A mere three years after a South African bank spent $1.8 million on a new fraud-detection system, hackers managed to swindle $6.7 million out from under that system’s nose.
As the South African Times Live reported on Sunday, the high-tech heist is believed to have been carried out by a cybercrime syndicate with in-depth knowledge of the IT systems in question.
The bank, Postbank, is part of the South African Post Office. It holds about $500 million in deposits and oversees the movement of millions of rands in social grants each month, according to Times Live.
Starting on New Year’s Day, the robbers launched the operation. Over the next 72 hours, they hacked into two employees’ accounts, dramatically increased withdrawal limits, and shifted $6.7 million into their own accounts before cashing out.
Here are details on how the heist went down, as paraphrased from the Times Live account:
The syndicate started its operation by opening accounts in post offices across the country late last year.
With offices closed for the holiday, the syndicate gained access to a Rustenburg Post Office employee's computer, linked to Postbank's server system, sharply increased withdrawal limits, and made deposits into the accounts.
Over the next three days, ATMs in Gauteng, KwaZulu-Natal and the Free State were used to withdraw cash from the accounts.
The login details of a teller and a call center agent were used. Police would not tell Times Live if the two are suspects. Questions remain about how low-level employees could have clearance to increase withdrawal limits for such large amounts.
An unnamed IT and bank security expert told the Times Live that the theft comes as no surprise, given Postbank’s poor security profile. Here’s how the newspaper quoted that expert:
The Postbank network and security systems are shocking and in desperate need of an overhaul. This [theft] was always going to be a very real possibility.
At first glance you have to say the intrusion detection system on its servers [was] obviously not working properly. It will be difficult for the post office to detect and stop something like this. But, if they had the will and knowledge, it could certainly have been prevented.
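The two points raised above, that low-level logins should not be able to raise withdrawal limits and that the intrusion detection failed to notice, can both be expressed as audit-log checks. Below is an added example (not code from the article or from Postbank) that reviews constructed limit-change events for unauthorised roles, changes made while offices are closed, outsized increases, and one login raising limits on many accounts; the role names, thresholds and sample events are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LimitChange:
    ts: datetime      # when the change was recorded
    actor: str        # login that made the change
    role: str         # role of that login in the core banking system
    account: str      # account whose withdrawal limit changed
    old_limit: int    # previous daily ATM limit
    new_limit: int    # new daily ATM limit

# Assumed separation-of-duties policy: only these roles may raise limits.
AUTHORISED_ROLES = {"branch_manager", "risk_officer"}
CLOSED_DAYS = {(1, 1)}   # (month, day) public holidays when branches are shut
MAX_RAISE_FACTOR = 5     # raising a limit by 5x or more is flagged
MANY_ACCOUNTS = 3        # one login raising >= 3 limits in a day is flagged

def offices_closed(ts: datetime) -> bool:
    return ts.weekday() >= 5 or (ts.month, ts.day) in CLOSED_DAYS

def review_limit_changes(changes: list[LimitChange]) -> list[tuple[str, str, list[str]]]:
    """Return (account, actor, reasons) for every change that breaks a policy rule."""
    alerts = []
    per_actor_day = defaultdict(set)
    for c in changes:
        reasons = []
        if c.role not in AUTHORISED_ROLES:
            reasons.append(f"role '{c.role}' may not change limits")
        if offices_closed(c.ts):
            reasons.append("changed while offices closed")
        if c.old_limit > 0 and c.new_limit >= MAX_RAISE_FACTOR * c.old_limit:
            reasons.append(f"limit raised {c.new_limit // c.old_limit}x")
        touched = per_actor_day[(c.actor, c.ts.date())]
        touched.add(c.account)
        if len(touched) >= MANY_ACCOUNTS:
            reasons.append("same login raised limits on many accounts in one day")
        if reasons:
            alerts.append((c.account, c.actor, reasons))
    return alerts

# Constructed sample events (not from the article): one routine change by a manager,
# then a burst of New Year's Day changes made under a teller's login.
SAMPLE = [
    LimitChange(datetime(2020, 12, 30, 10, 0), "mgr01", "branch_manager", "ACC-100", 2000, 3000),
    LimitChange(datetime(2021, 1, 1, 2, 5), "teller17", "teller", "ACC-201", 2000, 500000),
    LimitChange(datetime(2021, 1, 1, 2, 7), "teller17", "teller", "ACC-202", 2000, 500000),
    LimitChange(datetime(2021, 1, 1, 2, 9), "teller17", "teller", "ACC-203", 2000, 500000),
]

if __name__ == "__main__":
    for account, actor, reasons in review_limit_changes(SAMPLE):
        print(account, actor, "; ".join(reasons))
```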
As of the time of writing, the home page of the bank’s site had nothing listed under its “headlines” section except for the sad, lonely number “1” in red, with no corresponding headline whatsoever, never mind one that might inform visitors about this massive robbery.
Nobody expects full details while an investigation is under way, but this lack of acknowledgement is a little baffling.
It’s also a little ironic, given that the bank’s got an entire section devoted to online security advice.
While none of the bank’s 4 million customers’ accounts have been breached this time around, as bank officials assured Times Live reporters, that’s truly cold comfort. Why would customers trust a bank to keep their accounts safe when that bank is vulnerable to a cyber robbery of this magnitude?
It’s not hard to imagine how such a robbery would shake any business to its core.
Unfortunately, the lack of a simple message to inform site visitors about the incident and the ongoing investigation is easy to read as an indication of the bank’s lack of security and disaster response preparedness.
There’s something about it that’s reminiscent of a fish, on a beach, surprised, gasping, helpless.
Times Live reports that the three-day heist comes as Postbank seeks to become a separate entity and obtain a full banking licence from South Africa’s Reserve Bank, allowing it to compete with commercial banks while remaining state-owned.
Let’s hope that before it goes any further in that quest, the bank makes it a priority to tighten up its network, its intrusion detection system, and its disaster response protocol.
How can you manage to get $6.7M out of teller machines over a 3-day period? Must have been a lot of machines accessed, since they have a limited amount of storage space for cash, right?
The lack of posting of the breach/theft on its website along with the "poor security profile" comment by the IT/bank security expert brings to mind an article by David Lacey. (Time to come clean about the state of our security; http://bit.ly/yzWhQ4)
Essentially, corporate security is so ineffective that it's a question of not IF but WHEN an attack will come. Coupled with this reality being kept from executive boards, it's an ostrich's head in the sand attitude that delays solving the problem. Acknowledging the true severity of the cyber-criminal world being ahead of security protections is needed to really spur creative solution creation.
Time to tell it like it is about the inadequacy of current threat prevention efforts.
The problem is that every entity in South Africa, from government to the guy who services your car, has all customer details for tax law reasons, from credit history to what lavatory paper one uses. By breaking into any institution the criminal has the profiles to commit fraud. Another is that all a criminal has to do is hold up some A hole in the government-run credit bureau and he gains access to the whole of SA.