Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      Public money, private plans: MPs demand Post Office transparency

      13 June 2025

      Coal to cash: South Africa gets major boost for energy shift

      13 June 2025

      China is behind in AI chips – but for how much longer?

      13 June 2025

      Singapore soared – why can’t we? Lessons South Africa refuses to learn

      13 June 2025

      10 red flags for Apple investors

      13 June 2025
    • World

      Yahoo tries to make its mail service relevant again

      13 June 2025

      Qualcomm shows off new chip for AI smart glasses

      11 June 2025

      Trump tariffs to dim 2025 smartphone shipments

      4 June 2025

      Shrimp Jesus and the AI ad invasion

      4 June 2025

      Apple slams EU rules as ‘flawed and costly’ in major legal pushback

      2 June 2025
    • In-depth

      Grok promised bias-free chat. Then came the edits

      2 June 2025

      Digital fortress: We go inside JB5, Teraco’s giant new AI-ready data centre

      30 May 2025

      Sam Altman and Jony Ive’s big bet to out-Apple Apple

      22 May 2025

      South Africa unveils big state digital reform programme

      12 May 2025

      Is this the end of Google Search as we know it?

      12 May 2025
    • TCS

      TechCentral Nexus S0E1: Starlink, BEE and a new leader at Vodacom

      8 June 2025

      TCS+ | The future of mobile money, with MTN’s Kagiso Mothibi

      6 June 2025

      TCS+ | AI is more than hype: Workday execs unpack real human impact

      4 June 2025

      TCS | Sentiv, and the story behind the buyout of Altron Nexus

      3 June 2025

      TCS | Signal restored: Unpacking the Blue Label and Cell C turnaround

      28 May 2025
    • Opinion

      Beyond the box: why IT distribution depends on real partnerships

      2 June 2025

      South Africa’s next crisis? Being offline in an AI-driven world

      2 June 2025

      Digital giants boost South African news media – and get blamed for it

      29 May 2025

      Solar panic? The truth about SSEG, fines and municipal rules

      14 April 2025

      Data protection must be crypto industry’s top priority

      9 April 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » In-depth » Inside the R300m Standard Bank heist

    Inside the R300m Standard Bank heist

    By Editor25 May 2016
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    ATM-640

    Three hours, around 100 people, 1 400 Japanese ATMs and 1 600 counterfeit credit cards, was all it took for fraudsters to exploit Standard Bank in Japan.

    The bank, which stands to lose up to R300m, described the attack as a “sophisticated, coordinated fraud incident” and said “swift action to contain the matter” had been taken.

    “It is evident that it is an incident of transnational organised crime that was well planned and executed,” said Kalyani Pillay, CEO of the South African Banking Risk Information Centre.

    Security experts agree, saying perpetrators went to “considerable trouble” to pull it off.

    The gang is believed to have targeted Japan due to bank security measures, which permit the use of credit and debit cards with magnetic strips as opposed to the newer and more secure chip-and-Pin technology, said Frans Lategan, an IT security consultant at SensePost, which exposes vulnerabilities and weaknesses in computer-based systems.

    According to The Yomiuri Shimbun, Japanese police believe the cash was withdrawn outside South Africa, the country in which the cards were issued, in order to delay the scam’s detection.

    That the withdrawals took place between 5am and 8am on Sunday, 15 May, is believed to be another delaying tactic. Seven bank ATMs, located in 7-Eleven convenience stores, were also targeted as they are of only two Japanese banks that allow withdrawals on foreign-issued credit and debit cards.

    Each of the 14 000 transactions saw the gang withdraw ¥100 000, or roughly R14 300, the maximum withdrawal limit set for ATMs. However, transacting below a floor limit could have also delayed detection as these transactions can be processed without bank authorisation, Lategan said.

    The news site reported that Japanese police are attempting to identify suspects by analysing security camera footage. Japanese and South African authorities are also said to be working together, via Interpol, to determine how the gang obtained the credit card data.

    “In order for external parties to gain access [to credit card information], there usually [is] some sort of collusion,” said Steven Powell, co-head of forensics at ENSafrica. He added Standard Bank would have to investigate whether its security measures were compromised internally or externally as well as whether the security breach was isolated to Japan.

    “Unless we know what security measures were in place, it is hard to know what method was used,” said Lategan.

    He said the gang could have obtained the data from an inside source, merchant or other third-party records or by exploiting numeration vulnerabilities.

    Standard-Bank--640

     

    Banks follow a pattern when issuing 16-digit credit card numbers. The first six digits denote a “major industry identifier” like Visa or MasterCard as well as a “bank identification number” based on the type of card issued such as gold or platinum, in some cases the second to last digit denotes the number of times that a card has been issued and the last digit, a function of the first 15 digits, is based on the Luhn formula.

    “Just by knowing eight digits, I can probably guess the other eight straight away,” Lategan said, adding that this method was the least likely to be used. With credit card details — including card numbers, valid expiry dates and “card verification value” (CVV) numbers — going for as little as US$1 each on the black market, he said it would have been much easier for the gang to have paid for the data. Powell said it is also possible that the gang coded the cards themselves.

    That the gang used only 1 600 fake credit cards, a relatively small amount, and only scammed one bank is also telling. “They went to considerable trouble to filter them and make sure that they had valid details,” Lategan said.

    It is likely the gang “fine-tuned” their processes by conducting similar, smaller-scale scams at other banks, so as not to raise alarm, and “Standard Bank just happened to be last”, he said.

    Lategan said the heist shows that credit cards are reasonably safe for cardholders as the gang withdrew the “bank’s money” and the burden of proof related to credit card fraud lies with banks instead of cardholders.

    “The fault doesn’t lie with the cardholder,” said Global Technology Security Provider’s Jacques van Heerden. Still, he advised cardholders to protect their information making use of chip-and-Pin cards, not allowing cards out of their sight and not entering their credit card details on any third-party Web application unless they intend to pay for something.

    • This article was originally published on Moneyweb and is used here with permission


    ENSafrica Frans Lategan Kalyani Pillay Sabric SensePost Standard Bank Steven Powell
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleMPs pay tribute to Dene Smuts
    Next Article Can Top Gear survive without Clarkson?

    Related Posts

    Home affairs faces backlash over ID database fee surge

    9 June 2025

    South Africans hit by wave of sophisticated banking scams

    28 May 2025

    Rising subscription costs creeping up on household finances

    20 May 2025
    Company News

    Huawei Watch Fit 4 Series: smarter sensors, sharper design, stronger performance

    13 June 2025

    Change Logic and BankservAfrica set new benchmark with PayShap roll-out

    13 June 2025

    SAPHILA 2025 – transcending with purpose, connection and AI-powered vision

    13 June 2025
    Opinion

    Beyond the box: why IT distribution depends on real partnerships

    2 June 2025

    South Africa’s next crisis? Being offline in an AI-driven world

    2 June 2025

    Digital giants boost South African news media – and get blamed for it

    29 May 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.