A mere three years after a South African bank spent $1.8 million on a new fraud-detection system, hackers managed to swindle $6.7 million out from under that system’s nose.
As the South African Times Live reported on Sunday, the high-tech heist is believed to have been carried out by a cybercrime syndicate with in-depth knowledge of the IT systems in question.
The bank, Postbank, is part of the South African Post Office. It holds about $500 million in deposits and oversees the movement of millions of rands in social grants each month, according to Times Live.
Starting on New Year’s Day, the robbers launched the operation. Over the next 72 hours, they hacked into two employees’ accounts, dramatically increased withdrawal limits, and shifted $6.7 million into their own accounts before cashing out.
Here are details on how the heist went down, as paraphrased from the Times Live account:
The syndicate started its operation by opening accounts in post offices across the country late last year.
With offices closed for the holiday, the syndicate gained access to a Rustenburg Post Office employee's computer, linked to Postbank's server system, sharply increased withdrawal limits, and made deposits into the accounts.
Over the next three days, ATMs in Gauteng, KwaZulu-Natal and the Free State were used to withdraw cash from the accounts.
The login details of a teller and a call center agent were used. Police would not tell Times Live if the two are suspects. Questions remain about how low-level employees could have clearance to increase withdrawal limits for such large amounts.
An unnamed IT and bank security expert told the Times Live that the theft comes as no surprise, given Postbank’s poor security profile. Here’s how the newspaper quoted that expert:
The Postbank network and security systems are shocking and in desperate need of an overhaul. This [theft] was always going to be a very real possibility.
At first glance you have to say the intrusion detection system on its servers [was] obviously not working properly. It will be difficult for the post office to detect and stop something like this. But, if they had the will and knowledge, it could certainly have been prevented.
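The two weak points the story exposes are that low-level logins could raise withdrawal limits at all, and that nothing flagged them doing so on a public holiday. The following is an added illustration, not Postbank's code or data: it runs a few constructed audit-log events (user names, account ids, timestamps and amounts are all invented) through defender-side checks for least privilege, dual control, off-hours activity and segregation of duties.

```python
from datetime import datetime

# Roles allowed to raise a customer's withdrawal limit at all; a teller or a
# call-centre agent should never hold this right (least privilege).
LIMIT_ROLES = {"risk_officer"}
# Increases above this amount need a recorded second approver (maker-checker).
DUAL_CONTROL_THRESHOLD = 50_000
# Constructed holiday list (month-day); the heist in the article began on New Year's Day.
HOLIDAYS = {"01-01"}

# Constructed audit-log events, not real Postbank data: two low-level logins
# raise limits on a holiday night, and one of them then funds the same account.
EVENTS = [
    {"ts": "2012-01-01T02:14:00", "user": "teller01", "role": "teller",
     "action": "set_withdrawal_limit", "account": "A1", "old": 5000, "new": 900000},
    {"ts": "2012-01-01T02:20:00", "user": "callctr07", "role": "call_centre",
     "action": "set_withdrawal_limit", "account": "A2", "old": 5000, "new": 750000},
    {"ts": "2012-01-01T03:00:00", "user": "teller01", "role": "teller",
     "action": "deposit", "account": "A1", "amount": 850000},
    {"ts": "2012-01-03T11:05:00", "user": "risk02", "role": "risk_officer",
     "action": "set_withdrawal_limit", "account": "A3", "old": 5000, "new": 8000},
]

def is_off_hours(ts: datetime) -> bool:
    """Weekends, listed holidays, or anything outside 08:00-17:00 count as off-hours."""
    return (ts.weekday() >= 5 or ts.strftime("%m-%d") in HOLIDAYS
            or not 8 <= ts.hour < 17)

def detect(events):
    """Return (rule, user, account) alerts for suspicious limit activity."""
    alerts = []
    raised_by = {}  # account -> login that last raised its limit
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "set_withdrawal_limit":
            if e["role"] not in LIMIT_ROLES:
                alerts.append(("role_not_permitted", e["user"], e["account"]))
            if e["new"] - e["old"] > DUAL_CONTROL_THRESHOLD and not e.get("approved_by"):
                alerts.append(("missing_second_approver", e["user"], e["account"]))
            if is_off_hours(ts):
                alerts.append(("off_hours_limit_change", e["user"], e["account"]))
            if e["new"] > e["old"]:
                raised_by[e["account"]] = e["user"]
        elif e["action"] == "deposit" and raised_by.get(e["account"]) == e["user"]:
            # The same login raised the limit and then funded the account: a
            # segregation-of-duties breach that deserves an analyst's attention.
            alerts.append(("self_funded_after_raise", e["user"], e["account"]))
    return alerts
```

Run against the sample events, `detect(EVENTS)` produces seven alerts for the two low-level logins and none for the risk officer's modest weekday change.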
As of the time of writing, the home page of the bank’s site had nothing listed under its “headlines” section except for the sad, lonely number “1” in red, with no corresponding headline whatsoever, never mind one that might inform visitors about this massive robbery.
Nobody expects full details while an investigation is under way, but this lack of acknowledgement is a little baffling.
It’s also a little ironic, given that the bank’s got an entire section devoted to online security advice.
While none of the bank’s 4 million customers’ accounts have been breached this time around, as bank officials assured Times Live reporters, that’s truly cold comfort. Why would customers trust a bank to keep their accounts safe when that bank is vulnerable to a cyber robbery of this magnitude?
It’s not hard to imagine how such a robbery would shake any business to its core.
Unfortunately, the lack of a simple message to inform site visitors about the incident and the ongoing investigation is easy to read as an indication of the bank’s lack of security and disaster response preparedness.
There’s something about it that’s reminiscent of a fish, on a beach, surprised, gasping, helpless.
Times Live reports that the three-day heist comes as Postbank seeks to become a separate entity and get a full banking license from South Africa’s Reserve Bank, to allow it to compete with commercial banks while still being state-owned.
Let’s hope that before it goes further in that quest, the bank makes it a priority to tighten up its network, its intrusion detection system, and its disaster response protocol.