Massive South African credit card leak

Joined
Dec 7, 2010
Messages
78,906
I could have been wrong here as well. All my banking knowledge dates back to dot-matrix printers, punch cards and I can only assume that most things (such as PASA) stay the same.
:D :D

I had to confirm with my source LOL things changed since I left apparently
 

ld13

Honorary Master
Joined
Oct 28, 2005
Messages
11,921
Ironically got this SMS just now:

"Standard Bank: Notification of pricing changes with effect from 6 May 2016 in accordance with the National Credit Act. Visit our website for more details."
Unrelated and perfectly normal. Saw similar messages from... absa/virgin/nedbank.
 

BlindMelonChitlin

Expert Member
Joined
Nov 3, 2015
Messages
1,334
So help me out - it may have been mentioned, but I don't have the patience to read 9 pages of this thread - how are South African credit cards leaked, but consumers are not affected? Whose credit cards were leaked?
 

whatwhat

Executive Member
Joined
Jun 1, 2009
Messages
6,187
So help me out - it may have been mentioned, but I don't have the patience to read 9 pages of this thread - how are South African credit cards leaked, but consumers are not affected? Whose credit cards were leaked?
Test cards from the sound of it. Cards that are issued for 3rd parties to test integration with.
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
11,120
Test cards from the sound of it. Cards that are issued for 3rd parties to test integration with.
test cards with real currency? :confused:

why on earth.

I suppose it's easier when the money is not really bound to anything but numbers. house of cards imo.
 

BlindMelonChitlin

Expert Member
Joined
Nov 3, 2015
Messages
1,334
Test cards from the sound of it. Cards that are issued for 3rd parties to test integration with.
test cards with real currency? :confused:

why on earth.

I suppose it's easier when the money is not really bound to anything but numbers. house of cards imo.
Right... so test cards linked to real money that doesn't belong to clients... hmm...
Must be all that other stuff the banks sell.
 

whatwhat

Executive Member
Joined
Jun 1, 2009
Messages
6,187
Right... so test cards linked to real money that doesn't belong to clients... hmm...
Must be all that other stuff the banks sell.
Test accounts, or non-real accounts are quite common as these are used for integration testing by the banks and 3rd party companies. These accounts have fake balances, and fake cards attached to them.

It seems that the test cards were activated, so they would work at an ATM. The ATM just saw the balance was available and paid out the cash, without the bank doing a check that the account itself wasn't real.
 

BlindMelonChitlin

Expert Member
Joined
Nov 3, 2015
Messages
1,334
Test accounts, or non-real accounts are quite common as these are used for integration testing by the banks and 3rd party companies. These accounts have fake balances, and fake cards attached to them.

It seems that the test cards were activated, so they would work at an ATM. The ATM just saw the balance was available and paid out the cash, without the bank doing a check that the account itself wasn't real.
Did the ATM dispense fake money? Those balances could not have been fake lol. Surely it would be a totally independent system altogether. If the bank informs a real ATM of the balance, it's out of the 'fake' domain.
 

whatwhat

Executive Member
Joined
Jun 1, 2009
Messages
6,187
Did the ATM dispense fake money? Those balances could not have been fake lol. Surely it would be a totally independent system altogether. If the bank informs a real ATM of the balance, it's out of the 'fake' domain.
Did you read the next sentence?

The cards were activated, so they were seen as valid by the ATM. There wasn't a secondary check on the account type itself by the bank to check that they were trying to withdraw from a test account type. So yes, the ATM was able to dispense real cash as the bank said it was fine.

This happened during the Y2K migrations as well, as banks had to get their systems validated and tested by companies.
Would have assumed they would have learned from that.
 

BlindMelonChitlin

Expert Member
Joined
Nov 3, 2015
Messages
1,334
Did you read the next sentence?

The cards were activated, so they were seen as valid by the ATM. There wasn't a secondary check on the account type itself by the bank to check that they were trying to withdraw from a test account type. So yes, the ATM was able to dispense real cash as the bank said it was fine.

This happened during the Y2K migrations as well, as banks had to get their systems validated and tested by companies.
Would have assumed they would have learned from that.
Sorry, but that sounds like you're trying to excuse the bank. Are these ATMs supposed to be checking every transaction for 'fake account types' as you put it? The cards were 'activated'? Were they dipped in snake oil? How do they get 'activated'? I assume you mean somewhere on the information system, it still doesn't tally up - perhaps I'm asking for a more detailed and technical explanation.

It sounds like what you're saying is that in order for the banks to 'test' things, they need plastic cards that are flagged on the system as dummies to put into the machine and conduct fake transactions... so in order to test these things, two things have to be in place - cards that are flagged as dummy on the system, which are associated with dummy accounts...
?
So the fact that this worked was down to the transaction happening on another banking system's machines elsewhere in the world (i.e. via Visa/Mastercard)?
 
Joined
Dec 7, 2010
Messages
78,906
the transactions were authorised by the bank.... there was no stand-in, there was no offline... it was done during a maintenance window where certain functionality was 'turned off'
 

whatwhat

Executive Member
Joined
Jun 1, 2009
Messages
6,187
Sorry, but that sounds like you're trying to excuse the bank. Are these ATMs supposed to be checking every transaction for 'fake account types' as you put it? The cards were 'activated'? Were they dipped in snake oil? How do they get 'activated'? I assume you mean somewhere on the information system, it still doesn't tally up - perhaps I'm asking for a more detailed and technical explanation.

It sounds like what you're saying is that in order for the banks to 'test' things, they need plastic cards that are flagged on the system as dummies to put into the machine and conduct fake transactions... so in order to test these things, two things have to be in place - cards that are flagged as dummy on the system, which are associated with dummy accounts...
?
So the fact that this worked was down to the transaction happening on another banking system's machines elsewhere in the world (i.e. via Visa/Mastercard)?
Not excusing the bank.

http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html

It is common to have test accounts with test cards. They don't work at the ATM and the bank never makes a physical card. There are thousands of these in the system, and the bank system will deny a real money withdrawal from these cards.

The hackers managed to activate the cards, meaning when the ATM does the check with the bank servers, it will say actually it is a real card, so the withdrawal proceeds. All you do then is make the hundreds of physical cards and go to town at the ATM machines.

It's not complicated at all, but they needed insiders.
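
Added example, not part of whatwhat's post and not any bank's code: a minimal sketch of the control gap described in the thread, where an authorisation decision that looks only at card status and balance approves a test card once its status is changed, shown next to a version that also checks the account type, plus an audit over a constructed authorisation log. All names here (`Card`, `ACCOUNTS`, the `TEST`/`LIVE` labels, the decision strings) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

CASH_CHANNELS = {"ATM"}  # channels that pay out real cash (assumed label)

@dataclass(frozen=True)
class Card:
    token: str      # constructed card reference, not a real PAN
    account: str    # account the card is attached to
    status: str     # "ACTIVE" or "INACTIVE"

# Constructed sample ledger: account -> (account type, balance in cents).
ACCOUNTS = {
    "ACC-LIVE-1": ("LIVE", 50_000),
    "ACC-TEST-1": ("TEST", 9_999_900),  # fake balance used for integration tests
}

def authorise_status_only(card, amount, channel):
    """The gap described in the thread: card status and balance are the only gates."""
    _, balance = ACCOUNTS[card.account]
    if card.status != "ACTIVE":
        return "DECLINE_CARD_INACTIVE"
    return "APPROVE" if amount <= balance else "DECLINE_FUNDS"

def authorise_with_account_check(card, amount, channel):
    """Adds a control that does not depend on the card's status flag."""
    acct_type, _ = ACCOUNTS[card.account]
    if acct_type == "TEST" and channel in CASH_CHANNELS:
        return "DECLINE_TEST_ACCOUNT"
    return authorise_status_only(card, amount, channel)

def audit_cash_approvals(records):
    """Detective control: approved cash-outs that were booked against a test account."""
    return [r for r in records
            if r["decision"] == "APPROVE" and r["channel"] in CASH_CHANNELS
            and ACCOUNTS[r["account"]][0] == "TEST"]

test_card = Card("TOK-TEST-1", "ACC-TEST-1", "INACTIVE")
activated = replace(test_card, status="ACTIVE")  # the status change described above

# Constructed authorisation log for the audit.
LOG = [
    {"token": "TOK-LIVE-1", "account": "ACC-LIVE-1", "channel": "ATM", "decision": "APPROVE"},
    {"token": "TOK-TEST-1", "account": "ACC-TEST-1", "channel": "ATM", "decision": "APPROVE"},
    {"token": "TOK-TEST-1", "account": "ACC-TEST-1", "channel": "ATM", "decision": "DECLINE_FUNDS"},
]

if __name__ == "__main__":
    print(authorise_status_only(activated, 200_000, "ATM"))
    print(authorise_with_account_check(activated, 200_000, "ATM"))
    print(audit_cash_approvals(LOG))
```

The account-type check sits in the authorisation path itself, so it still holds when the card's status flag has been altered; the audit covers the case where the preventive check is switched off.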
 

BlindMelonChitlin

Expert Member
Joined
Nov 3, 2015
Messages
1,334
Not excusing the bank.

http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html

It is common to have test accounts with test cards. They don't work at the ATM and the bank never makes a physical card. There are thousands of these in the system, and the bank system will deny a real money withdrawal from these cards.

The hackers managed to activate the cards, meaning when the ATM does the check with the bank servers, it will say actually it is a real card, so the withdrawal proceeds. All you do then is make the hundreds of physical cards and go to town at the ATM machines.

It's not complicated at all, but they needed insiders.
I assume when you say cards, you mean cards and accounts. I can't see how a card can be used to dispense cash if not tied to an account.
 