Earlier this week, South Africa’s Postbank (the banking arm of South Africa’s national post office) fell victim to an insider attack. In an unprecedented move, rogue employees with access to the bank’s ‘master key’ used it to make off with $3.2 Million in fraudulent transactions, forcing the bank to re-issue over 12 Million cards to customers in order to prevent further misuse. Unfortunately, the bank’s losses don’t stop there. On top of the lost $3.2 Million, Postbank estimates that replacing the cards and reinforcing security measures will set it back by another $58 Million (1 Billion Rand).
The news was first reported by the Sunday Times of South Africa, which noted that the incident exposed the account information of several account holders, including grant beneficiaries. A past internal security audit revealed that the incident began with employees gaining access to one of the bank’s old data centers in Pretoria, sometime around 2018. The master key was then printed out on a piece of paper and used to illegally access accounts and carry out over 25,000 transactions in the span of nine months.
The ‘master key’ (a.k.a host master key or HMK) is, simply put, an encryption key that allows for decryption of confidential banking information, and thereby, access to the bank’s systems (including account information, credit/debit card details, transaction details, and so on). A malicious actor with access to this key could access and manipulate sensitive information, and greatly simplify the funneling of funds to their private accounts (or any vehicle used to carry out this activity).
Master keys are among the most closely guarded secrets in most banks, which makes it highly unusual that one could be stolen with impunity without leaving so much as a trail. Let’s take a closer look at some of the reasons why Postbank may have fallen victim to this theft:
- The server hosting the key lacked both physical controls (dual key-card access, stricter data center security) and technical controls (restrictions on printing the key, an audit trail).
- Key generation and circulation may not have been handled with utmost care.
- Key access might not have been split among several individuals to avoid compromise.
From an encryption and network security standpoint, there are several actions Postbank can take to prevent such an incident occurring in the future. Naturally, this applies to every institution that leverages encryption keys to protect sensitive information. Our recommendations are as follows:
- Always generate keys ONLY on the server or machine on which they will be used.
- Use secure methods for key transfer – do this by leveraging automation to minimize manual intervention.
- Frequently scan networks for rogue machines.
- Categorize assets based on the level of security needed. Assign and enforce security protocols as necessary.
- Maximize physical security measures, as they are the first line of defence against attacks of this kind.
This breach comes in the midst of a turbulent year for cybersecurity: food delivery service Foodora reported a breach less than 24 hours ago, and attacks have been ongoing since February, when another South African bank, Nedbank, reported a cyber attack. We strongly urge businesses to ramp up their cybersecurity practices during these turbulent times in order to nip such incidents in the bud.