Postbank, a South African bank, has had to replace more than 12 million customer credit cards after an employee printed and stole a master key.
The master key stolen by that employee is a 36-digit code, otherwise known as an encryption key, that allows the possessor to decrypt sensitive banking information and access key systems such as customers’ PINs and internet banking passwords.
It can also be used to generate the keys associated with customer credit cards, hence Postbank’s move to cancel and reissue as many as 12 million credit cards. The bank has said that it has lost more than US$3.2 million to fraudulent transactions as a result of the security incident.
The news was broken by the Sunday Times, which said the incident dates back to December 2018, when a bank employee printed a master key at one of its data centers in Pretoria.
Postbank, a financial division of South Africa’s postal service, has since launched a security audit to determine which employees are responsible for the breach. That report shows that between March and December 2019, 25,000 illegitimate transactions were made using the compromised master keys, totalling more than $3.2 million.
The Sunday Times writes that Postbank’s move to replace customer credit cards will cost the bank more than $58 million. In addition, between 8 and 10 million of the affected cards were used to receive government social grants and welfare payments, and these were targeted the most by fraudulent transactions.
Bank Security told ZDNet that “according to the report, it seems that corrupt employees have had access to the Host Master key (HMK) or lower levels. The HMK is the key that protects all the keys, which, in a mainframe architecture, could access the ATM pins, home banking access codes, customer data, credit cards etc.”
“Access to this type of data depends on the architecture, servers and database configurations. This key is then used by mainframes or servers that have access to the different internal applications and databases with stored customer data, as mentioned above.”
“The way in which this key and all other lower-level keys are exchanged with third-party systems has different implementations that vary from bank to bank. Generally, by best practice, the HMK key is managed on dedicated servers (with dedicated OS) and is highly protected from physical access.”
Catalin Cimpanu writes that “the PostBank incident is one of a kind, as bank master keys are a bank’s most sensitive secret and [are] guarded accordingly, and are very rarely compromised, let alone outright stolen.”
This isn’t the first security incident at a major South African bank, with Nedbank reporting a data breach back in February. Nedbank said that hackers managed to breach a third-party service provider of the bank and were able to steal the information of 1.7 million of its customers.
“Furthermore, a single person does not have access to the entire key, but [it] is divided between various reliable managers or VIPs, and then can only be reconstructed if everyone is corrupt,” Bank Security continued.
“Generally, the people and the key are changed periodically precisely to avoid this type of fraud or problem, as in the case of PostBank. As far as I know, the management of these keys is left to the individual banks and internal processes that regulate periodic change and security are decided by the individual bank and not by a defined regulation.”
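The split-knowledge custodianship and periodic key change described in the quotes above, shown as an added illustration that is not Postbank’s or any vendor’s implementation: the host master key is split into XOR components held by separate custodians, can only be reconstructed when every component is presented, and is accepted only if it matches a recorded key check value. The 256-bit key length, the XOR component scheme and the HMAC-based check value are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import List, Optional

KEY_LEN = 32  # assumed 256-bit host master key (HMK)


def key_check_value(key: bytes) -> str:
    """Check value custodians can record and compare without revealing the key.
    Assumption: a truncated HMAC-SHA256 tag stands in for a vendor-specific KCV."""
    return hmac.new(key, b"HMK-KCV", hashlib.sha256).hexdigest()[:6]


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into one XOR component per custodian. All components but the
    last are uniformly random, so any subset missing even one component carries
    no information about the key: every custodian must cooperate to rebuild it."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for part in parts:
        last = bytes(a ^ b for a, b in zip(last, part))
    return parts + [last]


def combine_components(parts: List[bytes]) -> bytes:
    """XOR the presented components together; correct only if all are present."""
    acc = bytes(len(parts[0]))
    for part in parts:
        acc = bytes(a ^ b for a, b in zip(acc, part))
    return acc


def ceremony(parts: List[bytes], expected_kcv: str) -> Optional[bytes]:
    """Key-loading ceremony: accept the combined key only if its check value
    matches the KCV recorded when the key was generated; otherwise reject."""
    candidate = combine_components(parts)
    if hmac.compare_digest(key_check_value(candidate), expected_kcv):
        return candidate
    return None


def rotate_components(key: bytes, custodians: int) -> List[bytes]:
    """Periodic re-split: the HMK itself is unchanged, but every custodian gets
    a fresh component, so a component printed or copied earlier becomes useless."""
    return split_key(key, custodians)
```

Running `ceremony` with fewer than all components, or with components from different splits, returns `None` because the check value cannot match.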
Just a few weeks ago, we reported on a data breach at the Bank of America that potentially compromised details of as many as 305,000 applicants of the US government’s Paycheck Protection Program.