1.3 million Indian credit and debit card details put up for sale

Jokers-Stash-logo Logo of the 'Automated Vending Cart' website 'Joker's Stash'

In one of the largest-ever and most-valuable breaches of financial data, the details of 1.3 million credit and debit cards, largely belonging to Indians, has been put up on the underground website 'Joker's Stash'.

The breach was reported (but not yet verified) by Singapore-based security firm Group-IB, which said that over 18 per cent of the cards had come from a single bank. Many other banks were part of the mix, however, with over 98 per cent of details belonging to Indian banks and one per cent to Columbian banks.

The data reportedly contains Track 1 and Track 2 records—suggesting a combination of cards acquired through physical skimming techniques (ATM skimmers) and cards acquired through online skimmers known as 'Magecarts'.

With each dump selling for $100, the total value of the leaks is $130 million (6.76 lakh crore rupees), making it one of the largest-ever by value.

According to Group-IB's CEO Ilya Sachkov, card details from India are usually rare on underground markets. In addition, this is "the biggest card database encapsulated in a single file ever uploaded on underground markets at once."

Hackers or individuals who buy the data will likely be able to use it to clone the victim’s card and attempt an ATM transaction—or use the card details online to make purchases.

Indian banks have yet to issue a security warning to users which for now prevents affected users from knowing if their cards have been hacked. While the credibility of the dumps has yet to be verified, Joker's Stash has a long reputation of uploading genuine card dumps.

As a popular and reputed 'Automated Vending Cart' (AVC) site, Joker's Stash is a place for hackers to sell details en masse. Like with accessing the Dark Web, visiting Joker's Stash is not as simple as visiting the URL—the site is hosted on a blockchain network that requires the installation of a browser extension to visit.

The site was the host for the card details of 2.15 million Americans in February and for the leak of 5.3 million card details in August. According to ZD-Net, earlier dumps were done gradually, but this leak happened all at once—suggesting the hackers wanted to quickly sell their data before banks could intervene.

While there is no official advice on protecting your finances in case your card has been hacked, enabling Two Factor Authentication (TFA) for all purposes might limit attackers from making unauthorised transactions.

TFA makes all payments require the input of a One-Time Password (OTP) before completion. Normally, online purchases require this by default, but since 2016, the RBI eased TFA requirements for purchases up to Rs 2,000—meaning users could opt-out of TFA for purchases below Rs 2,000.

However, not even an OTP is the final protection—criminals could attempt to visit the bank and impersonate the user if they acquire a fake id of the same.

The Joker's Stash leaks comes a month after security firm Kaspersky identified a malware called ATMDTrack that targeted Indian banks with the aim of getting onboard ATM software.