31,000 bank cards leaked: Will customers lose money?

On November 7, information of more than 31,000 bank card transactions and more than 5 million emails believed to be of Mobile World (TGDĐ) customers were shared on the Internet by the account erchowin. On November 8, hackers continued to post information listing the full 16-digit credit card numbers of accounts believed to be of TGDĐ customers.

Notably, the newly posted list includes international payment cards (Visa, MasterCard...) as well as a record listing bank card numbers.

Before the above event, many people were worried that their card information would be exploited by bad guys and their money would be stolen. Mr. T. (living in Tan Binh District, Ho Chi Minh City) shared: “I often shop at TGDĐ. When paying for purchases, I often swipe my ATM card. So I wonder if my card has been hacked, is there any danger? Besides, when buying goods on installment, I have to provide related information such as phone number, email, address... to the business. This makes me feel insecure.”

Customer credit card information believed to be from Mobile World was shared on the evening of November 7 on RaidForums.

In particular, many users confirmed that they had never shopped at TGDĐ but their emails were still on the leaked list. Therefore, it is very likely that hackers collected emails from many different sources, because in this list there are many emails with company domain names such as Asus, Acer, Bkav...

Through discussions, some bank leaders said that even if hackers had all 16 digits on the card, they would not be able to take the depositor's money. Only in the case of revealing all information about the card number, expiration date, three secret numbers on the back of the card (CVV code)... can bad guys make online transactions.

The deputy general director of a bank further explained: The CVV code is data that only the bank knows, but a payment acceptance point (merchant) like TGDĐ cannot have it. Therefore, if this data was taken from here by hackers as they claimed, there would be no CVV number.

On the other hand, the information that hackers have in their hands is not enough to take money from users' accounts. However, the leader of this bank said that he will wait for the assessment of the authorities to decide whether to replace all credit cards for his customers or not.

According to banking expert Nguyen Tri Hieu, indirectly, it is possible. Because hackers can use bank accounts to make online transactions from the exploited information. However, with the information that hackers have released to the public, such as having card numbers, it does not mean that hackers can take money from customers' bank accounts. The reason is that credit or debit cards have many layers of security.

For example, hackers claim to have obtained international card numbers such as Visa, but without the three-digit encryption code and solutions such as 3D Secure that Visa cards require to enhance security for safe payments, there is no way to get the money.

“Even for ATM cards that Vietnamese customers use to make online purchases or through POS systems, domestic banks also apply multiple layers of security such as login names, PIN codes, OTPs and authentication solutions as required. Therefore, I believe that customers whose information was leaked at Mobile World will not lose money,” Mr. Hieu affirmed.

Another banking expert said that TGDĐ needs to resolve this incident scientifically and transparently. It should not explain this incident by “pushing the responsibility to the bank”, as this will not be convincing enough to dispel all concerns for consumers and may lead to uncontrollable risks.

Customers are worried that bad guys will take advantage of leaked information to steal money, while Mobile World claims that it did not disclose any information.

Up to now, there has been no information about dangerous risks to cardholders due to information disclosure. However, representatives of some banks said that they have reviewed all data as well as analyzed related factors to determine whether there is a risk or not. In case of risk, customers will be warned immediately.

Mr. Le Minh Huan - Deputy General Director of Saigon Commercial Joint Stock Bank (SCB), said: Although TGDĐ has confirmed that their information system is still safe, to ensure the safety of their wallets and to avoid possible risks, it is best for customers who have made card transactions at TGDĐ to go to the bank to exchange for a new card immediately.

“On SCB’s side, in addition to waiting for re-verification from the authorities to determine whether the leaked data originated from TGDĐ or not, we continuously observe unusual transactions on the system thanks to the information technology system and human observation. If we see any unusual transactions, we will immediately call the customer to verify the transaction” - SCB’s Deputy General Director said.

Some banking experts also recommend: To ensure safety, it is best for users to change their personal email password; change their online banking transaction password or temporarily freeze credit card transactions pending verification.