Hundreds of thousands of stolen Asian credit cards are being bought and sold in hacker marketplaces. Among the countries are the Philippines, Singapore, and Malaysia.
When it comes to security incidents, we often find ourselves reporting on ones that occur in North America, Australia, New Zealand, and Europe. In the last few incidents we reported, we saw a UK mobile carrier, a Canadian mobile carrier, and an American business.
You might be tempted to think that these issues predominantly happen in first world countries. In fact, some might be tempted to think they are exclusive to first world countries. For the latter, we know that is not the case, and this latest story certainly proves that security incidents aren’t exclusively a first world problem. In a report posted on Asian One, security researchers are seeing hundreds of thousands of stolen credit cards being bought and sold. The credit card owners are from 6 Asian countries. From the report:
The company said this week it had found a series of data breaches involving credit card details issued by top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia and Thailand.
“The results are alarming as it seems no one is aware that such a huge volume of payment card details – including the CVV and PIN – are available,” said CEO Nandakishore Harikumar, referring to the card verification value and personal identification number.
Anyone with access to those details could cause financial losses to the owner of the cards, he added.
Technisanct said its research found that credit card holders in the Philippines were the worst hit, with 172,828 cards breached, while Malaysia and Singapore had 37,145 and 25,290 cards breached respectively.
The article also suggests that this is one massive breach, but the details point to multiple breaches as the more likely source. For all we know, it could be a small business whose security was compromised, causing a handful of credit cards to be stolen. Then, those stolen credentials are just thrown onto the pile and placed on the dark web for whoever has the cash and guts to try and run up the card in question. What is interesting is the fact that some companies affected by some of these breaches have responded to the story:
CIMB Group Holdings – allegedly one of the affected banks – said it had “no credible evidence that any actionable customer data has been compromised from us”.
“CIMB takes data privacy and protection seriously and has taken the necessary security measures to ensure all customers’ personal information remain secured. We continuously monitor all avenues to ensure that our customer data remains protected where possible,” a spokesperson said.
This Week in Asia understands the CERTs of both Vietnam and Malaysia are investigating the matter.
Meanwhile, the Monetary Authority of Singapore said it was constantly monitoring cyber threats, including cyberattacks that may result in payment card fraud, as part of its surveillance.
“We note that security vendors have reported a rise in incidents of data theft internationally, including loss of card details from compromised e-commerce websites,” a spokesperson said, adding that it had strict requirements for financial institutions in Singapore to implement information technology controls to protect sensitive information from unauthorised disclosure.
“Card issuers have well established processes to handle credit cards whose details have been leaked. Card issuers have also put in place real time fraud monitoring to detect and block suspicious transactions promptly,” the MAS said.
In that excerpt alone, you see a whole range of responses. You have an example of a company that simply denies that anything is wrong. Then, you see another response that says that the company is openly investigating any reports of unauthorized activity.
One thing that is amusing in a sad way is the reaction of the researcher who says how “alarming” it is to see over a hundred thousand accounts being compromised. From what we’ve seen, 6 figures in compromised accounts is among the smaller pools of stolen data we see on a semi-regular basis. For us, we’re more used to numbers like millions of accounts being compromised or millions in fines being handed out. In fact, if the researchers are alarmed at a couple hundred thousand accounts floating around, they should ask the security researchers what it was like to uncover a 1.2 billion account trove on the dark web.
While this puts the numbers into perspective, that’s not to say the find isn’t significant. If anything, this shows that stolen credentials and compromised financial cards are an international problem not necessarily tied to one specific country or region. No one region, country, or company is immune to this sort of thing. The best case scenario is minimizing the chances of having customers exposed to these sorts of things. The sooner that countries and companies can admit that security incidents are a problem, the sooner coordination can happen and solutions can be looked at.
Drew Wilson on Twitter: @icecube85 and Facebook.