SA banks in massive data breach

A variant of malware – short for malicious software – called Dexter, inserted into point-of-sale (POS) devices at South African fast-food outlets, has cost local banks tens of millions of rand in what is being described as one of the worst breaches of customer card data in the country's history.

South Africa's banks have suffered tens of millions of rand in losses due to a major breach of customer card data by criminal syndicates that infected electronic POS devices using a variant of malicious software called Dexter.

It's not known exactly how many POS devices were infected by the malware, but the problem is believed to have been widespread in the fast-food industry. It's understood from a source with knowledge of the situation that chicken fast-food chain KFC has been hit particularly hard by the Dexter infection.

The South African Police Service (SAPS), Interpol and Europol are all involved in a multinational investigation to bring the syndicate or syndicates responsible for the data breach to book. South Africa's banking risk intelligence centre, Sabric, is managing the forensic investigation and working with the SAPS, where a case docket has been opened. No South African suspects have been arrested so far.

Payments Association of South Africa chief executive Walter Volker confirms to TechCentral that the breach, which affects most of South Africa's card-issuing banks, is significant – running into tens of millions of rand – and is at least on a par with an incident last year that involved payments company PayGate, in which thousands of cards were compromised. The Dexter incident, however, affects a "broader environment", Volker said.

'Suspected fraud'
South Africa's banks first noticed "unusual levels of suspected fraud" starting to occur at "certain fast-food outlets" earlier this year, Volker explains. "This highlighted reasons for concern, although the numbers were still low."

However, a forensics company was appointed to begin analysing "some of these incidents". An incident response committee was created, consisting of all the affected, card-issuing banks, as well as global payments companies Visa and MasterCard. The committee has worked "through 99% of the issues" and is now in the process of "cleaning up and keeping a list of possible new incidents".

"It took quite a while to get to the bottom of [this incident], because it was not the standard Dexter malware, which has been around for a while, and which many antivirus software programs can pick up," Volker said. "This one was a variant that was changed to [avoid detection] by the antivirus software."

He explains that the infection came from overseas, possibly involving a syndicate based somewhere in Europe. "That's still part of ongoing investigation." He's also reluctant to disclose how the breach occurred until the investigation has been concluded.

Specialist security firm Foregenix was commissioned to investigate and develop anti-malware software to deal with the Dexter variant. This software was provided to all of the fast-food outlets suspected of using infected POS devices, says Volker, leading to a rapid decline in the number of reported incidents after it was deployed.

Volker explains that when a bank customer presented their card at a fast-food outlet and it was swiped, malware hidden in an infected POS terminal would read the customer's card number and send this to an international syndicate. Typically in these situations, the syndicate then sells the numbers to another syndicate, which then produces plastic cards that can be used in physical stores. Because the "card verification value" security numbers on the backs of the cards were not compromised, criminals were not able to use the cards to buy online goods and services.

Volker says authorities have already picked up incidents of South African card numbers, compromised by the Dexter variant-infected POS terminals, being used to make in-store purchases in the US. This has led to arrests.

Monitored for fraudulent activity
But he says South African banking customers should not panic. "All the fast-food retailers have been cleaned out as far as possible," he says. "We're still looking at some sites that are questionable, but they are a very small minority. I don't think there's any need for panic or concern at this stage and certainly no one will be out of pocket [as the banks will honour losses]."

Banks won't necessarily replace compromised cards, Volker added, saying that they'll simply be closely monitored for fraudulent activity. Banks will be alerted automatically if transactions take place outside the country and customers queried immediately as to whether they've made the purchase or not. "We haven't had anyone making fraudulent cards domestically based on this. At this stage, the thing is really well under control," he says.

"I don't think there's any reason for concern, but obviously if you detect something on your statement that you don't recognise, you should contact your bank immediately," he says. "And any person who doesn't have a chip card should ask their bank to replace their mag-stripe card with a chip card."

It's "very difficult" to estimate how many cards have been compromised, but Volker says it's "certainly not in the millions". – TechCentral

Subscribe to the M&G

These are unprecedented times, and the role of media to tell and record the story of South Africa as it develops is more important than ever.

The Mail & Guardian is a proud news publisher with roots stretching back 35 years, and we’ve survived right from day one thanks to the support of readers who value fiercely independent journalism that is beholden to no-one. To help us continue for another 35 future years with the same proud values, please consider taking out a subscription.

Related stories

Saul’s bold last stand for the ANC

The fate of the ANC is on the line as the next generation of party leaders fight to ‘reinvent the future’ in contested provinces

Editorial: Water is a right in SA in name only

Enough money has been spent to supply 95% of all households with water infrastructure

KFC falls fowl in Britain with chicken run

Hundreds of KFC outlets remained shut in the the UK due to a supply crisis after the company changed delivery partners

Thousands of websites infected by ‘crypto mining’ malware

Researchers have been warning in recent weeks about this kind of malware, which can deliver profits without being obvious to users.

#MduduziManana: Being called gay is not an insult

Since Sunday evening, social media has been ablaze with news implicating the deputy minister of education for allegedly beating up a woman.

The cyber-war(s) being fought right under our noses

Hackers are consistently coming up with ways of accessing the devices of people and companies, despite the proliferation of security software.

Subscribers only

FNB dragged into bribery claims

Allegations of bribery against the bank’s chief executive, Jacques Celliers, thrown up in a separate court case

Dozens of birds and bats perish in extreme heat in...

In a single day, temperatures in northern KwaZulu-Natal climbed to a lethal 45°C, causing a mass die-off of birds and bats

More top stories

North West premier goes off the rails

Supra Mahumapelo ally Job Mokgoro’s defiance of party orders exposes further rifts in the ANC

Construction sites are a ‘death trap’

Four children died at Pretoria sites in just two weeks, but companies deny they’re to blame

Why the Big Fish escape the justice net

The small fish get caught. Jails are used to control the poor and disorderly and deflect attention from the crimes of the rich and powerful.

Koko claims bias before Zondo commission

In a lawyer’s letter, the former Eskom chief executive says the commission is not being fair to him

press releases

Loading latest Press Releases…