Indian Banks Review Leak After Details Of 1.3 Million Cards Surface On Dark Web 

RBI advised banks to disable cards whose details were stolen.

 (Photographer: Daniel Acker/Bloomberg)

Indian banks have begun reviewing stolen card data that was recently leaked on the dark web for sale, multiple people in direct knowledge of the matter said.

The Reserve Bank of India had sent instructions to the banks after the leak was reported on Oct. 29, the people said on the condition of anonymity as details are not public yet.

In its advisory, the Cyber Security and Information Technology Examination Cell of the RBI advised banks to verify the leaked details, disable existing cards and issue replacements. The cyberpolice are also investigating the origin of the leak.

Details of more than 1.3 million cards issued by Indian banks were put on a website called Joker Stash, a notorious marketplace on the dark web for cybercriminals to buy and sell card details. Uploaded information called “card dumps” can lead to cloning of credit or debit cards, allowing hackers to withdraw money from automated teller machines anywhere in the world.

Technology website ZDNet first reported the leak hours after security researchers at the Singapore-based Group-IB detected it.

According to the report, the card details were being sold at $100 each, valuing the entire tranche at $130 million. Dilip Asbe, managing director and chief executive officer of National Payments Corporation of India, told BloombergQuint that the card details are no longer available on Joker Stash.

The NPCI, which manages the National Automated Clearing House for processing card payments, called a meeting with all public and private banks on Oct. 31 to review the developments and find ways to counter any potential breach, a senior banker told BloombergQuint on the condition of anonymity.

Two senior officers with Maharashtra cyberpolice said investigations are at a preliminary stage and it’s too early to share any details.

The ‘card dump’ includes the Track2 details of credit and debit cards, which is essentially the information stored on the magnetic stripe of the card. Older cards have all the information stored within the magnetic stripe, while the latest technology segregates the data between the magnetic stripe and the EMV chip.

“Now that the card details are out in the public, banks should be proactive and immediately deactivate all these cards, and then issue new cards,” Prashant Mali, advocate and cyber lawyer, said. “Since the leaked details have the serial numbers, it is fairly easy for the banks to swiftly block these cards from usage.”

The RBI has asked banks to keep the Computer Emergency Response Team in New Delhi updated about the steps they are taking. It also advised banks to take proactive measures to guard against such misuses, including sensitising customers on the best way to use their cards in a secure manner.

Akshay Garkel, partner at Grant Thornton India LLP, told BloombergQuint the data could have been obtained by skimming card details when bank customers used cards at ATMs and point-of-sales machines.

“The database contains only credit and debit card Track2 dumps while its name suggests that it holds both Track 1 and Track 2 records,” Garkel said after he reviewed various sources of information that have emerged since the data leak. “Track 2 dumps can be used to produce cloned cards for further cashing out. About 18 percent of the records come from one particular Indian bank.”

This is the second major breach of card details of Indian customers in three years. In October 2016, information of around 32 lakh credit and debit cards was stolen by hackers after malware was installed in State Bank of India’s ATM network.