest Data Breach Investigations Report also warned of the growing threat from ATM skimming and jackpotting.