The leak of 31,000 bank cards: Will customers lose money?

On November 7th, information from over 31,000 bank card transactions and more than 5 million emails allegedly belonging to Mobile World (TGDĐ) customers were shared online by the account erchowin. By November 8th, hackers continued to release information listing the full 16-digit credit card numbers of accounts supposedly belonging to TGDĐ customers.

Notably, the newly released list includes international payment cards (Visa, MasterCard, etc.) as well as records listing bank card numbers.

Following the incident, many people worried that their card information could be exploited by criminals to steal money. Mr. T. (a resident of Tan Binh District, Ho Chi Minh City) shared: “I often shop at The Gioi Dien Thoai (TGDĐ). When paying for purchases, I usually use my ATM card. So I wonder if my card has been hacked, and if there is any danger? Besides, when buying goods on installment, I have to provide related information such as my phone number, email, address… to the business. This makes me feel insecure.”

Customer credit card information, allegedly from The Gioi Dien Thoai (Mobile World), was shared on RaidForums on the evening of November 7th.

In particular, many users confirmed they had never shopped at TGDĐ, yet their email addresses were still included in the leaked list. Therefore, it is highly likely that the hackers collected emails from various sources, as this list contains many emails with company domains such as Asus, Acer, Bkav, etc.

During discussions, several bank leaders stated that even if hackers had all 16 digits on a card, they wouldn't be able to steal money from depositors. Only if all information about the card number, expiration date, and the three-digit security code on the back of the card (CVV code) were leaked could malicious actors carry out online transactions.

The deputy general director of a bank further explained: The CVV code is data that only the bank knows; a payment acceptance point (merchant) like The Gioi Dien Thoai (Mobile World) cannot have it. Therefore, even if hackers obtained this data from there, as they claimed, they could not have the CVV number.

On the other hand, the information the hackers have is not enough to steal money from users' accounts. However, the bank executive said they will wait for the assessment of the authorities before deciding whether or not to replace all credit cards for their customers.

According to banking expert Nguyen Tri Hieu, indirectly, it is possible. Hackers could use bank accounts to conduct online transactions using the information they've obtained. However, the fact that hackers have released information to the public, such as card numbers, doesn't necessarily mean they can steal money from customers' bank accounts. This is because credit and debit cards have multiple layers of security.

For example, hackers might claim to have obtained international card numbers like Visa, but without the three-digit PIN and security measures like 3D Secure that Visa requires to enhance payment security, there's no way they could steal the money.

"Even the ATM cards that Vietnamese customers use for online purchases or through POS systems, domestic banks apply multiple layers of security such as login names, PIN codes, OTPs, and on-demand authentication solutions. Therefore, I believe that customers whose information was leaked at TGDĐ will not lose money," Mr. Hieu affirmed.

Another banking expert suggested that Mobile World Group (TGDĐ) needs to handle this matter scientifically and transparently. They shouldn't explain the incident by "shifting the blame to the bank," as this would not be convincing enough to alleviate consumer concerns and could lead to uncontrollable risks.

Customers are worried that malicious actors might exploit the leaked information to steal money, while The Gioi Dien Dong (Mobile World) maintains that it did not leak any information.

To date, there is no information about serious risks to cardholders due to data breaches. However, representatives from several banks have stated that they have reviewed all data and analyzed related factors to determine if any risks exist. In the event of a potential risk, customers will be immediately alerted.

Mr. Le Minh Huan, Deputy General Director of Saigon Commercial Joint Stock Bank (SCB), said: Although Mobile World Group (TGDĐ) has confirmed that their information system is still secure, to protect their wallets and avoid potential risks, it is best for customers who have previously made transactions using their cards at TGDĐ to go to the bank to exchange their cards for new ones immediately.

“On SCB Bank's side, besides waiting for further verification from the authorities to determine whether the leaked data originated from The Gioi Dien Thoai (TGDĐ), we are continuously monitoring unusual transactions on the system using our information technology system and human observation. If we detect any unusual transactions, we will immediately call the customer to verify the transaction,” said the Deputy General Director of SCB Bank.

Some banking experts also advise that, for security reasons, users should change their personal email passwords; change their online banking transaction passwords; or temporarily freeze credit card transactions pending verification.