KUALA LUMPUR: For as little as US$8 (RM33), you can buy what appears to be bank account information on thousands of Malaysians.
A cyber consumer activist says such information has long been available to those who can afford it and who are able to shop at the secret marketplaces existing on the “dark web”.
The “dark web” is an underground section of the internet running on privately-run servers, with a domain of .onion which is not readily accessible to most online users.
Marketplaces in the “dark web” sell almost anything, from drugs to pornography and guns. However, there are also online forums run by political activists and others, while Facebook and the Duck Duck Go search engine also have “dark web” onion sites for users who have a need to protect their privacy.
One website that FMT accessed was found to contain what appeared to be bank account information of thousands of Malaysian consumers available for sale for as little as US$8 (RM33).
Cyber consumer activist Siraj Jalil said criminal syndicates obtain bank account details using credit card receipts that have been discarded after a transaction has been made. “They sell the six-digit bank identification number of your credit card after running it through some random encryption that is run by bots,” Siraj told FMT.
This piece of information is more than enough for them to be able to hack into bank accounts, he said. They can even take this one step further and hack into your Netflix accounts.
He said this was how “Netflix murah” accounts have been obtained for a fraction of the regular subscription fee, and how some people purchase virtual gems and gold in-app games online without paying for the real thing.
Siraj said he found out about this after complaints were received by the Malaysia Cyber Consumer Association, of which he is president.
The association was set up last year to advocate the rights of Malaysian internet users. The group assists consumers with cyber-related issues by bringing them up to CyberSecurity Malaysia, helping them lodge police reports or reaching out to Bank Negara Malaysia. They also help find lawyers to initiate lawsuits on their behalf.
“We are hoping to emphasise more awareness through education so that the public know about these things and won’t just leave their credit card receipts or throw them away,” Siraj said.
He is worried about the ease of such information being available for purchase on the internet. Thousands of websites sell them. Now anyone with Bitcoin in their wallets can access such information. So there’s no way of tracking them either.
It’s easy to purchase Bitcoin in Malaysia. And now that three companies doing digital exchange have been given the finance ministry’s blessings to operate, Siraj is worried that this will be misused.
He’s also worried about the government’s efforts in promoting a cashless society and the global push towards Industrial Revolution 4.0.
“This issue can become even more problematic unless there is a solution by Bank Negara Malaysia and the government to counter such a syndicate,” he said.
He claimed that the current laws are not enough, and police officers looking at police reports on the matter would find it difficult to trace the IP addresses that sold such information. The police also do not investigate cases like these unless a substantive amount is involved, he said.
Siraj said the government can amend the Computer Crimes Act 1997 and the Finance Act 1990 to ensure that people who have committed such crimes online can be charged in the courts here.
He proposed a cyber crime department spearheaded by Bukit Aman’s Criminal Investigation Department as opposed to the current practice of a unit in the CID.
“Just imagine, there are more than 28.7 million internet users in Malaysia. Billions of transactions are made daily in e-commerce, yet concerns over this are handled by a single unit,” he said.