Fraud has led to a loss of more than USD 3.2 million for Postbank, the banking division of South Africa’s post office. As a result, the bank has to replace more than 12 million customer cards, because employees printed and stole its master key.

The news broke when the Sunday Times of South Africa reported on the incident, which took place in December 2018, when someone printed the bank’s master key on paper at its old data center in Pretoria.

Citing an internal security audit it obtained from a source in the bank, the newspaper said the bank suspects that employees were behind the breach.

The master key, a 36-digit encryption key, allows its holder to decrypt the bank’s operations and to access and modify the banking systems. It is also used to generate keys for customer cards.

Between March and December 2019, the rogue employees used the master key to access accounts and carried out more than 25,000 fraudulent transactions, stealing more than USD 3.2 million from customer balances.

Following the incident, all customer cards that were generated with the master key need to be replaced, which would cost Postbank more than USD 58 million. This covers regular payment cards as well as the cards used by beneficiaries to receive social benefits from the government. The Sunday Times said that about eight to ten million of the cards were for receiving social grants, and that was where most of the fraudulent operations took place.

Inappropriate internal security procedures

A security researcher who runs Bank Security, a Twitter account dedicated to banking fraud, said in an interview, “According to the report, it seems that corrupt employees have had access to the Host Master Key (HMK) or lower-level keys.”

“The HMK is the key that protects all the keys, which, in a mainframe architecture, could access the ATM PINs, home banking access codes, customer data, credit cards, etc.,” the researcher said. Access to these types of data depends on how the architecture, servers, and databases are configured. The key is then used by the mainframes or servers, which have access to the various internal applications and databases that store customer data.

“The way in which this key and all the other lower-level keys are exchanged with third-party systems has different implementations that vary from bank to bank,” the researcher said.

The Postbank incident is one of a kind: a master key is a bank’s most important secret, is guarded accordingly, and is very rarely compromised, let alone stolen outright.

“Generally, by best practice, the HMK key is managed on dedicated servers (with dedicated OS) and is highly protected from physical access (multiple simultaneous badge access and restricted/separated data center),” Bank Security said. “Furthermore, a single person does not have access to the entire key, but it is divided between various reliable managers or VIPs, and can only be reconstructed if everyone is corrupt.”

“Generally, the people and the key are changed periodically precisely to avoid this type of fraud or problem, as in the case of Postbank,” the researcher said. “As far as I know, the management of these keys is left to the individual banks, and the internal processes that regulate the periodic change and security are decided by the individual bank and not by a defined regulation,” he added.
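
The split-knowledge practice the researcher describes, where each custodian holds one component and the key exists only when all of them are combined, can be sketched as follows. This is an added example, not code from Postbank or from the article; the XOR component scheme, the 16-byte constructed key and all function names are assumptions chosen for illustration.

```python
from __future__ import annotations

import hmac
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split key into one component per custodian (all are needed to rebuild it)."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # n-1 components are pure randomness; the last one ties them to the key.
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    components.append(reduce(xor_bytes, components, key))
    return components


def combine(components: list[bytes]) -> bytes:
    """Rebuild the key; only correct when every component is present."""
    return reduce(xor_bytes, components)


def missing_component_for(partial: list[bytes], candidate_key: bytes) -> bytes:
    """Component that would make an incomplete set combine to candidate_key.

    One exists for every candidate, so custodians who pool all but one
    component cannot rule out any key value.
    """
    return reduce(xor_bytes, partial, candidate_key)


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(16)      # constructed sample key, not a real HMK
    components = split_key(key, 3)     # three hypothetical custodians
    partial = components[:2]           # two of the three collude
    decoy = secrets.token_bytes(16)    # an arbitrary wrong guess at the key
    fits = combine(partial + [missing_component_for(partial, decoy)])
    return {
        "recovered": hmac.compare_digest(combine(components), key),
        "decoy_fits": hmac.compare_digest(fits, decoy),
    }


if __name__ == "__main__":
    print(demo())
```

The scheme only protects the key while the components stay apart, which is why printing the assembled key in one place removes the control entirely.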