8 November 2024

How safe are South African banks from cyber attacks?

Restraints: The banking sector adheres to global benchmarks for credit card security, but the system remains vulnerable because of the limits of its foundational IBM architecture and the absence of an instantaneous payment system. Photo: Supplied

South Africa’s banking system may be insufficiently secure to combat the rising risk of cybercrime and global hackers who now wield artificial intelligence (AI) as a weapon to attack and plunder customers’ bank accounts.

This is the view of forensic criminologist and certified security professional Laurie Pieters-James, the chief operating officer of cybersecurity consultancy firm Cybareti, following reports that at least 136 debits were processed on the bank accounts of four customers after they paid for petrol using a Standard Bank point-of-sale machine at the Cascades BP garage in Pietermaritzburg. 

The unauthorised debits totalled just over R52 000, and even though some of the affected customers had near-zero balances in their accounts, the debits were not declined.

Pieters-James said her consultancy is aware of many issues related to fraud at banks, Standard Bank and Capitec in particular. 

She said Standard Bank had last year invested in the security system Maltego, marketed on its website as “an investigation platform that accelerates complex cyber investigations from hours to minutes”.

“But the problem with cyber is that you can be up to date today, and by tomorrow, there are 30 new, new hacks out there. And with AI the code is weaponised. They take a previous code, and just bang it into an AI platform, and say, ‘weaponise this code’, and it will do it,” Pieters-James said.

Standard Bank this week blamed the debits on a technical glitch rather than cybercrime.

Townhill community policing forum chairperson Darryl Schoeman, who has been collating complaints from affected bank customers, said his nightmare began after he paid R600.09 for fuel at the BP Cascades on 21 October. 

“This transaction only reflected on my account on 26 October. On 29 October at 10.40am, I drew a transaction report to keep for my bank reconciliations. At that time, only transactions up to the 26th were showing, the BP transaction and a balance of only R32.09,” he said.

“When I opened my banking app to put funds in for my wife to make a purchase, I saw that I was in arrears of over R11 000. Upon investigation, I saw that the BP transaction of 26 October had repeated on 28 October, with the exact same reference number, with an additional 18 transactions with new reference numbers, all running in sequential order.

“I simply accepted the incident as a system error and went through to the service station where I met another lady, Yoga Maharaj, who was also there to raise the issue. We were informed by the staff that we were about the 15th person,” he said.

Schoeman said he had alerted the garage owner who was assisting customers to get refunds. He also reported it to his bank, FNB, lodged a dispute and cancelled his bank card on 30 October.

But on 31 October, when he checked his account, a further 15 duplicate transactions — which had not been there the day before — reflected as having been processed on 29 October.

“My account was now R20 403.06 overdrawn. These additional transactions had been processed after my card was cancelled,” Schoeman said.

“I always maintain a close to zero balance in my account to avoid any possible fraudulent transactions. I maintain this vigilance to ensure that I cannot be defrauded, but this seems to not be good enough.” 

Schoeman said he does not have an overdraft facility on the account and asked why the bank had not declined the transactions because of insufficient funds.

“What better safeguard to have than to have no money in your account to be stolen? And yet this has proven not to be sufficient to be safe from fraudulent transactions,” he said.

“I do not feel that any bank is safe anymore. They tell us that virtual cards linked to Google Wallet tap-to-pay is the safest, preferred form of payment and yet this has been severely compromised. 

“I feel extremely vulnerable and have reverted to withdrawing cash to pay for goods now as I don’t know which system, which bank, which merchant, is going to be compromised.” 

Schoeman said his bank eventually reversed the debits on 1 November.

Maharaj said her account incurred 34 debits of R150 on 29 and 30 October totalling R5 100. She complained to her bank, FNB, and to the garage, and the debits were reversed on 2 November.

“If you’re conducting a point-of-sale transaction, you have to use your pin number to authenticate a single transaction. How were these funds taken off our account without that security comfort?” Maharaj wondered.

Another customer, Amanda Ganguloo, said she had bought fuel worth R500 and the debit had reflected on 28 October.

“Thereafter, my account was debited 34 times. In total R17 000 was erroneously debited. I have been told that 26 people are in this unfortunate situation.”

Ganguloo said she disputed the transactions with FNB and the debits were reversed. She also alerted the garage owner.

“She was helpful and stated that this was a case of a technical issue with that particular speedpoint they were using at the service station. She stated that this was a systems error on the Standard Bank side and that she had contacted BP management and Standard Bank,” Ganguloo said.

The fourth customer, who asked not to be named, said she was also debited 34 times for R300, totalling R10 200 on 27 October. She said her bank, Capitec, had reversed the transactions last week.

