Fraudsters stole more than $3.2 million from the banking division of South Africa’s post office, after – in a catastrophic breach of security – employees printed out the bank’s master key.

According to South African media reports, the security breach occurred in December 2018 when a copy of Postbank’s digital master key was printed out at a data center in Pretoria.

According to internal documents acquired by journalists, employees stole the 36-digit master encryption key, which “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards.”

The security breach went unnoticed for months, giving fraudsters free reign to steal millions of dollars. In the nine months up to December 2019, the fraudsters are thought to have used the copied master key to access accounts without authorisation, and make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.

A problem for Postbank is that all of the cards were generated with the compromised master key. The bank believes that replacing all of the cards will cost in the region of $58 million.

The bank has conducted an internal security audit following the breach, and suspects that rogue employees are responsible.

According to news reports, South Africa’s Reserve Bank last year gave Postbank an 18 month deadline to replace the compromised cards. The bank has also responded to the breach by prohibiting contactless offline transactions for cardholders.

Many questions remain unanswered regarding how the master key was secured, such as whether the key had been divided into separate parts stored separately – requiring collusion between different people to reveal it in its entirety, and what measures Postbank (Read more...)