South Africa’s banks have suffered tens of millions of rand in losses due to a major breach of customer card data by criminal syndicates that infected electronic point-of-sale (POS) terminals using a variant of malicious software called Dexter.

It’s not known exactly how many POS terminals were infected by the malware, but the problem is believed to have been widespread in the fast-food industry. It’s understood from a source with knowledge of the situation that chicken fast-food chain KFC has been particularly hit hard by the Dexter infection.

The South African Police Service (SAPS), Interpol and Europol are all involved in a multinational investigation to bring the syndicate or syndicates responsible for the data breach to book. South Africa’s banking risk intelligence centre, Sabric, is managing the forensic investigation and working with the SAPS, where a case docket has been opened. No South African suspects have been arrested so far.

Payments Association of South Africa CEO Walter Volker confirms to TechCentral that the breach, which affects most of South Africa’s card-issuing banks, is significant — running into tens of millions of rand — and is at least on a par with an incident last year involving payments company PayGate, in which thousands of cards were compromised. The Dexter incident, however, affects a “broader environment”, Volker says.

South Africa’s banks first noticed “unusual levels of suspected fraud” starting to occur at “certain fast-food outlets” earlier this year, Volker explains. “This highlighted reasons for concern, although the numbers were still low.”

However, a forensics company was appointed to begin analysing “some of these incidents”. An incident response committee was created, consisting of all the affected, card-issuing banks, as well as global payments companies Visa and MasterCard. The committee has worked “through 99% of the issues” and is now in the process of “cleaning up and keeping a list of possible new incidents”.

“It took quite a while to get to the bottom of [this incident], because it was not the standard Dexter malware, which has been around for a while, and which many antivirus software programs can pick up,” Volker says. “This one was a variant that was changed to [avoid detection] by the antivirus software.”

He explains that the infection came from overseas, possibly involving a syndicate based somewhere in Europe. “That’s still part of ongoing investigation.” He’s also reluctant to disclose how the breach occurred until the investigation has been concluded.

Specialist security firm Foregenix was commissioned to investigate and develop antimalware software to deal with the Dexter variant. This software was provided to all of the fast-food outlets suspected of using infected POS devices, says Volker, leading to a rapid decline in the number of reported incidents after it was deployed.

Volker explains that when a bank customer presented their card at a fast-food outlet and it was swiped, malware hidden in an infected POS terminal would read the customer’s card number and send this to an international syndicate. Typically in these situations, the syndicate then sells the numbers to another syndicate, which then produces plastic cards that can be used in physical stores. Because the “card verification value” security numbers on the backs of the cards were not compromised, criminals were not able to use the cards to buy online goods and services.

Volker says authorities have already picked up incidents of South African card numbers, compromised by the Dexter variant-infected POS terminals, being used to make in-store purchases in the US. This has led to arrests.

But he says South African banking customers should not panic. “All the fast-food retailers have been cleaned out as far as possible,” he says. “We’re still looking at some sites that are questionable, but they are a very small minority. I don’t think there’s any need for panic or concern at this stage and certainly no one will be out of pocket [as the banks will honour losses].”

Banks won’t necessarily replace compromised cards, Volker adds, saying that they’ll simply be closely monitored for fraudulent activity. Banks will be alerted automatically if transactions take place outside the country and customers queried immediately as to whether they’ve made the purchase or not. “We haven’t had anyone making fraudulent cards domestically based on this. At this stage, the thing is really well under control,” he says.

“I don’t think there’s any reason for concern, but obviously if you detect something on your statement that you don’t recognise, you should contact your bank immediately,” he says. “And any person who doesn’t have a chip card should ask their bank to replace their mag-stripe card with a chip card.”