Massive South African credit card leak

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Since it sounds as if no customer is affected by this, it really sounds as if someone within the bank was "rather lax" when it comes to track2 data and probably dumped a file with it for the attackers to then write out to cards they could use. When the "attack" happened in Japan it was between 5am and 8am in the morning and, as far as I understand, it was also a banking holiday in Japan. Those convenience store ATMs allow up to 900USD per withdrawal and seem to have no hot-carding functionality, and their switching infrastructure does not process in real-time (similar to most Mediterranean countries).

Track2 makes the most sense to me and it could be quite easy to have a pre-provisioning file go missing and 1600 cards would not be noticed for quite some time. You will probably find that similar attacks happened elsewhere, but the bank is not quite aware of it yet.

I also think that countries like Japan have never been exposed to fraud and banks seem to be more trusting which is obviously a huge mistake.

Something which has not been mentioned before: Although SBSA has seemingly shown negligence in leaking (either not securing the information allowing the creation of cards properly or an inside fraudulent job) it could also be argued that the Japanese bank(s) are at fault for allowing transactions of such volume. I have not seen concrete evidence (or missed it) which details which issuer is affected (my bet is on Visa).

What you might not know and which has not been mentioned anywhere is that Seven Bank in Japan (they provide ATM services to some 20,000 7-eleven stores in Japan) never had a good history with security. Last year for example Seven Bank was hit with a DDoS and although they denied that data was compromised, data was certainly leaked on the dark net days later.

Where I think Seven Bank will have accountability is when you think that 100 individuals used 1600 forged cards to make about 14,000 withdrawals at 1,400 ATMs. So 1 individual would have to hit 14 ATMs with 14-16 cards - quite achievable in a time-frame of 2-3 hours, but surely Seven Bank's fraud system should have kicked in due to velocity tests of a huge number of foreign withdrawals - a pattern which would have been very visible from standard behaviour.

Either Seven Bank has no fraud detection or, when the red lights went off, no-one was in the office (due to the bank holiday) - either way, I think SBSA has a good case to shift liability via the issuer. Most banks are covered through insurance anyhow.
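The velocity test described above (a burst of withdrawals on foreign-issued cards across many ATMs in a short window), as an added example of the kind of check an ATM acquirer could run over its own withdrawal log. This is not Seven Bank's or SBSA's code: the log lines, the BIN-to-country table, the thresholds and the CSV field layout are all constructed for illustration.

```python
# Added example (not any bank's code): two velocity checks an ATM acquirer
# could run over its withdrawal log. Log lines, BIN-to-country table,
# thresholds and field layout are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical issuing-country lookup keyed by the first six PAN digits (BIN).
# These are constructed values, not real BIN assignments.
BIN_COUNTRY = {"400001": "ZA", "510002": "JP"}
HOME_COUNTRY = "JP"

# Constructed withdrawal log: timestamp, ATM id, masked PAN, amount (JPY).
SAMPLE_LOG = """\
2016-01-10T05:05:00,ATM-101,400001******0001,100000
2016-01-10T05:12:00,ATM-102,400001******0001,100000
2016-01-10T05:20:00,ATM-103,400001******0001,100000
2016-01-10T05:31:00,ATM-104,400001******0001,100000
2016-01-10T05:40:00,ATM-105,400001******0002,100000
2016-01-10T05:45:00,ATM-105,400001******0003,100000
2016-01-10T05:50:00,ATM-106,510002******0009,20000
2016-01-10T09:10:00,ATM-107,400001******0004,30000"""


def parse_log(text):
    """Parse the constructed CSV layout into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        ts, atm, pan, amount = line.strip().split(",")
        records.append({"ts": datetime.fromisoformat(ts), "atm": atm,
                        "pan": pan, "amount": int(amount)})
    return sorted(records, key=lambda r: r["ts"])


def issuing_country(pan):
    """Unknown BINs are treated as foreign, which errs on the side of alerting."""
    return BIN_COUNTRY.get(pan[:6], "unknown")


def card_velocity_alerts(records, window=timedelta(hours=1),
                         max_withdrawals=3, max_atms=2):
    """Per-card check: too many withdrawals, or too many distinct ATMs,
    inside a sliding time window. Returns the set of flagged PANs."""
    recent = defaultdict(deque)   # pan -> records still inside the window
    flagged = set()
    for r in records:
        q = recent[r["pan"]]
        q.append(r)
        while r["ts"] - q[0]["ts"] > window:   # q is never empty here
            q.popleft()
        if len(q) > max_withdrawals or len({x["atm"] for x in q}) > max_atms:
            flagged.add(r["pan"])
    return flagged


def foreign_volume_alerts(records, baseline_per_hour=1, multiplier=5):
    """Fleet-wide check: hours in which withdrawals on foreign-issued cards
    exceed multiplier x the (assumed) normal hourly baseline."""
    per_hour = defaultdict(int)
    for r in records:
        if issuing_country(r["pan"]) != HOME_COUNTRY:
            per_hour[r["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return sorted(h.isoformat() for h, n in per_hour.items()
                  if n > baseline_per_hour * multiplier)


def run_sample():
    """Run both checks over the constructed log."""
    records = parse_log(SAMPLE_LOG)
    return card_velocity_alerts(records), foreign_volume_alerts(records)


if __name__ == "__main__":
    cards, hours = run_sample()
    print("cards over velocity limit:", sorted(cards))
    print("hours with abnormal foreign volume:", hours)
```

The two checks are deliberately independent: the per-card window catches one card being walked from ATM to ATM, while the hourly foreign-volume count catches many distinct cards being used once each, which a per-card rule alone would miss. Both only need data the acquirer already has, so neither depends on the issuer responding.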
 
Joined
Dec 7, 2010
Messages
78,906
> Since it sounds as if no customer is affected by this, it really sounds as if someone within the bank was "rather lax" when it comes to track2 data and probably dumped a file with it for the attackers to then write out to cards they could use. When the "attack" happened in Japan it was between 5am and 8am in the morning and, as far as I understand, it was also a banking holiday in Japan. Those convenience store ATMs allow up to 900USD per withdrawal and seem to have no hot-carding functionality, and their switching infrastructure does not process in real-time (similar to most Mediterranean countries).
>
> Track2 makes the most sense to me and it could be quite easy to have a pre-provisioning file go missing and 1600 cards would not be noticed for quite some time. You will probably find that similar attacks happened elsewhere, but the bank is not quite aware of it yet.
>
> I also think that countries like Japan have never been exposed to fraud and banks seem to be more trusting which is obviously a huge mistake.
>
> Something which has not been mentioned before: Although SBSA has seemingly shown negligence in leaking (either not securing the information allowing the creation of cards properly or an inside fraudulent job) it could also be argued that the Japanese bank(s) are at fault for allowing transactions of such volume. I have not seen concrete evidence (or missed it) which details which issuer is affected (my bet is on Visa).
>
> What you might not know and which has not been mentioned anywhere is that Seven Bank in Japan (they provide ATM services to some 20,000 7-eleven stores in Japan) never had a good history with security. Last year for example Seven Bank was hit with a DDoS and although they denied that data was compromised, data was certainly leaked on the dark net days later.
>
> Where I think Seven Bank will have accountability is when you think that 100 individuals used 1600 forged cards to make about 14,000 withdrawals at 1,400 ATMs. So 1 individual would have to hit 14 ATMs with 14-16 cards - quite achievable in a time-frame of 2-3 hours, but surely Seven Bank's fraud system should have kicked in due to velocity tests of a huge number of foreign withdrawals - a pattern which would have been very visible from standard behaviour.
>
> Either Seven Bank has no fraud detection or, when the red lights went off, no-one was in the office (due to the bank holiday) - either way, I think SBSA has a good case to shift liability via the issuer. Most banks are covered through insurance anyhow.

What I don't understand is how offline withdrawals (if that is the scenario) even happened? What was the average transaction value of these withdrawals, surely not under the floor limit, right?
 

garp

Executive Member
Joined
Aug 2, 2004
Messages
9,050
Mildly ironic that the country that produced (but not necessarily designed) the most advanced electronic components on the planet has such backward ATMs.
 

Arthur

Honorary Master
Joined
Aug 7, 2003
Messages
25,807
> Mildly ironic that the country that produced (but not necessarily designed) the most advanced electronic components on the planet has such backward ATMs.
Very many Japanese still use savings books. And most ATMs in Japan have savings book readers, just like pre-ABSA UBS had in the 1970s.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
> What I don't understand is how offline withdrawals (if that is the scenario) even happened? What was the average transaction value of these withdrawals, surely not under the floor limit, right?

The limit is 100,000 Yen (a bit over USD 900) per transaction. I don't think those were off-line transactions though. You will probably find that they had to hit that many ATMs due to a possible ATM limit (either available cash in the machine or a hard limit on how much could be withdrawn per day)?
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
77,164
Floor limits are an interesting one.

I thought they were set at vendor level and normally around R200... however one of my cards seems to frequently not dial through for amounts under about R2k.
Is there a card floor limit coded onto the card?
 
Joined
Dec 7, 2010
Messages
78,906
> The limit is 100,000 Yen (a bit over USD 900) per transaction. I don't think those were off-line transactions though.

So why do people mention maintenance windows as a possible cause?

How will the bank shift liability to the Japanese if they authorised those transactions themselves?
 
Joined
Dec 7, 2010
Messages
78,906
> Floor limits are an interesting one.
>
> I thought they were set at vendor level and normally around R200... however one of my cards seems to frequently not dial through for amounts under about R2k.
> Is there a card floor limit coded onto the card?

I'm not sure... I'll ask the card people around here.
 

kolaval

Executive Member
Joined
May 13, 2011
Messages
6,759
Ironically got this SMS just now:

"Standard Bank: Notification of pricing changes with effect from 6 May 2016 in accordance with the National Credit Act. Visit our website for more details."
 

Arthur

Honorary Master
Joined
Aug 7, 2003
Messages
25,807
I'm also curious about the Malaysian connection. Seems to be quite a hub for global card frauds.
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
12,106
Every time I am overseas I have to notify the bank that I will be making withdrawals from an ATM in a foreign country, otherwise it stops the transaction and tells me to contact the bank. This has been with every bank in SA so far.

Did the bank make this up to steal cash? Surely there is an inside man that enabled this to happen. I wonder who will be going to Japan soon for 'diplomatic' reasons.

This doesn't add up.

I buy all types of rubbish online, I bought Windows 10 online from Microsoft the other day and the bank was all over me, fraud! fraud! So funny. Then when I report something as fraud it's a "not our problem" type of attitude I get, have to land on the sun at night to get someone to investigate.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Remember that those cards are not linked to any customer. They are probably "pre-loaded" and linked to some generic suspense account. From the Visa/Mastercard side of things they are fully provisioned. As far as I know, Japan banks do not use EMV/Chip&PIN/3d-secure so those cards would have not even needed to be authenticated via the issuer or something like BankServ.

You will probably find that Seven Bank did an automatic auth/accept on the card and this would then certainly shift liability. There is no doubt that SBSA is at fault as well but like in most cases this information will hardly ever be accurately made public (such as the case of another bank dumping a good 30,000 card numbers two years ago or a payment gateway dropping a ton of ABSA cards).

I wonder how PCI will fare for SBSA in this scenario (and obviously the wrath of the card-issuers).
 
Joined
Dec 7, 2010
Messages
78,906
> Remember that those cards are not linked to any customer. They are probably "pre-loaded" and linked to some generic suspense account. From the Visa/Mastercard side of things they are fully provisioned. As far as I know, Japan banks do not use EMV/Chip&PIN/3d-secure so those cards would have not even needed to be authenticated via the issuer or something like BankServ.
>
> You will probably find that Seven Bank did an automatic auth/accept on the card and this would then certainly shift liability. There is no doubt that SBSA is at fault as well but like in most cases this information will hardly ever be accurately made public (such as the case of another bank dumping a good 30,000 card numbers two years ago or a payment gateway dropping a ton of ABSA cards).
>
> I wonder how PCI will fare for SBSA in this scenario (and obviously the wrath of the card-issuers).

Bankserv does not do stand-in or authorisation of any kind as far as I know. And if the transactions don't have a bank auth ID, then Standard Bank can definitely shift liability to Seven Bank.

'Bank' and 'PCI' cannot be used in the same sentence :D :D
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
12,106
> Remember that those cards are not linked to any customer. They are probably "pre-loaded" and linked to some generic suspense account. From the Visa/Mastercard side of things they are fully provisioned. As far as I know, Japan banks do not use EMV/Chip&PIN/3d-secure so those cards would have not even needed to be authenticated via the issuer or something like BankServ.
>
> You will probably find that Seven Bank did an automatic auth/accept on the card and this would then certainly shift liability. There is no doubt that SBSA is at fault as well but like in most cases this information will hardly ever be accurately made public (such as the case of another bank dumping a good 30,000 card numbers two years ago or a payment gateway dropping a ton of ABSA cards).
>
> I wonder how PCI will fare for SBSA in this scenario (and obviously the wrath of the card-issuers).

Are you talking about those travel cards you can apply for at the bank? You need an account with the bank to get one.
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
12,106
South Africa is so tight about foreign currency and taking money out of the country lately, it's really hard to believe this is just a foreign cybercrime.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
> Bankserv does not do stand-in or authorisation of any kind as far as I know. And if the transactions don't have a bank auth ID, then Standard Bank can definitely shift liability to Seven Bank.
>
> 'Bank' and 'PCI' cannot be used in the same sentence :D :D

Let's step back on how an ATM works: In the simplest terms an ATM will connect to a host-processor which is either bank-owned (i.e. only supports bank-owned machines) or an independent processor which supports merchant-owned machines.

When you authenticate your card on an ATM, the machine forwards the information to the host-processor (Seven Bank) which in turn routes the transaction to the cardholder's bank (SBSA) or the institution that issued the card (most likely Visa IMO). Typically the host-processor will instruct that a funds transfer take place from the customer's bank account to the host-processor's account. Once the funds are transferred, the host-processor sends an approval message to the ATM authorising the machine to dispense cash.

Based on the above:
1) Seven Bank never forwarded requests to SBSA. This can be because:
- They worked in "offline mode" and the transaction limit was not reached
- The SBSA cards are marked as "do not authenticate" (this happens in the 3d-secure world with Visa / Mastercard where it skips 3d secure automatically)
- They generally messed up

2) SBSA received the auth request and did not validate:
- If this is the case then either the card numbers were set to bypass fraud-checks (if this was done manually, a big issue, as their internal audit did not pick it up) or their processes are flawed (i.e. track2 information available in unencrypted format and readily usable)

3) SBSA received the auth and accepted
- Very strange as this would then have been linked to an account?
 
Joined
Dec 7, 2010
Messages
78,906
> Let's step back on how an ATM works: In the simplest terms an ATM will connect to a host-processor which is either bank-owned (i.e. only supports bank-owned machines) or an independent processor which supports merchant-owned machines.
>
> When you authenticate your card on an ATM, the machine forwards the information to the host-processor (Seven Bank) which in turn routes the transaction to the cardholder's bank (SBSA) or the institution that issued the card (most likely Visa IMO). Typically the host-processor will instruct that a funds transfer take place from the customer's bank account to the host-processor's account. Once the funds are transferred, the host-processor sends an approval message to the ATM authorising the machine to dispense cash.

huh? no.

It'll go like this: ATM->Acquiring Bank(Seven Bank)->IssuerSwitch(Visa/MasterCard)->Issuer(Standard Bank)->reserve funds

the reserved funds will be settled via Visa or MasterCard at the end of the day. There is no movement of funds while the transaction is being performed.

> Based on the above:
> 1) Seven Bank never forwarded requests to SBSA. This can be because:
> - They worked in "offline mode" and the transaction limit was not reached
> - The SBSA cards are marked as "do not authenticate" (this happens in the 3d-secure world with Visa / Mastercard where it skips 3d secure automatically)
> - They generally messed up
>
> 2) SBSA received the auth request and did not validate:
> - If this is the case then either the card numbers were set to bypass fraud-checks (if this was done manually, a big issue, as their internal audit did not pick it up) or their processes are flawed (i.e. track2 information available in unencrypted format and readily usable)
>
> 3) SBSA received the auth and accepted
> - Very strange as this would then have been linked to an account?

Every transaction that a bank authorises gets a BankAuthID. If Standard Bank did not supply this BankAuthID, then they can easily shift liability; if they did, well, it's their own stupid fault.
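The chain this post describes (ATM -> acquiring bank -> scheme switch -> issuer, with funds only reserved at authorisation and settled in a later batch) and the BankAuthID point, as an added toy model. This is not any bank's or card scheme's code: the class names, the BIN routing table, the balances, the `stand_in` flag and the auth ID format are constructed assumptions, and real ISO 8583 messaging carries far more than is modelled here.

```python
# Added example (not any bank's or scheme's code): a toy model of the
# authorisation chain ATM -> acquirer -> scheme switch -> issuer. Funds are
# only reserved at authorisation; settlement happens in a later batch.
# Names, balances, BIN routes and the stand-in flag are constructed.
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass
class AuthRequest:
    pan: str
    amount: int        # constructed units, e.g. JPY
    atm: str
    acquirer: str


@dataclass
class AuthResponse:
    approved: bool
    bank_auth_id: Optional[str]   # present only if the issuer itself approved
    reason: str


class Issuer:
    """Card-issuing bank: checks the card file and reserves funds on approval."""

    def __init__(self, name, balances):
        self.name = name
        self.balances = dict(balances)   # pan -> available balance
        self.reserved = {}               # bank_auth_id -> (pan, amount)
        self._seq = itertools.count(1)

    def authorise(self, req):
        if req.pan not in self.balances:
            return AuthResponse(False, None, "unknown card")
        if self.balances[req.pan] < req.amount:
            return AuthResponse(False, None, "insufficient funds")
        auth_id = f"{self.name}-{next(self._seq):06d}"   # constructed format
        self.balances[req.pan] -= req.amount     # reserve; no money moves yet
        self.reserved[auth_id] = (req.pan, req.amount)
        return AuthResponse(True, auth_id, "issuer approved")


class SchemeSwitch:
    """Routes by BIN to the issuer. With stand_in=True it approves on the
    issuer's behalf, so the response carries no issuer BankAuthID."""

    def __init__(self, routes, stand_in=False):
        self.routes = routes          # bin -> Issuer
        self.stand_in = stand_in
        self.log = []                 # (request, response) pairs

    def route(self, req):
        issuer = self.routes.get(req.pan[:6])
        if issuer is None:
            resp = AuthResponse(False, None, "no route for BIN")
        elif self.stand_in:
            resp = AuthResponse(True, None, "switch stand-in approval")
        else:
            resp = issuer.authorise(req)
        self.log.append((req, resp))
        return resp


def acquirer_dispense(switch, req):
    """The acquirer (ATM owner) dispenses only on an approved response."""
    return switch.route(req).approved


def settle(issuer):
    """End-of-day batch: reserved amounts become amounts owed to acquirers."""
    total = sum(amount for _, amount in issuer.reserved.values())
    issuer.reserved.clear()
    return total


def liability(log):
    """Sum dispensed amounts by who authorised them: the issuer if it returned
    a BankAuthID, otherwise the side that stood in (booked to the acquirer)."""
    out = {"issuer": 0, "acquirer": 0}
    for req, resp in log:
        if resp.approved:
            out["issuer" if resp.bank_auth_id else "acquirer"] += req.amount
    return out


def run_sample():
    """Three constructed requests: normal approval, unknown card, stand-in."""
    sbsa = Issuer("SBSA", {"400001000000001": 300000})   # constructed PAN/balance
    switch = SchemeSwitch({"400001": sbsa})
    ok1 = acquirer_dispense(switch, AuthRequest("400001000000001", 100000, "ATM-101", "SevenBank"))
    ok2 = acquirer_dispense(switch, AuthRequest("400001999999999", 100000, "ATM-102", "SevenBank"))
    switch.stand_in = True        # issuer unreachable: the switch stands in
    ok3 = acquirer_dispense(switch, AuthRequest("400001000000001", 100000, "ATM-103", "SevenBank"))
    return {
        "dispensed": [ok1, ok2, ok3],
        "auth_ids": [resp.bank_auth_id for _, resp in switch.log],
        "liability": liability(switch.log),
        "balance_after_auth": sbsa.balances["400001000000001"],
        "settled": settle(sbsa),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The point the model makes concrete is the one in the post: the issuer's balance moves only as a reservation during the authorisation, the cash owed is totalled at settlement, and whether a given dispensed amount carries an issuer-generated BankAuthID is what the liability split turns on. A stand-in approval dispenses cash just as well, but leaves no issuer auth ID behind.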
 
Joined
Dec 7, 2010
Messages
78,906
> Bankserv does not do stand-in or authorisation of any kind as far as I know. And if the transactions don't have a bank auth ID, then Standard Bank can definitely shift liability to Seven Bank.
>
> 'Bank' and 'PCI' cannot be used in the same sentence :D :D

I stand corrected... they do. But they only see local transactions.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
> I stand corrected... they do. But they only see local transactions.

I could have been wrong here as well. All my banking knowledge dates back to dot-matrix printers, punch cards and I can only assume that most things (such as PASA) stay the same.
 