“Bank heist! How insiders stole millions and threatened the cybersecurity of more than 12 million South African bank customers.”
It’s got all the makings of a made-for-the-movies bank robbery: a criminal plot to steal the 36-digit “master key” code that secured South Africa’s Postbank, the banking arm of the country’s post office.
And it’s not the next big picture movie thriller. It happened last year to Postbank.
Just three days ago, the Sunday Times of South Africa broke the story of the December 2018 security breach in which criminals obtained the bank’s master key codes, enabling the theft of millions through tens of thousands of fraudulent transactions.
The bank’s security audit says one or more criminal employees stole the master key which is a 36-digit code or encryption key that allows a user to decrypt the bank’s operations as well as access and modify banking systems, and generate security keys for customer credit and bank cards.
Rogue employees made more than 25,000 fraudulent transactions
The newspaper received a copy of the bank’s security audit from a confidential source; it said the master key was exposed during a July 2018 move of the bank’s data center to a new, secure building.
Unfortunately, it’s believed wayward employees copied the source code, which, according to the confidential security audit, was compromised “after being stored in clear text on one laptop (at a minimum) and remains compromised to the present day.”
With the master key in hand, between March and December 2019, the criminals carried out more than 25,000 transactions netting them more than $3.35 million from the accounts of bank customers, many receiving social benefit payments every month.
The result is a security headache of major proportions, forcing the bank to replace an estimated 12 million customer credit and debit cards in addition to further investigating related thefts and fraud. Also at risk is the confidential data of more than one million customers, which could already be for sale on the Dark Web.
Lax security and human frailty
According to security consultants, this kind of security breach should not have happened, and the costs are mounting quickly.
“It appears that the significance of magnitude of this card breach may not have been comprehended by Postbank operations and IT senior management,” said former chief risk officer Benjamin April in a January report. “The Sassa master key compromise is a significant failure for the Postbank and also for the national payment system.”
It seems that many serious security breaches follow a similar pattern: a lapse in normally tight technology security, compounded by human error or, in this case, by friendly fraudsters willing to take advantage of the opportunity presented by the data center relocation.
“Key management of master keys is well established in terms of process, so something went horribly wrong here. Just how insiders managed to gain access to a complete key points to gross collusion,” Mark Bower, senior vice president with data security specialists comforte AG, said.
Modern cryptosystems usually avoid exposing entire keys to people and, better yet, avoid exposing live data to any process or person, which eliminates wider theft and insider abuse.
“It’s likely here that an outdated approach such as printed key material sections placed in safes was used as a backup to a complete key. Key custodian processes in early generation credit card processes require that master keys be split for process loading or recovery by three or more people who, in theory, are entrusted with their component in an individual safe,” Bower said.
He added that the incident shows that assuming data is safe falls completely apart if access to sensitive data – in this case, key material – isn’t secured, monitored, and managed with modern data-centric methods.
Security cleanup continues
Meanwhile, the security breach cleanup continues, and the costs are growing. In addition to millions of dollars in known losses to date, security consultants are now examining how many other bank accounts in addition to those receiving social security benefits were compromised. Postbank must now rework its security protocols from top to bottom.
Security Boulevard reports South Africa’s Reserve Bank gave Postbank 18 months to replace the 12 million compromised cards and also blocked all contactless offline transactions for cardholders during this timeframe. The cost of replacing these millions of cards is estimated at $58.7 million.
On LinkedIn, Saryu Nayyar, CEO of cybersecurity consulting firm Gurucul said, “When it comes to insider threats, insiders with privilege inflict the most damage. In this case, privileged users abused their access to the bank’s master key. Further, this single key was protected by the four eyes principle where at least two people were required to reproduce the full access key, as the 36-digit code had been divided between multiple parties. So much for added security. The corruption at this bank was coordinated across multiple bank managers and VIPs.”
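The split-knowledge custodian process Bower describes (three or more people, each holding one component) and the “four eyes” split Nayyar refers to rest on the same mechanism used in payment key ceremonies: the master key is XOR-ed into components so that no subset of them reveals anything, and a key check value lets custodians confirm the rebuilt key without ever seeing it. The Python below is an added illustration written for this page, not Postbank’s code or anything from the audit; the XOR split, the custodian-distinctness check, the `Delivery` record and the SHA-256-based check value are all assumptions made for the example (real HSMs derive a KCV by encrypting a zero block under the key). It also shows the control failure the article describes: the arithmetic is unchanged when one person or one laptop ends up holding every component, but the protection is gone.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

KEY_LEN = 16  # bytes; a constructed key size for this demonstration


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_components(key: bytes, n_custodians: int) -> List[bytes]:
    """Split a key into n XOR components, one per custodian.

    All but the last component are uniformly random, so any n-1 of them
    carry no information about the key; only the XOR of all n restores it.
    """
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [os.urandom(len(key)) for _ in range(n_custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: Sequence[bytes]) -> bytes:
    """XOR every component together; correct only when all are present."""
    acc = bytes(len(components[0]))
    for c in components:
        acc = xor_bytes(acc, c)
    return acc


def check_value(key: bytes) -> str:
    """Stand-in for a key check value (KCV).

    A KCV lets custodians confirm the rebuilt key is the right one without
    ever displaying it. Payment HSMs derive it by encrypting a zero block
    under the key; a truncated SHA-256 is used here (an assumption) so the
    example needs nothing outside the standard library.
    """
    return hashlib.sha256(key).hexdigest()[:6]


@dataclass(frozen=True)
class Delivery:
    """One component handed in at the key-loading ceremony (constructed record)."""
    custodian: str
    component: bytes


def load_key_from_ceremony(
    deliveries: Sequence[Delivery], expected_kcv: str, min_custodians: int = 3
) -> Tuple[Optional[bytes], str]:
    """Rebuild the key only if distinct custodians each supplied one component.

    Returns (key, "ok") on success, or (None, reason) when a control fails.
    The distinct-custodian check is the point: the XOR math is just as sound
    when one person holds every component, but the control no longer exists.
    """
    holders = {d.custodian for d in deliveries}
    if len(holders) < min_custodians:
        return None, (
            f"components supplied by {len(holders)} distinct custodian(s); "
            f"{min_custodians} required"
        )
    if len(holders) != len(deliveries):
        return None, "a custodian supplied more than one component"
    key = combine_components([d.component for d in deliveries])
    if check_value(key) != expected_kcv:
        return None, "key check value mismatch: wrong or tampered component"
    return key, "ok"


if __name__ == "__main__":
    master = os.urandom(KEY_LEN)      # constructed stand-in for a master key
    kcv = check_value(master)         # recorded at generation, kept with the ceremony records
    parts = split_into_components(master, 3)

    # Any two custodians together still learn nothing about the key.
    assert combine_components(parts[:2]) != master

    # Proper ceremony: three separate custodians, three separate components.
    good = [Delivery("custodian-A", parts[0]),
            Delivery("custodian-B", parts[1]),
            Delivery("custodian-C", parts[2])]
    print(load_key_from_ceremony(good, kcv)[1])

    # Failure mode from the article: every component ends up with one party.
    one_laptop = [Delivery("insider", p) for p in parts]
    print(load_key_from_ceremony(one_laptop, kcv)[1])
```

The loading function deliberately reports a reason rather than silently failing, because in a real ceremony the “fewer distinct custodians than required” path is exactly the event an auditor wants logged and alerted on; recording the KCV at generation time and comparing it on every load also catches a swapped or corrupted component before the key is used.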
“It just takes a single key compromise to be the million-dollar problem which is the projected minimum cost impact in this case. The mind boggles as to how many other banks still have this highly vulnerable master key management strategy in place and, that is the bottom of a house of cards for data security,” Bower added.
It seems that friendly fraud, cybersecurity risks, and data breaches are destined to continue until financial institutions take a harder-line approach to security.
Let’s see. Who do you think is the ideal box office star in this new bank heist thriller – Jean Reno, Brad Pitt, Angelina Jolie, Denzel Washington, or Daniel Craig?