Postbank replaces 12m cards after employees steal master key
Postbank, the banking division of South Africa’s Post Office, has had to replace more than 12 million of its customers’ cards after a group of its employees printed and then stole its master key, the Sunday Times of South Africa reports.
The employees stole the bank’s master key back in December 2018, printing it on a piece of paper at its old data centre in the country’s capital, Pretoria.
According to an internal security audit at Postbank which was leaked to the Sunday Times, the rogue employees used it between March and December 2019 to access accounts and make more than 25,000 fraudulent transactions.
The master key – a 36-digit code – allows the holder to decrypt the bank’s operations, modify the bank’s systems, and generate codes for customer cards.
The bank will have to replace all customer cards which have been generated with the hijacked master key. Customers have lost around $3.2 million in fraudulent transactions, and the bank believes replacing the cards will cost it around $58 million.
Normal payment cards were affected, as well as government social benefit cards which make up 8-10 million of the cards to be replaced.
“A single person does not have access to the entire key but it is divided between various reliable managers or VIPs, and the key can only be reconstructed if everyone is corrupt,” a security researcher at Bank Security told ZDNet, highlighting the rare incident in which a master key can in fact be stolen.
In February 2020, fellow South African bank Nedbank also revealed it had suffered a security breach. Hackers breached a third-party service provider to steal the information of more than 1.7 million of its customers.
Seriously, no use of HSM in this context?
That’s a joke.