According to internal documents acquired by journalists, employees stole the 36-digit master encryption key, which "allows anyone who has it to gain unfettered access to the bank's systems, and allows them to read and rewrite account balances, and change information and data on any of the bank's 12-million cards."The security breach went unnoticed for months, giving fraudsters free reign to steal millions of dollars. In the nine months up to December 2019, the fraudsters are thought to have used the copied master key to access accounts without authorisation, and make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government. A problem for Postbank is that all of the cards were generated with the compromised master key. The bank believes that replacing all of the cards will cost in the region of $58 million. The bank has conducted an internal security audit following the breach, and suspects that rogue employees are responsible. According to news reports, South Africa's Reserve Bank last year gave Postbank an 18 month deadline to replace the compromised cards. The bank has also responded to the breach by prohibiting contactless offline transactions for cardholders. Many questions remain unanswered regarding how the master key was secured, such as whether the key had been divided into separate parts stored separately - requiring collusion between different people to reveal it in its entirety, and what measures Postbank (not to be confused with the German bank of the same name) had taken to keep tight control of such a critical asset. But clearly something went very wrong at the very heart of the bank if it was possible for someone to make off with a copy of such an essential part of its security as its master key, and then exploit it to make fraudulent transactions. The natural suspicion has to be that the fraud was orchestrated with the assistance or knowledge of privileged insiders within the bank, rather than tech-savvy hackers just happened to stumble across a piece of paper containing a printout of the bank's master key. All too often organisations are more focused on the threat posed by external hackers and ignoring the risks presented by partners, contractors, and rogue members of staff. Insiders have advantages over malicious external hackers for a variety of reasons. An insider threat can be tough to detect and remain undetected for years, sometimes indistinguishable from regular work activities. An insider has often been given special privileges to work alongside sensitive data, making it harder to know if what they are doing is malicious or not. Furthermore, it's much easier for a rogue employee to cover their tracks than an external hacker, destroying evidence that otherwise might later be used against them, or blaming incompetence rather than malicious intent for any breach that occurs.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.