Japanese theft from Standard Bank – leak?

The news about the Japanese theft from Standard Bank using roughly 1,400 cash withdrawals from Japanese bank ATMs raises serious questions about Standard Bank’s security and the possibility of a data leak.

Alicia’s recent article about cyber risks is very timely. News of a massive Japanese theft from Standard Bank highlights some of the risks Alicia wrote about.

Defeat cyber risks, use the Force

At the same time, this is an interesting attack primarily because of its simplicity. Usually, credit card fraud attacks are based on stolen credit card information and/or cloned cards, but chip and PIN cards (which are probably the most prevalent type of credit card in use in South Africa these days) are usually too secure for that to work.

What went wrong?

It’s one thing to clone a credit card and swipe it as a way to obtain some sort of benefit but withdrawing so much cash means the thieves had access to a substantial number of PIN codes and were able to draw roughly R14 000 from each ATM.

It’s not clear if that is per withdrawal or cumulatively from each ATM. If it is per withdrawal, there could be a problem with withdrawal limits set for the cards which were cloned.

Instead, the Japanese theft uses something much simpler and old school: PIN codes to enable the thieves to draw cash from Japanese bank ATMs. According to Moneyweb:

Police believe more than 100 people may be involved, according to the report, which quotes anonymous sources as saying that approximately 14 000 transactions were used to draw a maximum of 100 000 yen (R14 247) from seven bank ATMs.

Was Standard Bank hacked?

The big question, though, is how the thieves obtained the PIN codes to facilitate the crime. This question remains unanswered, for now, but early indications point to an exploit or security breach of some kind at the bank.

According to The Mainichi, which broke the story in its article titled “1.4 bil. yen stolen from 1,400 convenience store ATMs across Japan” –

Police suspect that the cash was withdrawn at ATMs using counterfeit credit cards containing account information leaked from a South African bank.

This story is still developing so expect to hear more, particularly about this alleged leak.

Postscript:

I assumed the credit cards were cloned but some commentators have suggested that these are issued credit cards, although with fictitious card numbers.

Postscript 2 (2016-05-24)

According to Ars Technica:

The theft took place on May 15, a Sunday, between the hours of 5am and 8am. ATMs were targeted across Tokyo and 16 other prefectures in the country. Police said they believe up to 100 people were involved in the heist, according to the Kyodo News Agency. The thieves apparently went to ATMs like those found in 7-11s across Japan and swiped counterfeit South African credit cards, created using information from cards issued by South Africa’s Standard Bank.

So the thieves created fake cards using information from issued credit cards? I have a feeling we are going to learn something important about how credit cards work and how they are processed by banks by the time the key details of this story emerge.
