There is an online website on the darknet where around 13 lakh Indian credit and debit card details are available for open sale. These details are uploaded by the hackers on the darknet website. The details can fetch around $130 Million to hackers.

At some or the other point of our lives, we have come across the news of or either has been a victim to hacking or phishing attack on our bank accounts. Either you would have received a fake call about a problem with your bank account or you would have ended up clicking a wrong link on social media or through a text message, allowing hackers to enter in your mobile and seize vital information.

The Great Indian Online Heist

It is very common in India to have been victimized by cybercriminals. As per information from a Singapore based cybersecurity firm ‘Group-IBA’, it is found that details of about 1.3 million (13 lakh) credit and debit cards have been put out on sale on a darknet marketplace called Joker’s Stash.

What’s astonishing to know is that out of these 13 lakh cards, almost 98 per cent are from India. The company found the Indian cardholders’ listing on Joker’s Stash, advertised under the “INDIA-MIX-NEW-01” heading.

Group-IBA is an expert in identifying and detecting cyber-attacks and has claimed the figures to be true. While the security firm has not shared the names & numbers of banks affected. However, it has cautioned that over 18 % of the total compromised cards were issued by a single Indian bank.

The report further suggested that the looking at the diversity of banks involved, it can be said that the dump was not the result of one bank getting hacked but it is an issue of wider security failure.

According to ZDNet, the first firm to report the breach, Joker’s Stash is one of the oldest card shops on the dark web where hackers sell & dump card details.

How do these hackers get & use this information?

The card details are skimmed by the hackers either while the card-holders use it to withdraw money from ATMs and point of sale (POS) machines or they steal it by hacking into your mobile or computer device, where you’ve saved these details.  

The report by Group-IBA in this regard read, “Early data analysis suggests the card details may have been obtained via skimming devices, installed either on ATMs or point of sale (PoS) systems.”

The hackers, who are behind this heist, tell that they hold track-1 and track-2 data which is sufficient to steal the card details or clone a card to perform the transaction. Every single card details are priced at USD 100 each. Thus, with the details of 1.3 million cards, the hackers have an in-hand business of around 130 million US$.

The report further suggested, “The card dump includes Track 2 data which is usually found on a payment card’s magnetic stripe. The presence of this kind of data automatically rules out skimmers installed on websites (Magecart attacks), where Track 1 and Track 2 is never used.”

RBI’s Statement

In a conversation with India Today, an official spokesperson said: “They (RBI’s) Department of Banking Supervision has sent out this letter as whenever there are some incidents the RBI alerts the banks and sends them a cautionary note which is sent to all the scheduled commercial banks.”

As per official figures of Reserve Bank of India, in September 2019, total 971.7 million debit and credit cards are operating & used in India.

Experts Opinion

According to the CEO & Founder of Group-IBA, Ilya Sachkov, the card details from India are very rare in underground markets and described the stealing as the only big sale of card dumps related to Indian banks in the past 12 months.

Criminals who buy card dumps from Joker’s Stash typically use the data to clone legitimate cards and withdraw money from ATMs in so-called “cash outs.”

He further assured that the details have been shared with the relevant authorities. However as said by Nitin Bhatnagar, head of the ‘Global Standards Body’ of ‘Payment Card Industry’, the veracity of information with the hackers is yet to be ascertained.

Further, speaking of the deficiencies of the Indian Law System in this regard, an official from Data Security Council, India has underlined “Where India largely fails its customers is in not having data breach disclosure laws in place,” in a national publication.

The publication further read, “In other countries like European and North American, banks and payment vendors are mandated by law to report to the data breach to law enforcement, regulators and customers within 24 hours. However, In India, the customers at loss can sometimes be the last one to know about how his or her bank accounts/cards have been compromised.”

Not for the first time

Breaching of card details is very common. However, a large dump sale like this is one rare event and yet it is not happening for the first time with Indian Credit & Debit Cardholders. Three years ago, in September2016, more than 3.2 million (32 lakh) debit card details were exposed after hackers found a default in Hitachi’s Payment Systems.

India is not the only one to have been infected with this cybercrime. In February 2019, around 2.15 million Americans card details were out for sale on Joker’s Stash.

Apart from this, in August-2019, around 5.3 million card details were available on Joker’s Stash after they were procured from gas and convenience chain Hy-Vee’s customers.

Joker’s Stash

Joker Stash frequently provides card details on the darknet and is one of the oldest and biggest markets of debit & credit card dump sales. Over the past 5 years, it has grown to dominate the card details dump market. Until now the major breaches have been conducted at Target, Walmart, Saks Fifth Avenue, Lord & Taylor, and British Airways.