Media reports say that details of 1.3 million credit and debit cards, mostly belonging to customers of Indian banks, are up for sale on a darkweb marketplace called Joker’s Stash. The darknet or darkweb is parallel to the internet but provides users with anonymity, which is often exploited for criminal activities. Reports suggest this lot could fetch the cybercriminal as much as $130 million upon sale.
Hackers and fraudsters deploy a variety of techniques to obtain card data illegally. “They could hack into the information technology (IT) network and database. Sometimes the data gets leaked accidentally from controlled areas and falls into hackers’ hands. Cybercriminals also obtain details from customers themselves by luring them with promises of benefits or by threatening to stop the card. Such data is also obtained by installing skimming devices in automated teller machines (ATMs) and point-of-sale (PoS) machines,” says Bharat Panchal, chief risk officer, FIS, a Fortune 500 company and provider of banking and payments technology.
A notable aspect of this incident is the large number of cards being sold at one place. Udbhav Tiwari, public policy advisor, Mozilla Corporation, explains this as follows. “It is inconvenient for a single hacker or group to sell a few cards over the darknet. So, multiple groups of cybercriminals would have accumulated the data from a variety of sources over time. They would have sold their data to an aggregator, who has now put it up for sale.”
Once they have obtained the data, cybercriminals can use it to cause card owners immense financial harm. In India, a customer needs two-factor authentication to carry out internet transactions. Besides the password, the customer needs a one-time password (OTP), which is sent to their mobile phone. But the provision for two-factor authentication does not exist in most parts of the world, so stolen card details can be misused for transactions where no OTP is required.
In view of growing security risks, banks and card companies need to safeguard their systems against the risk of cyberattacks. They need to check their ATM and PoS machines regularly to ensure card-skimming devices are not installed on them. “Usage of best-in-class security tools, experienced people, and continuous monitoring of the IT environment can help reduce the risk of such attacks. High-level encryption of data and full compliance with protocols like PCI DSS and ISO 27001 can help enhance security,” says Panchal.
On their part, card users, too, need to be vigilant and observe security-related best practices. One, scan your credit card and bank statements at regular intervals. If you observe a transaction that you have not undertaken, call up your bank and get the card blocked. Two, if you don’t need to carry out international transactions, then switch off the international usage feature. You can do so via internet banking or by visiting your bank branch. Three, do not reveal card-related information like name, password, card number, OTP, etc. to anyone over the phone or in person.
While the Reserve Bank of India has mandated that customers should be shifted from magnetic strip cards to EMV chip-based cards, many customers may still be using plastic of the former type. “Customers who are still using magnetic strip credit cards should switch to chip-based cards to avoid card skimming at swipe terminals. Chip-based cards are more secure because they encrypt the information contained in the magnetic strip,” says Saurabh Sharma, senior security researcher (GReAT), Kaspersky (APAC).