Three hours, around 100 people, 1 400 Japanese ATMs and 1 600 counterfeit credit cards were all it took for fraudsters to exploit Standard Bank in Japan.
The bank, which stands to lose up to R300m, described the attack as a “sophisticated, coordinated fraud incident” and said “swift action to contain the matter” had been taken.
“It is evident that it is an incident of transnational organised crime that was well planned and executed,” said Kalyani Pillay, CEO of the South African Banking Risk Information Centre.
Security experts agree, saying perpetrators went to “considerable trouble” to pull it off.
The gang is believed to have targeted Japan due to bank security measures, which permit the use of credit and debit cards with magnetic strips as opposed to the newer and more secure chip-and-Pin technology, said Frans Lategan, an IT security consultant at SensePost, which exposes vulnerabilities and weaknesses in computer-based systems.
According to The Yomiuri Shimbun, Japanese police believe the cash was withdrawn outside South Africa, the country in which the cards were issued, in order to delay the scam’s detection.
That the withdrawals took place between 5am and 8am on Sunday, 15 May, is believed to be another delaying tactic. Seven Bank ATMs, located in 7-Eleven convenience stores, were also targeted as Seven Bank is one of only two Japanese banks that allow withdrawals on foreign-issued credit and debit cards.
Each of the 14 000 transactions saw the gang withdraw ¥100 000, or roughly R14 300, the maximum withdrawal limit set for ATMs. However, transacting below a floor limit could have also delayed detection as these transactions can be processed without bank authorisation, Lategan said.
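Every withdrawal described above stays within the ATM limit, so the pattern only shows up when transactions are aggregated across cards. The following issuer-side check is an added example, not code from the article or from any bank's systems. The record layout, the 30-minute window and the three-card threshold are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOME_COUNTRY = "ZA"  # country of issue, per the article

# Constructed sample: time, card, ATM country, entry mode, amount, ATM maximum
SAMPLE = [
    "2000-01-02T05:01:00,card-A,JP,magstripe,100000,100000",
    "2000-01-02T05:03:00,card-B,JP,magstripe,100000,100000",
    "2000-01-02T05:04:00,card-A,JP,magstripe,100000,100000",
    "2000-01-02T05:06:00,card-C,JP,magstripe,100000,100000",
    "2000-01-02T05:07:00,card-D,ZA,chip,20000,100000",       # domestic chip
    "2000-01-02T05:08:00,card-E,JP,chip,30000,100000",       # foreign, chip
    "2000-01-02T09:00:00,card-F,GB,magstripe,100000,100000",  # lone card
]

def parse(line):
    ts, card, country, entry, amount, limit = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "card": card, "country": country,
            "entry": entry, "amount": int(amount), "limit": int(limit)}

def is_risky(tx):
    """Foreign ATM, magnetic-stripe read, withdrawal at the ATM maximum."""
    return (tx["country"] != HOME_COUNTRY and tx["entry"] == "magstripe"
            and tx["amount"] >= tx["limit"])

def detect_bursts(lines, window=timedelta(minutes=30), min_cards=3):
    """Return (time, country, distinct_cards) the first time a country has
    min_cards distinct cards making risky withdrawals inside the window."""
    recent = defaultdict(deque)  # country -> (time, card) pairs in the window
    alerted, alerts = set(), []
    for tx in sorted(map(parse, lines), key=lambda t: t["ts"]):
        if not is_risky(tx):
            continue
        q = recent[tx["country"]]
        q.append((tx["ts"], tx["card"]))
        while tx["ts"] - q[0][0] > window:  # drop entries older than window
            q.popleft()
        cards = {card for _, card in q}
        if len(cards) >= min_cards and tx["country"] not in alerted:
            alerted.add(tx["country"])
            alerts.append((tx["ts"], tx["country"], len(cards)))
    return alerts

if __name__ == "__main__":
    for ts, country, n in detect_bursts(SAMPLE):
        print(f"{ts.isoformat()} burst in {country}: {n} cards at ATM maximum")
```

Counting distinct cards rather than transactions keeps one traveller's repeated withdrawals from raising the alert.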
The news site reported that Japanese police are attempting to identify suspects by analysing security camera footage. Japanese and South African authorities are also said to be working together, via Interpol, to determine how the gang obtained the credit card data.
“In order for external parties to gain access [to credit card information], there usually [is] some sort of collusion,” said Steven Powell, co-head of forensics at ENSafrica. He added Standard Bank would have to investigate whether its security measures were compromised internally or externally as well as whether the security breach was isolated to Japan.
“Unless we know what security measures were in place, it is hard to know what method was used,” said Lategan.
He said the gang could have obtained the data from an inside source, merchant or other third-party records or by exploiting numeration vulnerabilities.
Banks follow a pattern when issuing 16-digit credit card numbers. The first six digits denote a “major industry identifier” like Visa or MasterCard as well as a “bank identification number” based on the type of card issued, such as gold or platinum. In some cases the second-to-last digit denotes the number of times that a card has been issued, and the last digit, a function of the first 15 digits, is based on the Luhn formula.
“Just by knowing eight digits, I can probably guess the other eight straight away,” Lategan said, adding that this method was the least likely to be used. With credit card details — including card numbers, valid expiry dates and “card verification value” (CVV) numbers — going for as little as US$1 each on the black market, he said it would have been much easier for the gang to have paid for the data. Powell said it is also possible that the gang coded the cards themselves.
That the gang used only 1 600 fake credit cards, a relatively small amount, and only scammed one bank is also telling. “They went to considerable trouble to filter them and make sure that they had valid details,” Lategan said.
It is likely the gang “fine-tuned” their processes by conducting similar, smaller-scale scams at other banks, so as not to raise alarm, and “Standard Bank just happened to be last”, he said.
Lategan said the heist shows that credit cards are reasonably safe for cardholders as the gang withdrew the “bank’s money” and the burden of proof related to credit card fraud lies with banks instead of cardholders.
“The fault doesn’t lie with the cardholder,” said Global Technology Security Provider’s Jacques van Heerden. Still, he advised cardholders to protect their information by making use of chip-and-Pin cards, not allowing cards out of their sight and not entering their credit card details on any third-party Web application unless they intend to pay for something.
- This article was originally published on Moneyweb and is used here with permission