Massive South African credit card leak

Joined
Dec 7, 2010
Messages
78,906
Nope. They use the SWIFT standard/format. They do not use the SWIFT network for SAMOS settlements.

All settlements to SAMOS go via Bankserv.

https://www.bis.org/cpmi/publ/d105_za.pdf (page 387)

Bankserv is classified as a payment clearing house (page 381)

Bankserv is an ACH (Automated Clearing House) or PCH SO (System Operator). A PCH is a payment-stream user group that banks need to belong to in order to process interbank payments through a specific payment stream.

SAMOS - South African Multiple Option Settlement system is SARB's system used to effect interbank settlement. Bankserv submits interbank gross settlement figures to SAMOS via the SWIFT network and uses MT298 (settlement instructions) message type transactions... SARB/SAMOS then calculate the NET settlement figures between the different settlement participants to effect the settlement on the different banks' SARB accounts.

I'll give you three guesses where I worked, and which system I maintained and eventually redesigned and rewrote around 2007/8... and the first two guesses don't count. ;)
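The post above describes Bankserv submitting gross interbank figures and SARB/SAMOS reducing them to net positions before settling across the banks' SARB accounts. The following is an added example, not code from the thread or from Bankserv/SARB: it takes a constructed list of gross bilateral obligations (placeholder bank names and amounts) and computes both bilateral and multilateral net positions, with a check that the multilateral positions balance to zero, which is the invariant a settlement operator would verify before posting.

```python
# Added example (not from the thread): netting constructed gross interbank
# obligations the way the post attributes to SARB/SAMOS. Bank names and amounts
# are placeholders, not real settlement figures.
from collections import defaultdict

# Constructed sample: (payer_bank, payee_bank, gross_amount) for one settlement window.
GROSS_OBLIGATIONS = [
    ("BankA", "BankB", 120.0),
    ("BankB", "BankA", 80.0),
    ("BankA", "BankC", 50.0),
    ("BankC", "BankB", 30.0),
    ("BankB", "BankC", 10.0),
]


def gross_total(obligations):
    """Total value that would move if every obligation settled individually."""
    return sum(amount for _, _, amount in obligations)


def bilateral_net(obligations):
    """Net each pair of banks against each other.

    Returns {(payer, payee): amount} with only one direction per pair.
    """
    pair_totals = defaultdict(float)
    for payer, payee, amount in obligations:
        if amount <= 0:
            raise ValueError("gross amounts must be positive")
        key = tuple(sorted((payer, payee)))
        # Positive means key[0] owes key[1]; negative means the reverse.
        sign = 1.0 if payer == key[0] else -1.0
        pair_totals[key] += sign * amount
    result = {}
    for (a, b), net in pair_totals.items():
        if net > 0:
            result[(a, b)] = net
        elif net < 0:
            result[(b, a)] = -net
    return result


def multilateral_net(obligations):
    """Net position per participant across all counterparties.

    Negative = that bank pays into settlement; positive = it receives.
    """
    positions = defaultdict(float)
    for payer, payee, amount in obligations:
        positions[payer] -= amount
        positions[payee] += amount
    return dict(positions)


def check_balanced(positions, tolerance=1e-9):
    """A consistent multilateral net must sum to zero: every rand paid in is paid out."""
    return abs(sum(positions.values())) < tolerance


if __name__ == "__main__":
    positions = multilateral_net(GROSS_OBLIGATIONS)
    print("gross:", gross_total(GROSS_OBLIGATIONS))
    print("bilateral:", bilateral_net(GROSS_OBLIGATIONS))
    print("multilateral:", positions, "balanced:", check_balanced(positions))
```

On the constructed figures, 290 of gross value settles as 110 bilaterally and as 90 multilaterally (BankA pays 90, BankB receives 60, BankC receives 30), which is why operators prefer the net figures; the balance check is the minimum reconciliation a defender would want before any instruction is released.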
 

mith

Senior Member
Joined
Feb 9, 2010
Messages
944
Perhaps that is what they took advantage of. The bank would be taking down most of its banking systems and perhaps some of the fraud detection systems went down early on Saturday night to prepare for the maintenance window.

This all reeks of an insider job.

um...the fraud happened on 15 May.
 

ScrnScrm

Expert Member
Joined
Mar 18, 2005
Messages
1,230
Bankserv submits interbank gross settlement figures to SAMOS via the SWIFT network and uses MT298 (settlement instructions) message type transactions...

Last I checked (which admittedly was a while ago as I have left SA), the MT298 files were being sent directly from Bankserv to SAMOS and no longer via SWIFT. All the institutions I consulted at were actively trying to remove their dependence on SWIFT. Not sure what the current posture is in SA, but I can comment that in Europe SWIFT is now used as last viable path (at least everywhere that I have worked so far).

I'll give you three guesses where I worked, and which system I maintained and eventually redesigned and rewrote around 2007/8... and the first two guesses don't count. ;)

I know exactly who you are and where you worked :D :D

Thanks for the info.
 
Joined
Dec 7, 2010
Messages
78,906
Last I checked (which admittedly was a while ago as I have left SA), the MT298 files were being sent directly from Bankserv to SAMOS and no longer via SWIFT. All the institutions I consulted at were actively trying to remove their dependence on SWIFT. Not sure what the current posture is in SA, but I can comment that in Europe SWIFT is now used as last viable path (at least everywhere that I have worked so far).

It is sent from Bankserv to SAMOS, but using the SWIFT network.

I know exactly who you are and where you worked :D :D

Thanks for the info.

:D well then it's not as if I'm anonymous lol
So do I know you? :p
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
TBH - I worked across most major banks right from the beginning of assembler/COBOL days all the way into the days of internet banking (I still remember the SBSA MD's response when we showed him a web page rendered via the mainframe and his comment was "bah... the internet is just a fluke, don't waste your time on it" --- that was in 1999) and every single one has security holes all over the place.

I think everyone on this forum working for financial institutions can agree on how carelessly production data is rolled into staging environments and how poor branch security is (i.e. ATMs sharing the same network as other terminals). With one bank (not SBSA) it is possible to just plug any network device into the LAN and you get an IP and are on the network - a true beauty, considering that their store-and-forward records are sitting on the branch server in unencrypted form. In-branch security is generally lax and it gets worse at head office.

I would guess with SBSA a file to pre-load cards was shipped around the network / via email and conveniently got dumped to Asia. Nothing unusual - similar things happened to 2 other banks last year and if you work in the industry you will know about it.

Having seen how other banks safeguard their infrastructure, I must honestly say that I feel the most comfortable with SBSA. I know of 3 similarly large incidents with other banks in the last 3 years and none of them made headlines as they managed to keep it internal.
 

ScrnScrm

Expert Member
Joined
Mar 18, 2005
Messages
1,230
I know of 3 similarly large incidents with other banks in the last 3 years and none of them made headlines as they managed to keep it internal.

^^^^^^ Yup. Spot on. Like a very recent event where one of the banks paid out huge bucks for ransomware on their network. They covered it up because they didn't want it detracting from their recent "best bank" blah blah blah awards.
 

zippy

Honorary Master
Joined
May 31, 2005
Messages
10,060
This is bad. First a huge leak and now a massive leak. Or was the massive leak before the huge leak ? Same bank.....
 

Beachless

Executive Member
Joined
Oct 6, 2010
Messages
6,003

It's really surprising that we don't have more problems, and the issues run across most industries. The fact that real customer data is available in dev environments and lax security on networks is not news to most. PS it's still COBOL days when it comes to banks :whistling:
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
76,696
How is it possible for the bank to lose 300m and no loss to clients? Was that spare change lying around?

The bank owes it to MasterCard. Withdrawals authorized by MasterCard against cards created against fraudulent accounts via standard bank, at a guess.
 

Arthur

Honorary Master
Joined
Aug 7, 2003
Messages
25,569
I was curious why this happened in Japan. And then ran across this comment by a reader on a UK site:

"Disaster Waiting to happen

The Japanese banks still live in the 1980's and for the most part so does their IT infrastructure.

In many cases Japanese can only withdraw from their own bank ATMs, and foreign-issued cards are only accepted in a few places (like 7/11 convenience stores).

Add to that that most ATMs are not EMV enabled (hello magstripe) and that a good number of transactions are done "offline" or in "batch mode" (transaction is cleared with the issuer some time after the withdrawal).... and you have a nice recipe for a major con exercise like this !

Maybe this will (at long last) kick the Japanese bankers enough where it hurts for things to change..."

The Malaysian scammers clearly know enough about banking in SA and Japan to choose their targets.
 

BlindMelonChitlin

Expert Member
Joined
Nov 3, 2015
Messages
1,334
I was curious why this happened in Japan. And then ran across this comment by a reader on a UK site:

"Disaster Waiting to happen

The Japanese banks still live in the 1980's and for the most part so does their IT infrastructure.

In many cases Japanese can only withdraw from their own bank ATMs, and foreign-issued cards are only accepted in a few places (like 7/11 convenience stores).

Add to that that most ATMs are not EMV enabled (hello magstripe) and that a good number of transactions are done "offline" or in "batch mode" (transaction is cleared with the issuer some time after the withdrawal).... and you have a nice recipe for a major con exercise like this !

Maybe this will (at long last) kick the Japanese bankers enough where it hurts for things to change..."

The Malaysian scammers clearly know enough about banking in SA and Japan to choose their targets.
Interesting, but how does that equate to a South African bank losing out?
 

Saba'a

Executive Member
Joined
May 21, 2009
Messages
6,296
How do banks honour a withdrawal "using a small number of fictitious cards" without checking the balance of those cards? Surely fictitious cards don't have credit?

I'm sure I saw notice of a planned Standard Bank maintenance window this weekend. Was it related or the window of opportunity?
Forever offline over weekends during shopping time.
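The quoted UK comment earlier in the thread says many of the ATMs involved clear transactions "offline" or in "batch mode", and the question above asks how a withdrawal can be honoured without checking the card's balance. The following is an added example, not code from the thread or from any bank or scheme: it models the two halves of that flow with constructed data. The ATM side approves against a local per-transaction ceiling only (the floor limit and its value are assumptions), and the issuer sees the batch afterwards, when the cash has already been dispensed, so the issuer can only post, flag or reject, not prevent. A per-card velocity count over the batch is included as the kind of after-the-fact detection a defender would run on such a file.

```python
# Added example (not from the thread): simplified offline/batch ATM clearing.
# All PANs, balances, limits and terminal names are constructed placeholders.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Withdrawal:
    pan: str        # card number; constructed, not a real PAN
    amount: float
    terminal: str


# Constructed issuer ledger: PAN -> available balance. Absent PANs do not exist.
ISSUER_ACCOUNTS = {"4000000000000001": 500.0, "4000000000000002": 50.0}

# Assumed stand-in ceiling applied locally when the ATM cannot reach the issuer.
OFFLINE_FLOOR_LIMIT = 100.0


def offline_authorise(w):
    """ATM-side decision with no issuer contact: only local rules apply.

    Returns True if cash is dispensed. Balance and even card existence are unknown here.
    """
    return w.amount <= OFFLINE_FLOOR_LIMIT


def clear_batch(withdrawals, accounts):
    """Issuer processes the batch later. Every record here was already paid out."""
    balances = dict(accounts)
    unmatched = []    # records for PANs the issuer has no account for
    overdrawn = []    # PANs whose cleared withdrawals exceeded their balance
    for w in withdrawals:
        if w.pan not in balances:
            unmatched.append(w)
            continue
        balances[w.pan] -= w.amount
        if balances[w.pan] < 0 and w.pan not in overdrawn:
            overdrawn.append(w.pan)
    # Exposure = cash paid on non-existent cards + cash paid beyond real balances.
    exposure = sum(w.amount for w in unmatched) + sum(-v for v in balances.values() if v < 0)
    return {"balances": balances, "unmatched": unmatched,
            "overdrawn": overdrawn, "exposure": exposure}


def flag_velocity(withdrawals, max_per_pan):
    """Batch-level detection: PANs seen more than max_per_pan times in one window.

    A few cards used at many terminals is the pattern the thread describes.
    """
    counts = Counter(w.pan for w in withdrawals)
    return sorted(pan for pan, n in counts.items() if n > max_per_pan)


def run_window(withdrawals, accounts):
    """Dispense offline, then clear the batch as the issuer would see it."""
    dispensed = [w for w in withdrawals if offline_authorise(w)]
    return clear_batch(dispensed, accounts)


# Constructed batch: one real card withdrawn past its balance, one card that does
# not exist at all, and one request above the floor limit that the ATM declines.
SAMPLE_BATCH = [
    Withdrawal("4000000000000002", 90.0, "ATM-01"),
    Withdrawal("4000000000000002", 90.0, "ATM-02"),
    Withdrawal("9999000000000000", 100.0, "ATM-03"),
    Withdrawal("9999000000000000", 100.0, "ATM-04"),
    Withdrawal("4000000000000001", 400.0, "ATM-05"),
]

if __name__ == "__main__":
    result = run_window(SAMPLE_BATCH, ISSUER_ACCOUNTS)
    print("exposure discovered at clearing:", result["exposure"])
    print("unknown PANs:", sorted({w.pan for w in result["unmatched"]}))
    print("overdrawn:", result["overdrawn"])
    print("velocity flags:", flag_velocity(SAMPLE_BATCH, max_per_pan=1))
```

On the constructed batch the 400 request is the only one stopped, and it is stopped by the ATM, not the issuer; the other four are paid out, and the issuer learns at clearing that two of them were on a card it never issued and two overdrew a real card, an exposure of 330 that is discovered, not prevented. That is the answer to the question above: in offline mode there is no balance check at the moment of withdrawal, which is why the velocity count over the batch file is the earliest point a defender can raise the alarm.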
 

ActivateD

Expert Member
Joined
Jun 7, 2004
Messages
1,581
With one bank (not SBSA) it is possible to just plug any network device into the LAN and you get an IP and are on the network - a true beauty, considering that their store-and-forward records are sitting on the branch server in unencrypted form. In-branch security is generally lax and it gets worse at head office.

Hehehe I think I know this bank.
 

Saba'a

Executive Member
Joined
May 21, 2009
Messages
6,296
To be fair the ATMs seem correct when you check, but checking online you can't even get any info sometimes.
 