SoylentNews

upstart writes in with an IRC submission:

South African bank to replace 12m cards after employees stole master key:

Postbank says employees printed its master key at one of its data centers and then used it to steal $3.2 million.

The Sunday Times of South Africa, the local news outlet that broke the story, said the incident took place in December 2018 when someone printed the bank's master key on a piece of paper at its old data center in the city of Pretoria.

The bank suspects that employees are behind the breach, the news publication said, citing an internal security audit they obtained from a source in the bank.

The master key is a 36-digit code (encryption key) that allows its holder to decrypt the bank's operations and even access and modify banking systems. It is also used to generate keys for customer cards.

[...] Following the discovery of the breach, Postbank will now have to replace all customer cards that have been generated with the master key, an operation the bank suspects it would cost it more than one billion rands (~$58 million).

This includes replacing normal payment cards, but also cards for receiving government social benefits. Sunday Times said that roughly eight to ten million of the cards are for receiving social grants, and these were where most of the fraudulent operations had taken place.

"According to the report, it seems that corrupt employees have had access to the Host Master Key (HMK) or lower level keys," the security researcher behind Bank Security, a Twitter account dedicated to banking fraud, told ZDNet today in an interview.

Original Submission