1.0 Introduction
Recently MyCERT observed massive amount of Personal Identification Information (PII) related to credit card information circulated publicly in cybercriminal's forum and dark web. The credit card information is traded in the forum and dark webs using bitcoin and USD currency. Excerpts of the credit card information and other associated PII have been posted in the forum as proof that such data is available and can be purchased from the irresponsible party. These information consist of Full Name, Address, City, State, Country, Email, Phone number, Pin code, Bank Name, Credit Card Number, Card Type and Card Circuit. The exposed data poses threat to the individuals who own the data and can be potentially manipulated for malicious intentions.

Hence, MyCERT advise individuals to be more precautious and vigilant while performing online transactions. System owners must adhere to the latest security updates and follow best practices to keep systems up-to-date with latest patches and upgrades. 

2.0 Impact
Users whose PII has been exposed could become a potential target of financial fraud, unauthorised online transactions and phishing attempts.

3.0 Recommendations
While financial institutions and e-commerce providers have put into place several measures to safeguard users' PII and cybersecurity best practices to reduce the prevalence of credit card fraud, it is also important for users to be aware about these threats in order to prevent their credit card information from compromise and misuse.

Below are best practices to prevent misuse of credit card fraud information by irresponsible parties:

  • Regularly monitor your credit card statement and check for any suspicious or unfamiliar transactions. If there is suspicious transaction, contact respective bank immediately.
  • Sign up for an auto-alert service that will alert you each time there’s a transaction on your card.
  • Do not click on suspicious links or share sensitive financial and personal information on the phone.

MyCERT also suggest the below guidelines to protect users’ credit card information when performing online transactions:

  • Do not use public, untrusted computers for e-commerce transactions. Public computers may not be secure and could be capturing payment card data as it is being entered.
  • Always clear the cache memory of the Internet browser after performing online banking transaction.
  • Do not make purchases when connected to an unsecured wireless network (for example, using your laptop computer with a public Wi-Fi connection), unless you have a personal firewall on your computer.
  • Be aware of “shoulder-surfing” when entering payment card data in a public location.
  • Do not do any financial transactions before verifying with the alleged parties.
  • Keep personal computers up to date with latest security patches.
  • Always ensure your connected devices, including PC, Laptop, and Mobile devices are running anti-virus software that is updated with the most recent virus signatures and definitions before connecting to the Internet. 
  • Always check for signs of a secure web page, For example, look for the "HTTPS" prefix in the web address, the little “padlock icon” at the top or bottom of the web browser, a green address bar, or a security seal before entering your payment card data.
  • Use strong passwords that cannot be easily guessed (for example, do not use your date of birth or your name as a password).
  • Keep your passwords private. For example, do not write them on a piece of paper and attach to your computer (especially if you are in a public place), and do not save them in a file on a computer that is shared with others.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

4.0    References