Credit card details of almost 70,000 cards including their PIN codes from Pakistan’s first and largest Islamic commercial bank, Meezan Bank, have reportedly shown up for sale on Joker’s Stash, an underground marketplace known for selling stolen credit card information.
According to a report by business technology publication, ZDNet, the cybercriminals have put up three large sets (or dumps) of payment cards on Joker’s Stash.
The information available for sale can be used to create cloned cards to withdraw money or make payments from these credit cards.
Out of the three dumps that ZDNet has reported about, two contain card details of Pakistani users. The report notes that the first set was published on January 24 and included 1,535 cards, with 1,457 from Meezan Bank, and the second was published on January 30, with the information of 67,654 cards, 96 percent of which are from Meezan Bank.
What’s interesting is that Meezan Bank, according to their website at least, does not offer any credit card so it is perhaps the information of debit cards that is being sold.
The information of Pakistani cards can be purchased for $50 per card, which according to a Russian cyber-security firm Group-IB that spoke with ZDNet, is higher than the regular price for such cards.
“Pakistani banks’ cards are rarely sold on underground cardshops. This, and the fact that all the cards came on sale with PIN codes explains the high price, which was kept at 50 USD per card, while usually, the price per card on dark web forums ranges from 10 to 40 USD,” the firm told ZDNet.
Meezan Bank, replying to a public post on Facebook said that they’re aware of the rumors and that they have not experienced any unusual event. The bank has not disclosed a data breach in recent times and is now claiming that they’re unable to verify the authenticity of these rumors at this point but can confirm that the data of their customers, their cards and the money is safe. For some reason, the bank did not announce this on their social media pages and shared it only a response to a Facebook public post in which they were tagged. Here’s complete text of their response.
We are aware of this rumor going around. All our security measures are in place and we have not experienced any unusual event.
Also, we have taken the following steps to safeguard our customers:
1. Customers are forced to change their PINs on ATM machine if they haven’t changed them in 6 months.
2. All Meezan ATMs are Chip Card enabled which protects against any skimming
3. Furthermore, Meezan Bank has introduced a unique and innovative SkimGuard service that protects high-value transactions through real-time OTP verification on ATM machine.
As you can see, we have various steps in place to ensure the safety and security of our customers and their data. While we are unable to verify the authenticity of the rumors at this point, we can confirm that our customers, their cards and the money is safe.
The bank is clearly claiming that there is nothing to worry about (which might very well be true) but if the information of these cards including the pin numbers actually ended up on Joker’s Stash and other underground marketplaces as claimed by ZDNet’s report and the Russian cyber-security firm, Meezan Bank should perhaps look into the matter and share a proper explanation with all their customers instead of rubbing it off as a “rumor”.