Fast food outlet KFC is investigating the credit card scam that cost South African banks “many millions of rands” and targeted the fast food industry.
Doug Smart, MD of KFC South, said in a short statement that the company is taking the issue very seriously and cannot comment on a statement by Walter Volker, CEO of the Payments Association of South Africa (Pasa), that the industry was vulnerable to an international criminal syndicate because it was not fully compliant with security measures.
If this is indeed the case, some of the banks that incurred losses might try to reclaim them from the errant retailers.
“Our first priority is to make sure that the impact on our customers remains minimal. In the unlikely event that customers believe they may have been impacted by the malware, they should immediately make contact with their own bank to investigate and resolve queries on their accounts. We are working with the Payments Association of South Africa (PASA) as well as our own banks in their ongoing investigations,” Smart said.
Volker earlier confirmed that South African banks have lost “many millions of rands” as a result of a sophisticated scam in which criminals abroad accessed the card data of clients who bought fast food at several outlets in the country.
This was first reported by TechCentral, which described how a custom-written variation of the Dexter malware caused “one of the worst breaches of customer card data in the country’s history”.
“The industry has taken immediate and proactive steps to identify the extent of the potential exposure, clean up confirmed sites with effective custom anti-malware software and carefully monitor transactions on the cards involved in order to detect possible unusual activity,” says Volker.
Customers suffered no loss, apart from the inconvenience of sorting out unauthorized overseas transactions on their card accounts, says Volker.
He says “very clever people” trawl the internet to find vulnerable systems where security measures have been compromised or not adhered to. In this case they found those conditions in sections of the fast food industry and launched their attack.
The malware infiltrated the back office computer systems of the particular outlets, copied the data from cards used to purchase fast food and sent it to criminals abroad. There it was sold to other parties, who used it to issue fraudulent cards in Europe and America, where they were used for in-store purchases.
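The article does not say how the Dexter variant captured card data, but the Dexter family is generally known as a point-of-sale memory scraper: it reads unencrypted magnetic-stripe track data out of the payment application’s process memory and exfiltrates it. The following is an added illustration, not code from the article, from Pasa or from any of the vendors involved: a scanner that a responder could run over a memory dump or heap capture to find Track 1 and Track 2 data the way such malware does, filtering out false positives with a Luhn check and masking the PAN so the finding itself does not become a second PCI problem. The sample memory fragment and the card numbers in it are constructed (they are the standard 4111… and 5555… test numbers), and the service-code interpretation follows the ISO 7813 convention that a leading 2 or 6 marks a chip-capable card.

```python
import re

# Track 2: PAN (13-19 digits) '=' YYMM service-code(3) discretionary data '?'.
# Optional ';' start sentinel; the lookbehind stops us matching the tail of a longer digit run.
TRACK2_RE = re.compile(
    rb'(?<![0-9]);?([0-9]{13,19})=([0-9]{2})(0[1-9]|1[0-2])([0-9]{3})([0-9]{0,20})\?'
)
# Track 1, format B: '%B' PAN '^' name '^' YYMM service-code(3) discretionary data '?'.
TRACK1_RE = re.compile(
    rb'%B([0-9]{13,19})\^([A-Z /.\-]{2,26})\^([0-9]{2})(0[1-9]|1[0-2])([0-9]{3})([0-9]{0,20})\?'
)


def luhn_ok(pan: bytes) -> bool:
    """Luhn check digit test; rejects most random digit runs that happen to look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep first six and last four digits, which PCI DSS permits to be displayed."""
    p = pan.decode("ascii")
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid track data found in a raw memory buffer, PANs masked, sorted by offset."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm, svc = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_ok(pan):
            findings.append(_record(2, m.start(), pan, yy, mm, svc))
    for m in TRACK1_RE.finditer(buf):
        pan, yy, mm, svc = m.group(1), m.group(3), m.group(4), m.group(5)
        if luhn_ok(pan):
            findings.append(_record(1, m.start(), pan, yy, mm, svc))
    return sorted(findings, key=lambda f: f["offset"])


def _record(track: int, offset: int, pan: bytes, yy: bytes, mm: bytes, svc: bytes) -> dict:
    svc_s = svc.decode("ascii")
    return {
        "track": track,
        "offset": offset,
        "pan_masked": mask_pan(pan),
        "expiry": f"{mm.decode()}/{yy.decode()}",
        "service_code": svc_s,
        # ISO 7813: first service-code digit 2 or 6 means an IC (chip) card; 1 or 5 is magstripe-only
        "chip_capable": svc_s[0] in "26",
    }


# Constructed sample of what a scraped POS heap might contain (test card numbers, not real cards).
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"POS terminal heap fragment (constructed sample) "
    + b";4111111111111111=2512101123456789?" + b"\x00" * 4   # Track 2, Luhn-valid, magstripe-only card
    + b";4111111111111112=2512101000000000?" + b"\x00" * 4   # fails Luhn -> dropped as a false positive
    + b"%B5555555555554444^DOE/JANE^25122011000000000?"      # Track 1, Luhn-valid, chip-capable card
    + b"\x00" * 4
    + b"1234567890123456789012"                               # bare digits without track structure -> ignored
)


if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_DUMP):
        print(f)
```

Running the script over the constructed fragment reports two findings: the magstripe-only Track 2 record and the chip-capable Track 1 record. The Luhn-failing string and the bare digit run are ignored, which is the main reason a plain “16 digits” regex is not enough on a noisy heap. The same scanner run against a live POS process (for example over a memory image acquired during incident response) is a quick way to confirm whether card data is sitting in plaintext where a scraper could reach it, which is exactly the condition PCI DSS compliance is meant to prevent.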
Volker says mostly credit and cheque cards were affected. They were mostly not chip-enabled and typically required a signature. PINs were never compromised.
No fraudulent cards were issued or used in South Africa as a result of the scam.
It is not clear how many client transactions were compromised, says Volker. It was widespread across fast food brands, he says. Pasa has commissioned the development of anti-malware software and this has already been used to clean up the affected systems. “There is no reason to be concerned,” says Volker.
“It is clear, if it is not the customer’s fault, he won’t suffer the loss,” says Volker. Typically a client would see suspicious overseas transactions on his card account or be notified of such. Since it is not his fault, the issuing bank would reverse the transaction. If the client’s bank is convinced that the loss is none of his doing, but has been caused by a problem on the side of the outlet’s payment system, it can reclaim the loss from the bank backing that system. That bank can in turn reclaim from the outlet if it is found that the outlet did not comply with the security measures contained in its contract for payment services.
Volker says the attack was very sophisticated and is “only the second reasonably big incident” after the PayGate issue last year that also affected cards.
He says the ongoing cost of security to stay one step ahead of sophisticated and technically savvy criminals is enormous. “PASA is working with the banks and the card schemes to implement immediate measures to block the potential exposure of card data and bring merchants to a state of full compliance to the Payment Card Industry Data Security Standard (PCI DSS).” Full compliance will limit the risk to all concerned considerably, says Volker.
He says cardholders who have concerns, or who are suspicious of any transactions appearing on their card statements or that their banks have alerted them to, should contact their bank directly and immediately.
According to TechCentral the South African Police Service (SAPS), Interpol and Europol are working together to bring the syndicate to book.