/ 15 October 2013

SA banks in massive data breach

SA's banks have suffered tens of millions of rand in losses due to a major breach of customer card data by criminal syndicates.
SA's banks have suffered tens of millions of rand in losses due to a major breach of customer card data by criminal syndicates. (Gallo)

A variant of malware – short for malicious software – called Dexter, inserted into point-of-sale (POS) devices at South African fast-food outlets, has cost local banks tens of millions of rand in what is being described as one of the worst breaches of customer card data in the country's history.

South Africa's banks have suffered tens of millions of rand in losses due to a major breach of customer card data by criminal syndicates that infected electronic POS devices using a variant of malicious software called Dexter.

It's not known exactly how many POS devices were infected by the malware, but the problem is believed to have been widespread in the fast-food industry. It's understood from a source with knowledge of the situation that chicken fast-food chain KFC has been hit particularly hard by the Dexter infection.

The South African Police Service (SAPS), Interpol and Europol are all involved in a multinational investigation to bring the syndicate or syndicates responsible for the data breach to book. South Africa's banking risk intelligence centre, Sabric, is managing the forensic investigation and working with the SAPS, where a case docket has been opened. No South African suspects have been arrested so far.

Payments Association of South Africa chief executive Walter Volker confirms to TechCentral that the breach, which affects most of South Africa's card-issuing banks, is significant – running into tens of millions of rand – and is at least on a par with an incident last year that involved payments company PayGate, in which thousands of cards were compromised. The Dexter incident, however, affects a "broader environment", Volker said.

'Suspected fraud'
South Africa's banks first noticed "unusual levels of suspected fraud" starting to occur at "certain fast-food outlets" earlier this year, Volker explains. "This highlighted reasons for concern, although the numbers were still low."

However, a forensics company was appointed to begin analysing "some of these incidents". An incident response committee was created, consisting of all the affected, card-issuing banks, as well as global payments companies Visa and MasterCard. The committee has worked "through 99% of the issues" and is now in the process of "cleaning up and keeping a list of possible new incidents".

"It took quite a while to get to the bottom of [this incident], because it was not the standard Dexter malware, which has been around for a while, and which many antivirus software programs can pick up," Volker said. "This one was a variant that was changed to [avoid detection] by the antivirus software."

He explains that the infection came from overseas, possibly involving a syndicate based somewhere in Europe. "That's still part of ongoing investigation." He's also reluctant to disclose how the breach occurred until the investigation has been concluded.

Specialist security firm Foregenix was commissioned to investigate and develop anti-malware software to deal with the Dexter variant. This software was provided to all of the fast-food outlets suspected of using infected POS devices, says Volker, leading to a rapid decline in the number of reported incidents after it was deployed.

Volker explains that when a bank customer presented their card at a fast-food outlet and it was swiped, malware hidden in an infected POS terminal would read the customer's card number and send this to an international syndicate. Typically in these situations, the syndicate then sells the numbers to another syndicate, which then produces plastic cards that can be used in physical stores. Because the "card verification value" security numbers on the backs of the cards were not compromised, criminals were not able to use the cards to buy online goods and services.

Volker says authorities have already picked up incidents of South African card numbers, compromised by the Dexter variant-infected POS terminals, being used to make in-store purchases in the US. This has led to arrests.

Monitored for fraudulent activity
But he says South African banking customers should not panic. "All the fast-food retailers have been cleaned out as far as possible," he says. "We're still looking at some sites that are questionable, but they are a very small minority. I don't think there's any need for panic or concern at this stage and certainly no one will be out of pocket [as the banks will honour losses]."

Banks won't necessarily replace compromised cards, Volker added, saying that they'll simply be closely monitored for fraudulent activity. Banks will be alerted automatically if transactions take place outside the country and customers queried immediately as to whether they've made the purchase or not. "We haven't had anyone making fraudulent cards domestically based on this. At this stage, the thing is really well under control," he says.

"I don't think there's any reason for concern, but obviously if you detect something on your statement that you don't recognise, you should contact your bank immediately," he says. "And any person who doesn't have a chip card should ask their bank to replace their mag-stripe card with a chip card."

It's "very difficult" to estimate how many cards have been compromised, but Volker says it's "certainly not in the millions". – TechCentral