Postbank security crisis — over R150 million stolen
Postbank insiders have helped criminal syndicates steal over R150 million that should have gone towards helping South Africa’s poorest families, the Sunday Times reports.
The report comes after the poorly-secured state-owned financial institution blocked grant recipients from making ATM withdrawals using their South African Social Security Agency (Sassa) cards.
It halted withdrawals after R18 million was stolen from the Postbank.
The report revealed that several severe operational security flaws at the Postbank are allowing fraudsters to rob it blind.
Highly sensitive systems, including Postbank’s integrated grant payment system, are being accessed using a single set of credentials.
Up to 40 employees, ranging from junior to senior staff, have this key.
Even when fraud is discovered, it is difficult to trace the transactions to a particular staff member.
Those with the credential can also delete transaction logs, making it difficult to detect fraud in the first place.
Citing insider accounts, the Sunday Times also reported that the Postbank has been operating the grant payment system without activating a feature designed to detect anomalies and alert the institution to possible fraud.
Postbank interim CEO Lucas Ndala told the newspaper all indications point to an inside job.
He said they’ve seen disturbances like this every month since taking over Sassa grant payments from the Post Office.
“It points to a concerted effort of sabotage against the bank,” stated Ndala.
Ndala confirmed that several people were placed on suspension as a precaution.
This is not the first time the Sunday Times has exposed extremely poor operational security at the bank.
In 2020, it reported that Postbank’s “master key” was stored in plaintext during a data centre migration in July 2018.
Two staff members stored the key in plaintext on USB flash drives, and one of the drives couldn’t be located.
The 36-digit master key reportedly lets anyone read and write account balances, and read and alter information on any of the cards the bank has issued.
Following the potential master key exposure, criminals siphoned around R56 million in 25,000 fraudulent transactions from Postbank accounts between March 2018 and December 2019.
The Post Office initially denied that its master key for Postbank’s cards was compromised, saying that the “stories” were unfounded and only sought to create panic among Postbank’s clients.
However, in January 2021, social development minister Lindiwe Zulu told Parliament that government was in talks to replace all Sassa cards following the security breach.
Reports of all Sassa cards being replaced have led to widespread misinformation claiming the cards have expired.
The Postbank has once again emphasised that its Sassa gold cards remain valid.
Postbank’s stolen millions — at least R175 million stolen since 2012
In March, the amaBhungane Centre for Investigative Journalism reported that between 16 and 28 October 2021, criminals helped themselves to at least R89,459,330 in cash stolen from the Postbank.
The perpetrators fraudulently transferred the money to 279 Sassa accounts, then withdrew it at ATMs using cloned cards.
In 2020, Zulu revealed that over 1,700 Post Office workers received social grants for which they did not qualify.
That resulted in Sassa bleeding around R1.5 million a month.
The Post Office had also been targeted in several robberies, which saw Sassa cards and computers stolen.
In 2012, a syndicate stole R42 million from Postbank in a heist between 1 and 3 January.
The criminals had opened several Postbank accounts towards the end of 2011, and, over New Year’s, they gained access to a Rustenburg Post Office employee’s computer.
From there, the syndicate made deposits from other accounts into its own.
Over the next three days, they used ATMs in Gauteng, Free State and KwaZulu-Natal to withdraw cash from the accounts.
The Sunday Times reported that this type of attack had reared its ugly head again.
In one incident, criminals deposited R13.3 million into a Postbank account in 13 transactions and withdrew R9 million between 29 and 31 October 2022.
Another case saw R21 million of Sassa funds deposited into a fraudulently created account, of which R16 million was withdrawn.
This recent fraud was reportedly perpetrated after hours, on Saturdays, when the branches are closed.
Criminals apparently got into the Postbank’s system and client database remotely, using credentials belonging to bank tellers.
As a result, Postbank is considering halting all weekend and after-hours transactions for the time being.
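The two patterns described in this report, teller credentials moving money while branches are closed and a single login used from many machines, are the kind of thing a basic anomaly rule can flag. The sketch below is an added example, not Postbank's system or code from the report; the log format, credential and host names, branch hours and threshold are all assumptions, and the log lines are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Assumed branch hours (Mon-Fri 08:00-17:00); not taken from the article.
OPEN, CLOSE = time(8, 0), time(17, 0)
MAX_HOSTS_PER_CREDENTIAL = 2  # assumed threshold for a "shared login"

# Constructed sample log: timestamp, credential, role, source_host, amount_rand
SAMPLE_LOG = """\
2022-10-28T10:15:00,teller-017,teller,branch-ws-04,1200
2022-10-29T22:40:00,teller-017,teller,remote-gw-01,950000
2022-10-29T23:05:00,teller-017,teller,remote-gw-01,1100000
2022-10-31T09:30:00,svc-grants,system,app-srv-01,300
2022-10-31T09:45:00,svc-grants,system,branch-ws-11,450
2022-10-31T10:02:00,svc-grants,system,branch-ws-19,800
"""

def branch_closed(ts):
    """True on weekends or outside the assumed weekday opening hours."""
    return ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)

def analyse(log_text):
    """Return (rand moved per teller credential while closed, shared credentials)."""
    after_hours = defaultdict(int)   # credential -> total rand moved while closed
    hosts = defaultdict(set)         # credential -> distinct source hosts seen
    for ts, cred, role, host, amount in csv.reader(StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        hosts[cred].add(host)
        if role == "teller" and branch_closed(when):
            after_hours[cred] += int(amount)
    shared = sorted(c for c, h in hosts.items()
                    if len(h) > MAX_HOSTS_PER_CREDENTIAL)
    return dict(after_hours), shared

if __name__ == "__main__":
    closed_totals, shared_creds = analyse(SAMPLE_LOG)
    for cred, total in closed_totals.items():
        print(f"ALERT after-hours teller activity: {cred} moved R{total:,}")
    for cred in shared_creds:
        print(f"ALERT credential used from many hosts: {cred}")
```

Because the report says holders of the shared credential can delete transaction logs, a rule like this is only useful if it reads from a copy of the logs that those operators cannot alter.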