“How did this happen? How did my bank allow them to take a further 15 times R300 when my account was at a zero balance and I do not have a credit facility? Capitec and other banks should take suspected fraud more seriously and should have notified me after the first 19 was deducted,” she said.

She said Capitec staff said it was the bank’s fault but they “could not understand” what had happened.

A Standard Bank spokesperson said: “A technical issue at Standard Bank caused a limited number of transactions to be duplicated during the end-of-day transaction clearing process. Although each transaction was authorised only once, a system error caused the transaction instruction to be replicated, leading to multiple debits.

“Fewer than 200 cardholders nationwide were affected by this issue.”

She said the bank had identified the issue on 28 October and initiated refunds to the affected customers. “Once detected, the issue was quickly resolved, and we worked with FNB to ensure refunds were processed.”

Several cybersecurity experts who spoke to the Mail & Guardian this week were also uncertain what may have transpired, but some suggested that the customers’ cards may have been skimmed — although clearly not in Schoeman’s case because he tapped his cellphone to pay — or that the electronic code transmitted from the card or cellphone to the point-of-sale device had been intercepted by criminals standing nearby.

“The problem is, unless these companies are running proper cybersecurity [software] it’s really difficult to see if the transaction is internal or external, because what a lot of these syndicates do is they have someone in the bank, so they’re running the system from inside and outside,” Pieters-James said.

If banks are running the right software they should be able to trace where the transactions were effected and whether they came from the same IP (internet protocol) address.

“I don’t know what they’re running as endpoint protection but if they’ve deployed something like SentinelOne, they will see all of these transactions. This is why [mobile phone operators] Vodacom and MTN have just invested in this technology. Because the problem is so complex today that if you’re not planning a proper EDR [endpoint detection and response] system, it’s almost impossible to keep up with it,” she said.

Asked how secure the South African banking system is against hackers and cybercriminals, Pieters-James said: “Nothing is secure. The problem is you just need one hacker to find one new methodology that gets through. And what people don’t understand about the underworld financial hacking system is that they share information. It’s not one lone guy trying to hack your system. It’s a team.

“And when they find a way in, it’s usually through social engineering. We’ve learned that you can put billions into your technology, and you just need one vulnerable employee, and they give out a password, and the guy’s in, or they click on a link, or do something equally stupid.”

A lot of cybercrime emanates from Russia, Ukraine and Eastern Europe where people are struggling financially, Pieters-James said.

“The hackers have forums. They get together, look at what they need to do, and they make a team, and they attack us as one. There are hacker forums all over the internet, and that’s not even talking about the dark net,” she said.

Banks need to do more to ensure their cybersecurity systems are adequate and constantly train their staff to be aware of social engineering tactics, Pieters-James stressed.

Pieter Geldenhuys, futurist and director at the Institute for Technology Strategy and Innovation, noted that although South Africa’s banking system is, in certain respects, more advanced than that of the United States, its foundational infrastructure remains antiquated and difficult to modernise. This outdated architecture hinders the implementation of a real-time payment capability between banks.

He pointed to innovations such as Apple Pay, which leverages existing credit card payment rails by employing a unique, single-use dynamic cryptogram for each transaction, thereby enhancing payment facilitation and reducing fraud risks at the point-of-sale interface.

“Our credit card systems and overall banking standards adhere to global benchmarks, meaning we’re no more vulnerable than other nations. In fact, in some areas, like the US and parts of Europe, we’re comparatively more robust,” Geldenhuys said.

“However, this does not imply that our systems are as secure as they could be. The primary limitations arise from the legacy IBM stack architecture and the absence of an instantaneous payment system.”

Wolfpack Risk chief executive Craig Rosewarne said the South African banking system’s technological infrastructure is “very advanced” and can “stand tall” alongside other countries.

“Security is probably one of the best in terms of all the different sectors in the country, and not just at each individual bank, but the banking sector is also very coordinated with Sabric [South African Banking Risk Information Centre] where they coordinate responses and share threat information, across all different types of crimes, including cyber,” Rosewarne said.

“There is quite a bit of oversight from the Reserve Bank, the Prudential Authority, the Financial Sector Conduct Authority and the Financial Intelligence Centre.”

He added, “We’ve got a very good Cybercrimes Act and it’s got penalties for different types of cybercrimes but the structures needed to enforce it are slowly being implemented. Different sectors need to collaborate, and government and private sectors need to collaborate a lot more.”

A spokesperson for BP Southern Africa said “some customers” had reported that “multiple card payments have come off their bank accounts after transacting at some BP service stations which use the Standard Bank stand-alone payment estate. 

“We have since been in contact with Standard Bank and established that the issue is technical in nature.” 

FNB spokesperson Sizwekazi Jekwa Mdingi said: “Due to client confidentiality, we will communicate directly with our customers to resolve the matter.”

Capitec had not responded to questions by the time of publication.