Postbank, the banking division of South Africa’s Post Office, has been forced to replace more than 12 million cards for its customers and has lost over $3.2 million to fraudulent transactions after a breach in which employees printed and then stole its master key.
According to the South African news outlet Sunday Times, the incident took place in December 2018, when someone printed the bank’s master key on a piece of paper at its old data center in the city of Pretoria.
The master key is a 36-digit code (an encryption key) that lets its holder decrypt the bank’s operations and even access and modify banking systems. It is also used to generate keys for customer cards.
The bank suspects that employees are behind the breach. According to an internal report, between March and December 2019, the rogue employees used the master key to access accounts and make more than 25,000 fraudulent transactions, stealing more than $3.2 million (56 million rand) from customer balances.
Now aware of the breach, Postbank will have to replace all customer cards that were generated with the master key, which would cost more than one billion rand (~$58 million).
Both normal payment cards and cards for receiving government social benefits must be replaced. The Sunday Times said that approximately eight to ten million of the cards are for receiving social grants, and most of the fraudulent operations took place here.
The security researcher behind Bank Security said that corrupt employees have had access to the Host Master Key (HMK) or lower-level keys. The HMK is the key that protects all the keys, which, in a mainframe architecture, could access the ATM PINs, home banking access codes, customer data, credit cards, etc.
A bank’s master keys are its most sensitive secret and must be guarded accordingly. They are not usually compromised.
Usually, the HMK is managed on dedicated servers (with a dedicated OS) and is highly protected from physical access (multiple simultaneous badge access and a restricted/separated data center).
Also, no single person has access to the entire key; it is divided between various reliable managers or VIPs, and hence the key can only be reconstructed if everyone is corrupt.
Precisely to avoid this type of incident, the people and the key are changed periodically. As of now, Postbank could not be reached for comment.
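The division of the key between several custodians described above can be illustrated with XOR key components, where every component is needed to rebuild the key and any smaller set is indistinguishable from random data. This is an added example, not Postbank's procedure or code from the article; the function names, the 16-byte key size and the hash-based check value (a stand-in for the cipher-based key check value an HSM would compute) are assumptions.

```python
import hashlib
import secrets
from functools import reduce

KEY_LEN = 16  # constructed sample size, not the format of any real bank key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    """Short fingerprint recorded at the key ceremony (assumption: a
    truncated hash stands in for a cipher-based key check value)."""
    return hashlib.sha256(b"kcv-demo" + key).hexdigest()[:6].upper()


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split key into one component per custodian (all are required)."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # The last component is chosen so that the XOR of all components is the key.
    parts.append(reduce(xor_bytes, parts, key))
    return parts


def combine(components: list[bytes], expected_check: str) -> bytes:
    """Rebuild the key and refuse it unless the check value matches."""
    key = reduce(xor_bytes, components)
    if not secrets.compare_digest(check_value(key), expected_check):
        raise ValueError("check value mismatch: component missing or altered")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)  # constructed sample key
    kcv = check_value(master)
    parts = split_key(master, 3)
    print("all three custodians:", combine(parts, kcv) == master)
    try:
        combine(parts[:2], kcv)
    except ValueError as err:
        print("two custodians only:", err)
```

Printing the assembled key in one place, as in the incident described, defeats this control because the whole value is then held by whoever has the paper.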