Pakistan reports card-skimming, but says no mass bank data breach

KARACHI/ISLAMABAD (Reuters) - Pakistan’s central bank rushed on Tuesday to reassure investors and consumers that its banking system had not been hacked after a mass skimming operation hit customers’ credit and debit cards.

The skimming took details of nearly 20,000 debit and credit cards from 22 Pakistani banks, according to the Pakistan Computer Emergency Response Team (PakCERT), a monitoring group.

It was not immediately clear how much money was stolen using the cards, beyond an initial report of about $20,000.

The State Bank of Pakistan (SBP) said on Tuesday it had already instructed all banks to increase their scrutiny after one lender reported the problem last week, but stressed that the banks themselves were not hacked.

“It has been noted with concern news items reporting that the data of most banks has been hacked. SBP categorically rejects such reports,” a statement from the central bank said.

Earlier, Mohammad Shoaib, head of the Federal Investigation Agency’s cyber-crime unit, told two television stations that “almost all” banks had been hit by hacking and a “large amount of money” had been stolen, though he gave few details.

PakCERT said in a threat report that BankIslami first noticed unusual transactions of 2.6 million rupees (about $20,000) on Oct. 27 and temporarily shut down its international payments system.

“Subsequently, several other banks issued security alerts and either completely blocked customers’ debit and credit cards or blocked their online and international use,” PakCert said in its report.

BankIslami, in a statement, confirmed that it had shut down its international and online payments systems and notified the central bank. It said the initial illicitly withdrawn 2.6 million rupees had been returned to customers’ accounts.

PakCERT said that details of the cards were posted on the dark net, an area of the Internet only accessible via special web browsers that ensure anonymity.

Dark net users could then access the cards to make online purchases but it was not clear how much money in total had actually been stolen.

Reporting by Syed Raza Hassan and Asif Shahzad Writing by Kay Johnson; Editing by Mark Heinrich