Exposing The USD 58 Mn Mess Made By Rogue Employees Who Stole From SA Bank
In December 2018, rogue employee(s) at Postbank, the banking division of South Africa’s Post Office, set a plan in motion to steal from customer accounts, and they succeeded.
The employee(s) printed the bank’s master key on a piece of paper at its old data center in the city of Pretoria. Between March and December of 2019, the rogue employee(s) used the master key to access accounts and complete more than 25,000 fraudulent transactions, siphoning over ZAR 56 Mn (USD 3.2 Mn) from customer balances.
As things stand, Postbank is about to incur an expense of ZAR 1 Bn (USD 58 Mn) in the process of replacing all customer cards (some 12 million of them) that have been generated with the master key.
As a local news outlet first reported, Postbank is convinced that its employee(s) is/are behind the breach, per an internal security audit that was obtained from a source in the bank.
South African Post Office Bank (Postbank) claims to offer secure, reliable, accessible, and affordable banking. It boasts some of the best savings accounts interest rates and a low-cost debit card range. But that part about “offering secure banking” is certainly now in doubt given the recent revelations which hint at a major inside job.
According to the bank, the rogue employee(s) pulled off the heist by stealing the bank’s master key. The master key is a 36-digit code (encryption key) that allows its holder to decrypt the bank’s operations and even access and modify banking systems. It is also used to generate keys for customer cards.
The cards that were affected by the breach include normal payment cards and cards for receiving government social benefits. The latter makes up 8-10 million of the cards that need to be replaced, as these were where the bulk of the fraudulent operations happened.
But how could this have happened?
Speaking to ZDNet, a security researcher behind Bank Security, a Twitter account that keeps an eye on banking fraud, said:
“According to the report, it seems that corrupt employees have had access to the Host Master Key (HMK) or lower-level keys. The HMK is the key that protects all the keys, which, in a mainframe architecture, could access the ATM pins, home banking access codes, customer data, credit cards, etc.,” the researcher said.
The Postbank heist is not a common occurrence given that bank master keys are a bank’s most sensitive secret, and guarded accordingly. They are very rarely compromised, which makes the idea that they were stolen outright in this case all the more astonishing.
“Generally, by best practice, the HMK key is managed on dedicated servers (with dedicated OS) and is highly protected from physical access (multiple simultaneous badge access and restricted/separated data center),” the security researcher explained.
“Furthermore, a single person does not have access to the entire key, but it is divided between various reliable managers or VIPs, and the key can only be reconstructed if everyone is corrupt.
“Generally, the people and the key are changed periodically precisely to avoid this type of fraud or problem, as in the case of Postbank. As far as I know, the management of these keys is left to the individual banks and the internal processes that regulate the periodic change and security are decided by the individual bank and not by a defined regulation.”
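The split custody and periodic rotation the researcher describes can be shown concretely. The following is an added example written for this article, not code from Postbank or from the researcher: it splits a master key into XOR components held by separate custodians (so that no subset short of all of them learns anything about the key), gives custodians a check value to confirm a correct rebuild without revealing the key, and derives per-card keys from the master to show why every card issued under a leaked master must be reissued once the key is rotated. The 32-byte key length, the SHA-256-based check value and the HMAC card-key derivation are assumptions made for the example; the article only says the key is a 36-digit code used to generate card keys, and real issuer schemes and industry key check values differ in detail.

```python
import hashlib
import hmac
import secrets
from typing import List

KEY_LEN = 32  # assumption: a 256-bit master key; the article gives no key format


def split_key(master: bytes, n_custodians: int) -> List[bytes]:
    """Split `master` into n XOR components, one per custodian.
    Any n-1 components are uniformly random bytes and reveal nothing about
    the key; only the XOR of all n components rebuilds it."""
    if n_custodians < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(master)) for _ in range(n_custodians - 1)]
    last = master
    for c in components:
        last = bytes(x ^ y for x, y in zip(last, c))
    components.append(last)  # last component is master XOR all the random ones
    return components


def combine_components(components: List[bytes]) -> bytes:
    """Rebuild the key by XOR-ing every component; a missing component
    yields an unrelated random-looking value, not the key."""
    acc = bytes(len(components[0]))
    for c in components:
        if len(c) != len(acc):
            raise ValueError("component length mismatch")
        acc = bytes(x ^ y for x, y in zip(acc, c))
    return acc


def check_value(key: bytes) -> str:
    """Short key check value so custodians can confirm a correct rebuild
    without writing the key down or displaying it. Industry KCVs encrypt a
    zero block under the key; a truncated SHA-256 is a stand-in here
    (assumption) to keep the example dependency-free."""
    return hashlib.sha256(b"KCV|" + key).hexdigest()[:6]


def derive_card_key(master: bytes, pan: str) -> bytes:
    """Per-card key derived from the master with HMAC-SHA256 keyed on the
    card number (assumption: illustrative, not any issuer's real scheme).
    Whoever holds the master can derive the key of every card issued under it."""
    return hmac.new(master, pan.encode(), hashlib.sha256).digest()


def verify_card(master: bytes, pan: str, card_key: bytes) -> bool:
    """True if `card_key` was derived under `master`; after the master is
    rotated every previously issued card fails this check, which is why a
    master-key compromise forces a full card reissue."""
    return hmac.compare_digest(derive_card_key(master, pan), card_key)


def rotate_master(n_custodians: int):
    """Key ceremony: generate a fresh master and hand out new components,
    returning (components, check_value). The master itself is not returned,
    mirroring the practice that no single person sees the whole key."""
    new_master = secrets.token_bytes(KEY_LEN)
    return split_key(new_master, n_custodians), check_value(new_master)


def demo() -> bool:
    components, kcv = rotate_master(3)
    # all three custodians present: rebuild succeeds and the KCV matches
    master = combine_components(components)
    assert check_value(master) == kcv
    # any two custodians alone: a different value, and the KCV does not match
    assert check_value(combine_components(components[:2])) != kcv
    # constructed sample card number (not a real PAN)
    pan = "0000111122223333"
    issued_card_key = derive_card_key(master, pan)
    assert verify_card(master, pan, issued_card_key)
    # after a rotation the old card key no longer verifies: reissue required
    new_components, _ = rotate_master(3)
    new_master = combine_components(new_components)
    assert not verify_card(new_master, pan, issued_card_key)
    return True


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

Run it directly to walk through the ceremony. The XOR split is the classic n-of-n scheme used for host and zone master key components; a threshold scheme such as Shamir's would let a quorum rebuild the key without every custodian present, at the cost of tolerating a smaller set of colluders, which is the trade-off a bank makes when it chooses how many people must be corrupt before the key is exposed.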
The bank in question has opted not to make any comments on the matter and it is understood that investigations are still ongoing.
One breach too many
The Postbank incident, once again, highlights some of the flaws in the traditional banking system and the cards that come with it. This makes a case for the increased adoption of digital wallets and branchless banking as mobile money continues to spar with bank cards for Africa’s fintech space.
Although the Postbank breach is not a common occurrence, digital breaches are anything but rare in South Africa.
In February 2020, fellow South African bank, Nedbank, one of the country’s biggest banks, suffered a data breach affecting 1.7 million customers. That same month, state-owned power company, Eskom, acknowledged a malware infection and possible data leak. In March, hackers hit 300,000+ devices in South Africa in one very eventful week.
In October 2019, the website of the City of Johannesburg suffered a ransomware attack for the second time in four months. Both attacks were carried out by the same hackers, who demanded a ransom payment of 4 Bitcoin (USD 30 K at the time). They had threatened to publicize sensitive data if their demands were not met.
In the same month, a number of web hosting companies in South Africa suffered distributed denial of service (DDoS) attacks. The South African Banking Risk Information Centre (SABRIC) said another wave of DDoS attacks affected multiple banks.
Featured Image Courtesy: Moneyweb