It is believed that the data dump could have been obtained by skimming details from the magnetic stripe on the cards while bank users were using ATMs and point-of-sale machines.
Group-IB — a Singapore-based firm that specialises in detection and prevention of cyber attacks — said that, of the 1.3 million cards, 98% are believed to be from India. Total cards in circulation in India, including both debit and credit, stood at 971.7 million as of September 2019. The fraudsters selling the data claim that they have both track-1 and track-2 data, which can be used for online transactions or for cloning cards.
Researchers at Group-IB found card details being sold at $100 each, with the total value of the card database estimated at over $130 million. Ilya Sachkov, CEO and founder of Group-IB, said in a statement that they have alerted the authorities concerned.
“The cards from this region are very rare in underground markets. In the past 12 months, it is the only big sale of card dumps related to Indian banks. Group-IB’s Threat Intelligence customers have already been notified about the sale of this database. The information was also shared with proper authorities,” he said.
An official at industry body Data Security Council of India (DSCI) said, “Where India largely fails its customers is in not having data breach disclosure laws in place. In other countries in Europe and North America, banks and payment vendors are mandated by law to report to law enforcement, regulators and customers within 24 hours of a data breach. Here, affected customers can sometimes be the last people to know about their own bank accounts/cards getting compromised.”
Nitin Bhatnagar, head of industry body PCI-DSS (Payment Card Industry – Data Security Standard), said, “We are yet to ascertain the veracity of the information that is out there — the number of banks affected, etc. The regulators and banks are yet to confirm such a data breach. But if this breach has occurred, then it only reiterates that data security is not a one-time fix.”
While Group-IB has not shared the names or number of banks affected, it said more than 18% of compromised cards were issued by a single Indian bank. The diversity of banks involved suggests that the dump was not the result of one bank getting hacked but a wider security failure, said a report by ZDNet, which first reported the breach.
In September 2016, Indian banks faced a similar massive data breach, when 3.2 million debit cards got compromised after fraudsters exploited a vulnerability at Hitachi Payment Systems. In that breach, a dozen banks — including Yes Bank, ICICI Bank, SBI and others — saw their cards compromised and millions of cards were reissued.
Two years ago, the RBI had mandated that banks move from magnetic stripe to EMV-based chip cards. But banks are yet to fully comply with RBI’s requirement. The industry estimates that about 70% of cards in circulation today are EMV chip-based.
Earlier this year in February, 2.15 million Americans’ cards were dumped on the site. Bank customers feel that banks should be mandated to inform customers in the event of such a data breach. Customers on Twitter pointed out that, during the earlier 2016 debit card breach of 3.2 million cards, they were not informed by the banks till news reports emerged.