Massive South African credit card leak

[faniebraai]

I could have been wrong here as well. All my banking knowledge dates back to dot-matrix printers, punch cards and I can only assume that most things (such as PASA) stay the same.

I had to confirm with my source LOL things changed since i left apparently

 

[*Medusa*]

I had to confirm with my source LOL things changed since i left apparently

Yip, they do STIP.

 

[faniebraai]

Yip, they do STIP.

just for 1 bank... guess who

 

[*Medusa*]

just for 1 bank... guess who

Yip

 

[ld13]

Ironically got this sms just now:

"Standard Bank: Notification of pricing changes with effect from 6 May 2016 in accordance with the National Credit Act. Visit our website for more details."

Unrelated and perfectly normal. Saw similar messages from... absa/virgin/nedbank.

 

[Sinbad]

Unrelated and perfectly normal. Saw similar messages from... absa/virgin/nedbank.

Yup. NCA monthly admin fee has been increased from R50 to R60 + vat.

 

[adielk]

Didn't know Standard bank issued Visa cards?

My cheque card is. The credit card runs via the competition to visa, mastercard.

 

[BlindMelonChitlin]

So help me out - it may have been mentioned, but I don't have the patience to read 9 pages of this thread - how are South African credit cards leaked, but consumers are not affected? Who's credit cards were leaked?

 

[whatwhat]

So help me out - it may have been mentioned, but I don't have the patience to read 9 pages of this thread - how are South African credit cards leaked, but consumers are not affected? Who's credit cards were leaked?

Test cards from the sound of it. Cards that are issued for 3rd parties to test integration with.

 

[access]

Test cards from the sound of it. Cards that are issued for 3rd parties to test integration with.

test cards with real currency?

why on earth.

I suppose its easier when the money is not really bound to anything but numbers. house of cards imo.

 

[BlindMelonChitlin]

Test cards from the sound of it. Cards that are issued for 3rd parties to test integration with.

test cards with real currency?

why on earth.

I suppose its easier when the money is not really bound to anything but numbers. house of cards imo.

Right... so test cards linked to real money that doesn't belong to clients... hmm...
Must be all that other stuff the banks sell.

 

[whatwhat]

Right... so test cards linked to real money that doesn't belong to clients... hmm...
Must be all that other stuff the banks sell.

Test accounts, or non-real accounts are quite common as these are used for integration testing by the banks and 3rd party companies. These accounts have fake balances, and fake cards attached to them.

It seems that the test cards were activated, so they would work at an ATM. The ATM just saw the balance was available and paid out the cash, without the bank doing a check that the account itself wasn't real.

 

[BlindMelonChitlin]

Test accounts, or non-real accounts are quite common as these are used for integration testing by the banks and 3rd party companies. These accounts have fake balances, and fake cards attached to them.

It seems that the test cards were activated, so they would work at an ATM. The ATM just saw the balance was available and paid out the cash, without the bank doing a check that the account itself wasn't real.

Did the ATM dispense fake money? Those balances could not have been fake lol. Surely it would be a totally independent system altogether. If the bank informs a real ATM of the balance, it's out of the 'fake' domain.

 

[whatwhat]

Did the ATM dispense fake money? Those balances could not have been fake lol. Surely it would be a totally independent system altogether. If the bank informs a real ATM of the balance, it's out of the 'fake' domain.

Did you read the next sentence?

The cards were activated, so they were seen as valid by the ATM. There wasn't a secondary check on the account type itself by the bank to check that the they were trying to withdraw from a test account type. So yes, the ATM was able to dispense real cash as the bank said it was fine.

This happened during the Y2K migrations as well, as banks had to get their systems validated and tested by companies.
Would have assumed they would have learned from that.

 

[BlindMelonChitlin]

Did you read the next sentence?

The cards were activated, so they were seen as valid by the ATM. There wasn't a secondary check on the account type itself by the bank to check that the they were trying to withdraw from a test account type. So yes, the ATM was able to dispense real cash as the bank said it was fine.

This happened during the Y2K migrations as well, as banks had to get their systems validated and tested by companies.
Would have assumed they would have learned from that.

Sorry, but that sounds like you're trying to excuse the bank. Are these ATMs supposed to be checking every transaction for 'fake account types' as you put it? The cards were 'activated'? Were they dipped in snake oil? How do they get 'activated'? I assume you mean somewhere on the information system, it still doesn't tally up - perhaps I'm asking for a more detailed and technical explanation.

It sounds like what you're saying is that in order for the banks to 'test' things, they need plastic cards that are flagged on the system as dummies to put into the machine and conduct fake transactions... so in order to test these things, two things have to be in place - cards that are flagged as dummy on the system, which are associated with dummy accounts...
?
So the fact that this worked was down to the transaction happening on another banking system's machines elsewhere in the world (i.e. via Visa/Mastercard)?

 

[faniebraai]

the transactions was authorised by the bank.... there was no stand-in, there was no offline... it was done during a maintenance window where certain functionality was 'turned off'

 

[whatwhat]

Sorry, but that sounds like you're trying to excuse the bank. Are these ATMs supposed to be checking every transaction for 'fake account types' as you put it? The cards were 'activated'? Were they dipped in snake oil? How do they get 'activated'? I assume you mean somewhere on the information system, it still doesn't tally up - perhaps I'm asking for a more detailed and technical explanation.

It sounds like what you're saying is that in order for the banks to 'test' things, they need plastic cards that are flagged on the system as dummies to put into the machine and conduct fake transactions... so in order to test these things, two things have to be in place - cards that are flagged as dummy on the system, which are associated with dummy accounts...
?
So the fact that this worked was down to the transaction happening on another banking system's machines elsewhere in the world (i.e. via Visa/Mastercard)?

Not excusing the bank.

http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html

It is common to have test accounts with test cards. They don't work at the ATM and the bank never makes a physical card. There are thousands of these in the system, and the bank system will deny a real money withdrawal from these cards.

The hackers managed to activate the cards, meaning when the ATM does the check the bank servers it will say actually it is a real card, so the withdrawal proceeds. All you do then is make the hundreds of physical cards and go to town at the ATM machines.

It's not complicated at all, but they needed insiders.

 

[BlindMelonChitlin]

Not excusing the bank.

http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html

It is common to have test accounts with test cards. They don't work at the ATM and the bank never makes a physical card. There are thousands of these in the system, and the bank system will deny a real money withdrawal from these cards.

The hackers managed to activate the cards, meaning when the ATM does the check the bank servers it will say actually it is a real card, so the withdrawal proceeds. All you do then is make the hundreds of physical cards and go to town at the ATM machines.

It's not complicated at all, but they needed insiders.

I assume when you say cards, you mean cards and accounts. I can't see how a card can be used to dispense cash if not tied to an account.