The point-of-sale systems of numerous well-known fast food outlets in South Africa were infected with malware earlier this year, which enabled cyber-criminals to steal customers' credit and debit card information.
TechCentral reported today (15 October 2013) that a variant of malware called Dexter, which infected the point-of-sale devices, “cost local banks tens of millions of rand”.
The report added that the breach is described “as one of the worst breaches of customer card data in the country’s history”.
Walter Volker, CEO of the Payments Association of South Africa (PASA), preferred not to provide the names of the affected fast food chains, but confirmed that they included big names in the industry.
He said that they first detected fraud based on this security breach early in 2013, and started to investigate the issue as fraud volumes started to increase.
With the help of a forensic investigation company, the affected outlets and the cause of the security breach were uncovered. The cause was that payment systems were infected with malware.
Volker said that they know exactly how the point-of-sale systems were infected, but are keeping the information private to assist with an ongoing police investigation.
It was also established that an international syndicate was behind the security breach which recorded credit card and debit card data.
This banking card data was either used to clone cards for international use in a physical environment, or sold to be used by other parties.
Large-scale investigation, banks refunding customers
Volker said that Interpol, Europol, and the South African police are involved in the investigation.
The good news is that card holders who have been affected by this security breach have not lost money.
Volker explained that the banks absorbed the losses incurred through this security breach.
The payment systems of the fast food outlets affected by the security breach have been cleaned of any malware.
Volker added that they are still closely monitoring the situation, and the investigation into other potential security breaches is ongoing.
When asked for comment, Absa said that this is an industry issue and is not isolated to Absa. They suggested that the Payments Association or BASA (Banking Association of South Africa) should be consulted for comment.
FNB echoed this comment.
The Dexter malware made headlines towards the end of 2012 when Seculert published details on its research into the software on its blog.
According to Seculert, Dexter is a custom-made malware that had been used for 2-3 months prior to its blog post and had infected hundreds of point-of-sale (POS) systems.
What made the malware so interesting was that it targeted POS terminals rather than personal computers, and that it was POS malware that behaved like a botnet.
According to reports, Dexter looked for credit card information in the memory of the infected POS device and then communicated back to a command and control (C&C) system. It could also receive commands from a C&C system.
In December 2012, Seculert reported that of the 40 countries where it tracked Dexter infections, South Africa ranked 6th, with 4% of infections seen here.
Update: Following the reports this morning, PASA issued the following statement:
The Payments Association of South Africa (PASA), international card schemes (Visa and MasterCard) and South Africa’s major banks are aware of a data compromise at a number of South Africa’s restaurant chains/franchises.
As a result of the data compromise, card details were accessed by an unauthorised international organisation through custom-written virus software. Immediate and proactive steps have been taken to secure the relevant systems and to prevent further leakage of card details as well as identify the extent of the potential exposure. This includes cleaning-up confirmed sites, with effective custom anti-malware software, and carefully monitoring transactions on the cards involved – to detect possible unusual activity.
“PASA is working with the banks and the card schemes to implement immediate measures to block the potential exposure of personal card data and bring the merchants to a state of full compliance in relation to the Payment Card Industry Data Security Standards (PCI DSS),” says Walter Volker, CEO of PASA.
“There is no need for concern by cardholders. Rather, it is important to be aware of the fact that the issuing and acquiring banks in the South African payments environment all have very well developed and sophisticated fraud and risk management systems in place. Additionally, the monitoring of any heightened levels of potential fraud, which might result from this card data exposure, would not require additional systems,” continues Volker.
PASA and the South African banks have been working actively with the merchant industry to ensure that all companies that process card transactions implement and comply with the PCI Data Security Standards.
“However, it is the responsibility of the cardholders’ banks to decide whether they will be contacting their customers with a view to replacing any cards that might have been exposed, or placing these cards on a heightened level of monitoring before any action is taken,” adds Volker. “There was no need for undue concern by cardholders however; we urge card users to report any suspicious transactions to their banks, for urgent investigation.”
“What is important to understand is that should fraudulent transactions be perpetrated on any cards, as a result of the data compromise, cardholders will not be exposed to any losses – as is the case under normal circumstances,” concludes Volker.
Cardholders who have any concerns or are suspicious of any transactions appearing on their card statements, or to which they are alerted via their SMS/email ‘in contact’ services, should contact their bank directly and immediately.
Standard Bank provided the following statement:
Standard Bank is aware of the breach of card data that has been stored, external to the bank, in select fast food outlets. This fraud impacted the banking industry as a whole, and some Standard Bank debit, credit and cheque card customers have been affected. Immediate and pro-active steps have been taken by Standard Bank and at an industry level to identify and limit the extent of the potential exposure.
All Standard Bank cards that may have been impacted have been placed under a heightened level of monitoring to detect possible unusual or fraudulent activity. Should fraudulent transactions occur on any of these cards, cardholders will not be exposed to any losses and Standard Bank will replace the cards of affected customers. Standard Bank views this breach in a serious light and has committed resources and skills to ensure that their customers can transact in a safe and secure manner.
Should customers become aware of any suspicious transactions through MyUpdates (sms alerts), mobile app, internet banking, or on their bank statements, they are requested to contact Standard Bank on 0861 201 000.
The incident is regrettable and Standard Bank would like to reassure customers that there is no need for undue concern. The banking industry and PASA have well-developed and sophisticated fraud and risk management systems in place to limit the exposure of our customers to criminal activity.
Absa provided the following statement:
Banking fraud is a major concern to Absa. Significant investment is made in helping to ensure our customers are aware of safe banking practices.
It has come to light that the Dexter virus was identified at a contained number of terminals across a number of merchants where Absa has had very limited exposure to date.
Supported by the South African Banking Risk Information Centre (SABRIC), we are working with the authorities under the guidance of the Payments Association of South Africa (PASA) to resolve the matter.
Absa still urges customers to remain vigilant and scrutinise their credit card statements for unusual or unfamiliar transactions. Absa provides its NotifyMe service to alert customers to transactions performed on their accounts and encourages customers to make use of this service to proactively identify unauthorised transactions which may be as a result of compromised card data.
Update on 16 October 2013: Nedbank has provided the following statement:
Nedbank is aware of a data compromise at some of South Africa’s restaurant chains/franchises. The Payments Association of South Africa (PASA) in conjunction with member banks, has taken immediate steps to secure the relevant systems to prevent further leakage of card details. Nedbank can confirm that the number of incidents reported is limited and that where fraud losses have been reported, Nedbank Card clients have been refunded and reissued with new cards. Nedbank will continue to closely monitor all transactions acquired by third party processors and Nedbank clients need not be concerned.