Data of 2.7 million customers has been exposed

Nov 16, 2014 00:09 GMT
Customers are to be reimbursed in case of fraud resulting from the recent attack

A cyber-attack on the computer systems of the HSBC Bank in Turkey has compromised card information of customers, but officials say that the intruders cannot use the data for fraudulent transactions.

Detected in the past week through internal verification mechanisms, the incident exposed card data consisting of the number, expiry date and owner's name. The account numbers associated with the cards have also been compromised.

Attackers have useless financial information

In a FAQ explaining the details of the breach, the bank says that despite the fact that the attacker(s) managed to access this information, there is no risk of card fraud, either through cloning the cards or through online transactions.

Printing fake cards and withdrawing money from ATMs or using them at retail shops is not possible simply because there is insufficient data (magnetic strip information and PIN code are not available) to pull off this type of fraud.

In the case of online shopping, which requires less information from the customer, the bank does not clearly state why fraudulent transactions cannot be carried out, but one reason is the absence of the card security code (CVV) from the list of compromised information.

A CVV (Card Verification Value), or CVC (Card Verification Code), usually consists of the last three digits printed on the back of the card. Some banks issue a four-digit CVV, which is present on the front of the card.

These verification codes are required for each online shopping session to prove that the buyer actually has the card with them and the data has not been stolen from a database; storing CVVs on merchants' systems is against the Payment Card Industry Data Security Standard (PCI DSS).

Micro-purchases can be made though

On the other hand, some retailers do not ask for this security code in order to complete a purchase. This happens in the case of micropayments, which are limited to a specific amount.

Merchants supporting these transactions are doing it in an effort to make the entire purchase process easier for their customers. Moreover, it has been shown that clients are more willing to make small purchases.

With micropayments, if the card data (save for the CVV) is already present in the shopping cart database, the card verification code is no longer required to complete the order.

If fraudulent transactions occur, the merchants are obviously willing to accept them and to reimburse the customer, since the process was not properly secured on their end.

Customers to be reimbursed if fraud is identified

Although the risk of fraud is non-existent in theory, HSBC officials said that the bank’s clients would not be held liable for any illegal payment occurring as a result of the attack on their systems.

For the time being, the bank has not found any evidence of suspicious activity on the accounts of the affected individuals, and said that it is confident that the attack poses no financial risk.

With regard to the number of records exposed, various online sources report a figure of about 2.7 million.

To prevent a similar incident from recurring, the bank has proceeded to upgrade its security measures. An investigation has been initiated in order to learn the identity of the attacker(s).