South African bank to replace 12m cards after employees stole master key:
Postbank says employees printed its master key at one of its data centers and then used it to steal $3.2 million.
The Sunday Times of South Africa, the local news outlet that broke the story, said the incident took place in December 2018 when someone printed the bank's master key on a piece of paper at its old data center in the city of Pretoria.
The bank suspects that employees are behind the breach, the news publication said, citing an internal security audit they obtained from a source in the bank.
The master key is a 36-digit code (encryption key) that allows its holder to decrypt the bank's operations and even access and modify banking systems. It is also used to generate keys for customer cards.
[...] Following the discovery of the breach, Postbank will now have to replace all customer cards that have been generated with the master key, an operation the bank suspects would cost it more than one billion rands (~$58 million).
This includes replacing normal payment cards, but also cards for receiving government social benefits. Sunday Times said that roughly eight to ten million of the cards are for receiving social grants, and these were where most of the fraudulent operations had taken place.
"According to the report, it seems that corrupt employees have had access to the Host Master Key (HMK) or lower level keys," the security researcher behind Bank Security, a Twitter account dedicated to banking fraud, told ZDNet today in an interview.
(Score: 4, Insightful) by Rosco P. Coltrane on Tuesday June 16 2020, @04:32AM (9 children)
A 36 digit code is the key to the entire castle?
It sits in a file any old employee with a login can read?
It happened in 2018 and they only caught it 1 1/2 years later because they did a security audit - read: they didn't investigate when the fraudulent transaction reports began coming in by the thousands?
What bank is it again, so I'm sure never ever to be one of their customers?
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @05:27AM
South Africa, Hell! all of Africa! All the banks are corrupt, just another gangsta's paradise... need the cobalt, you know
(Score: 2) by Mykl on Tuesday June 16 2020, @06:57AM (1 child)
To be fair, the launch codes for the United States' nuclear arsenal were 00000000 for a long time.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @08:42AM
Now updated? To: 1, 2,.. 3,... 4,....... 5.
That's the same combination as my luggage!
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] enter password: ********
ACCESS GRANTED
root@noradlaunch.gov: / % _
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @08:35AM
Sadly appropriate 99.96% of the time: https://youtu.be/umpalMtQE50 [youtu.be]
Can USAians even find on a map / globe:
1. Africa
2. South Africa
3. etc, etc (New Zealand, Australia, Korea, Iraq,....)
But happy to scream protest and point fingers. Where on the map IS that "Iraq"? Oh, you just bombed Canada.
(Score: 3, Interesting) by driverless on Tuesday June 16 2020, @11:11AM (4 children)
Banking systems in many African countries are rife with (potential) fraud. You can't trust any of your employees, so many banks have extensive internal controls to deal with this, e.g. bank staff will sell ATM access to crooks so the banks make sure there are separate, unconnected divisions doing the ATM software and with access to ATMs. One of the best security measures I'm aware of is ATMs made in China running Chinese firmware, because the bank employees in $african_country can't then reprogram them to dispense money to their associates. In the case of Postbank it looks like some of the internal controls broke down.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @02:55PM (3 children)
South Africa didn't use to be like that.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @06:24PM
Yes. This is what happens when the monkeys take over the zoo.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @06:28PM
https://invidio.us/watch?v=a_bDc7FfItk [invidio.us]
(Score: 2) by PartTimeZombie on Tuesday June 16 2020, @10:25PM
South Africa was always like that.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @02:31PM
An employee left the gate open and all of the depositors' cattle ran away.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @06:06PM
This is the bit I don't get.
The card number being known shouldn't be a big deal. The PIN being known should be a problem. But if the PIN is random there's no problem. And if the PIN is changed by the cardholder then it becomes more of the cardholder's problem.
So what are they doing so wrong to get the loss of the master key a big problem for any of this? Are they actually that incompetent to reversibly encrypt all customer PINs in some way that involves the master key?
Or is this for signing the chip on the cards? So that means attackers can make duplicates of arbitrary cards they want for use in physical transactions - but for big purchases they normally still need the PIN, right?
AFAIK online transactions don't require you to have the actual card.