Postbank, the banking division of South Africa's Post Office, has lost more than $3.2 million from fraudulent transactions and will now have to replace more than 12 million cards for its customers after employees printed and then stole its master key.
The Sunday Times of South Africa, the local news outlet that broke the story, said the incident took place in December 2018 when someone printed the bank's master key on a piece of paper at its old data center in the city of Pretoria.
The bank suspects that employees are behind the breach, the news publication said, citing an internal security audit they obtained from a source in the bank.
The master key is a 36-digit code (encryption key) that allows its holder to decrypt the bank's operations and even access and modify banking systems. It is also used to generate keys for customer cards.
The internal report said that between March and December 2019, the rogue employees used the master key to access accounts and make more than 25,000 fraudulent transactions, stealing more than $3.2 million (56 million rand) from customer balances.
Following the discovery of the breach, Postbank will now have to replace all customer cards that have been generated with the master key, an operation the bank suspects it would cost it more than one billion rands (~$58 million).
This includes replacing normal payment cards, but also cards for receiving government social benefits. Sunday Times said that roughly eight to ten million of the cards are for receiving social grants, and these were where most of the fraudulent operations had taken place.
Improper internal security procedures
"According to the report, it seems that corrupt employees have had access to the Host Master Key (HMK) or lower level keys," the security researcher behind Bank Security, a Twitter account dedicated to banking fraud, told ZDNet today in an interview.
"The HMK is the key that protects all the keys, which, in a mainframe architecture, could access the ATM pins, home banking access codes, customer data, credit cards, etc.," the researcher told ZDNet.
"Access to this type of data depends on the architecture, servers and database configurations. This key is then used by mainframes or servers that have access to the different internal applications and databases with stored customer data, as mentioned above.
"The way in which this key and all the others lower-level keys are exchanged with third party systems has different implementations that vary from bank to bank," the researcher said.
The Postbank incident is one of a kind as bank master keys are a bank's most sensitive secret and guarded accordingly, and are very rarely compromised, let alone outright stolen.
"Generally, by best practice, the HMK key is managed on dedicated servers (with dedicated OS) and is highly protected from physical access (multiple simultaneous badge access and restricted/separated data center)," Bank Security told ZDNet.
"Furthermore, a single person does not have access to the entire key but is divided between various reliable managers or VIPs, and the key can only be reconstructed if everyone is corrupt.
"Generally, the people and the key are changed periodically precisely to avoid this type of fraud or problem ,as in the case of PostBank," the researcher said. "As far as i know, the management of these keys is left to the individual banks and the internal processes that regulate the periodic change and security are decided by the individual bank and not by a defined regulation."
Postbank could not be reached for comment.
In February 2020, fellow South African bank Nedbank also reported a security breach. The bank said that hackers breached a third-party service provider and then stole information on more than 1.7 million of its customers.