Credit, debit card data of 4.6 lakh Indians up for sale on dark web
THE DATA INCLUDES SENSITIVE DETAILS – EXPIRATION DATES, CVV/ CVC CODES, NAMES, AND EVEN EMAIL IDS
NEW DELHI: Credit and debit card details of nearly half a million Indians have been put up for sale on an underground website that is a popular resource for financial fraud, according to cybersecurity researchers who say the leak is the most serious in at least the last 12 months.
The data, put up for sale on Joker’s Stash, includes sensitive level of detail – expiration dates, CVV/CVC codes, cardholders’ names, and even email addresses in some cases – in addition to the 14-16 digit card numbers, according to Group IB, a Singaporebased cybersecurity firm.
These can together be used for carrying out financial transactions online without the need for any other method of authentication.
“This is the second major leak of cards relating to Indian banks detected by Group-IB threat intelligence team in the past several months... In the current case, we are dealing with so-called fullz — they have info on card number, expiration date, CVV/CVC, cardholder name as well as some extra personal info,” said Dmitry Shestakov, the head of Group-IB ybercrime research unit, in an email to HT.
Each of the 461,976 cards’ details was being sold for $9, bringing the total value of the data leak at $4.2 million. “Such type of data is likely to have been compromised online,” he added.
According to the Reserve Bank of India’s 2018-19 annual report, there were 1,866 instances of frauds through cards and internet banking. An average of ₹20 lakh was stolen per fraud, the RBI’s data said.
Indian cybersecurity officials have alerted the Reserve Bank of India (RBI) and all Indian banks that such data was being sold on the dark web, a senior official in a department handling cybersecurity said, asking not to be named. “We do not know how many of these cards are active,” the official said, adding that many could be old or inactive cards.
“Once RBI and banks inform us of the nature of the data being sold, investigations on how the information was accessed can be more targeted and specific,” a second senior official, also in a cybersecurity department, said.
Group IB found a similar card data dump in October, but, the organisation’s representatives added, that information was limited to data contained in a card’s magnetic strip. Usually, most payment gateways across the world require additional details such as CVV and expiration dates to authenticate a transaction – information that may not have been available in the leak reported in October. The first included a much larger number of cards (1.3 million), but the listing was soon taken offline.
“As of Friday evening, 407 card details had been bought by someone,” Shestakov said, referring to the new data leak. “The data contained in the current database enables fraudsters to make any purchases online. In a basic scenario, criminals purchase luxury goods and then resell them,” he explained.