MUMBAI: The Reserve Bank of India (RBI) has asked banks to secure their customer card data after a website reported that nearly 1.3 million debit and credit card data of Indian banks are on sale on the dark web potentially causing losses of millions of dollars.
In an alert dated October 29, The Cyber Security & Information Technology Examination (CSITE) cell which is a part of the Department of Banking Supervision, the central bank asked banks to perform a preliminary analysis of the disclosed card information to verify the correctness and genuineness of the data. ET has accessed the letter from the RBI. The letter was addressed to the compliance division of banks.
“On finding leaked data to be correct and genuine, disable and re-issue the credit and debit cards as per the bank’s policy. Monito credit/debit transaction for the detection of frauds and misuses. Sensitise customers to use credit/debit cards in a secured manner in all modes of transactions line online, point of sale etc,” the RBI said.
On Tuesday, technology news website ZDNet reported that more than 1.3 million payment card details have been put up for sale on Joker's Stash, in what it described was the internet's largest carding shop. The data included uploads contains data primarily from Indian cardholders, the website said citing security researchers at Group-IB.
Group-IB said the cards are being sold at a top-tier price of $100/card, putting the hackers on a trajectory of making more than $130 million from their latest haul.
RBI said that banks must take proactive measures to identify and guard against such misuse of customer credentials. The central bank also has to be informed of the steps that banks have taken.
However, bankers said that this notice is a routine one from the RBI and should not be alarming for customers. “The RBI routinely sends such alerts. Specifically, to this issue it can never be certain as to how much data has been leaked. But in the Indian context most of our cards are two factor authenticated so its difficult to cause any harm to customer. I don’t think that it should an issue,” said a banker who has received this RBI notice.
The leaked data includes Track 2 data, usually found on a payment card's magnetic stripe that could have been obtained via skimming devices, installed either on ATMs or PoS systems. The cards are from multiple banks though it could not be ascertained which banks have been hit.
“99% of the cards are now based on chip and pin based system which are difficult to clone. There may be still some magnetic strip based cards in use but that number is very small. I don’t think this should be such a big issue,” said another banker involved in cyber security.
Source: economictimes.indiatimes.com