Japanese theft from Standard Bank – leak?

The news that roughly 14 000 cash withdrawals from about 1 400 Japanese ATMs were used to steal from Standard Bank raises serious questions about Standard Bank’s security and the possibility of a data leak.

Alicia’s recent article about cyber risks, “Defeat cyber risks, use the Force”, is very timely. News of a massive Japanese theft from Standard Bank highlights some of the risks Alicia wrote about.

At the same time, this is an interesting attack primarily because of its simplicity. Credit card fraud is usually based on stolen card details and/or cloned cards, but chip and PIN cards (probably the most prevalent type of credit card in use in South Africa these days) resist cloning wherever the chip is actually read. The caveat is that every chip card still carries a magnetic stripe, and an ATM or terminal that falls back to reading the stripe will accept a counterfeit card loaded with copied stripe data, so the chip only protects a card at terminals that insist on using it.

What went wrong?

It’s one thing to clone a credit card and swipe it for some sort of benefit, but withdrawing this much cash means the thieves also had working PIN codes for a substantial number of cards and were able to draw roughly R14 000 from each ATM.

It’s not clear whether that figure is per withdrawal or cumulative for each ATM. If it is per withdrawal, there could be a problem with the withdrawal limits set on the cloned cards, or with how those limits were enforced on repeated withdrawals.

Rather than defeating the chip, the Japanese theft used something much simpler and old school: card data together with PIN codes, which let the thieves draw cash from Japanese bank ATMs. According to Moneyweb:

Police believe more than 100 people may be involved, according to the report, which quotes anonymous sources as saying that approximately 14 000 transactions were used to draw a maximum of 100 000 yen (R14 247) from seven bank ATMs.
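The figures quoted above describe a pattern an issuer can look for: many cards, each drawing the ATM maximum repeatedly, in one foreign country, within a few hours. The script below is an added example (not code from the original post or from any bank) of the issuer-side checks that would surface it: a per-card daily cash cap, a per-card velocity rule (one card cannot physically visit several ATMs within minutes), and a portfolio-level alert when foreign cash withdrawals spike. The record layout, the threshold values and the sample data are all assumptions constructed for illustration; the 100 000 yen per withdrawal and the Sunday-morning window come from the reports quoted on this page.

```python
"""Issuer-side cash-out detection over constructed ATM withdrawal records.

Added example, not code from the original post or from any bank. The
record layout, thresholds and sample data are assumptions chosen to
illustrate the pattern the post describes.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime        # authorisation time (ATM local time in the sample)
    pan_hash: str       # keyed hash of the card number; never log raw PANs
    terminal_id: str    # acquirer's ATM identifier
    country: str        # ISO country code of the terminal
    amount_jpy: int     # amount in the ATM's currency


# Assumed issuer rules (hypothetical values, not the bank's real limits).
PER_CARD_DAILY_CAP_JPY = 200_000      # cumulative cash per card per 24 hours
MAX_TERMINALS_PER_HOUR = 2            # distinct ATMs one card may use in 60 minutes
PORTFOLIO_FOREIGN_CASH_ALERT = 50     # foreign withdrawals per country per hour


def check_per_card(txns):
    """Return {pan_hash: [reasons]} for cards that breach the cap or velocity rule."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_card[t.pan_hash].append(t)

    flagged = defaultdict(list)
    for pan, items in by_card.items():
        # Rolling 24-hour cumulative cash: fires on the withdrawal that crosses the cap.
        for i, cur in enumerate(items):
            window = [x for x in items[: i + 1] if cur.ts - x.ts < timedelta(hours=24)]
            if sum(x.amount_jpy for x in window) > PER_CARD_DAILY_CAP_JPY:
                flagged[pan].append(f"daily cap exceeded at {cur.ts:%H:%M}")
                break
        # Rolling 60-minute terminal velocity: one card at too many ATMs too quickly.
        for i, cur in enumerate(items):
            window = [x for x in items[: i + 1] if cur.ts - x.ts < timedelta(hours=1)]
            terminals = {x.terminal_id for x in window}
            if len(terminals) > MAX_TERMINALS_PER_HOUR:
                flagged[pan].append(f"{len(terminals)} ATMs within an hour")
                break
    return dict(flagged)


def check_portfolio(txns, home_country="ZA"):
    """Return {(country, hour): count} for hours with a foreign cash-out spike."""
    buckets = defaultdict(int)
    for t in txns:
        if t.country != home_country:
            buckets[(t.country, t.ts.replace(minute=0, second=0, microsecond=0))] += 1
    return {k: n for k, n in buckets.items() if n >= PORTFOLIO_FOREIGN_CASH_ALERT}


def constructed_sample():
    """Constructed data, not real: 60 counterfeit cards drawing the 100 000 yen
    ATM maximum three times each at different ATMs, plus two benign withdrawals."""
    base = datetime(2016, 5, 15, 5, 0)   # Sunday morning window cited in the reports
    txns = []
    for c in range(60):
        for k in range(3):
            txns.append(Withdrawal(base + timedelta(minutes=3 * c + 5 * k),
                                   f"card{c:03d}", f"JP-ATM-{(7 * c + k) % 1400:04d}",
                                   "JP", 100_000))
    txns.append(Withdrawal(base + timedelta(hours=2), "traveller", "JP-ATM-0042", "JP", 30_000))
    txns.append(Withdrawal(base + timedelta(hours=1), "local", "ZA-ATM-0007", "ZA", 2_000))
    return txns


if __name__ == "__main__":
    sample = constructed_sample()
    for pan, reasons in sorted(check_per_card(sample).items()):
        print(pan, "->", "; ".join(reasons))
    for (country, hour), n in sorted(check_portfolio(sample).items()):
        print(f"{country} {hour:%Y-%m-%d %H:00}: {n} foreign cash withdrawals")
```

The per-card rules catch each counterfeit card on its own, but the portfolio rule is the one that would have fired early on the pattern described in the reports, because it does not depend on any single card misbehaving. In production the per-card loops would run incrementally at authorisation time rather than over a batch, and the PAN hash should be keyed so that the detection store cannot be used to recover card numbers.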

Was Standard Bank hacked?

The big question, though, is how the thieves obtained the card data and PIN codes needed to carry out the crime. This remains unanswered for now, but early indications point to an exploit or security breach of some kind at the bank.

According to The Mainichi, which broke the story in its article titled “1.4 bil. yen stolen from 1,400 convenience store ATMs across Japan” –

Police suspect that the cash was withdrawn at ATMs using counterfeit credit cards containing account information leaked from a South African bank.

This story is still developing so expect to hear more, particularly about this alleged leak.

Postscript:

I assumed the credit cards were cloned but some commentators have suggested that these are issued credit cards, although with fictitious card numbers.

Postscript 2 (2016-05-24)

According to Ars Technica:

The theft took place on May 15, a Sunday, between the hours of 5am and 8am. ATMs were targeted across Tokyo and 16 other prefectures in the country. Police said they believe up to 100 people were involved in the heist, according to the Kyodo News Agency. The thieves apparently went to ATMs like those found in 7-11s across Japan and swiped counterfeit South African credit cards, created using information from cards issued by South Africa’s Standard Bank.

So the thieves created fake cards using information from issued credit cards? I have a feeling we are going to learn something important about how credit cards work and how they are processed by banks by the time the key details of this story emerge.

Image source: Pixabay

No links please, we’re Standard Bank!

I was taking a look at various website terms of use a few days ago as part of my process of keeping up to date on what goes into these documents in different contexts and I came across this section of Standard Bank’s Conditions of Access (apologies, I can’t include the link to the page for reasons which will soon become apparent) which intrigued me:

Nobody may establish a hyperlink, frame, metatag or similar reference, whether electronically or otherwise (collectively referred to as linking), to this site or any subsidiary pages before receiving our prior written approval, which may be withheld or granted subject to the conditions we specify from time to time.

An application for linking must be submitted to webmaster@standardbank.co.za. Once received we will do our best to respond and enter into further discussions with you. If you don’t get a written response from us within five business days, consider your request as having been rejected.

Breach of these conditions entitles us to take legal action without prior notice to you and you agree to reimburse the costs associated with such legal action to us on an attorney and own client scale.

This didn’t really make a lot of sense to me so I posted the first paragraph on my Posterous blog (which automatically re-posted to Twitter – I have since removed the link to the Standard Bank page). My resulting tweet was re-tweeted a couple times by people who also thought this was a little silly (the tweets also appear in FriendFeed). Update (2012-09-05): I can’t find my original updates so I have removed the dead links.

I received an email this morning from Standard Bank’s online reputation management agency, Brandsh (an excellent company by the way), with the following feedback from Standard Bank:

We are very happy to have permanent links to our site provided that the website owner signs a linking agreement with us. This is for a few reasons…

  1. We need to make sure that the information they are linking to is relevant to their website and that they have a reputable website (we are currently having a problem with a gambling website that has linked to us which is not very reputable… not good for our customers to be misled like that)
  2. That the information on our site that they will be linking to is at least up to date
  3. That the information they are linking to is not syndicated or licensed and that, by sharing it, we are not breaking any contracts/laws (we can’t risk that kind of bad press)
  4. We need to have a record of who is linking to us so if we decide to move content we can tell them so their links don’t break (this just causes frustration and a bad experience of the “linkers” and our brand)
  5. We also like to ensure that our logo is applied correctly. It’s just part of good brand management really

We are actually very happy to have as many other sites link to our site as possible (it’s great for SEO) but we just try to manage things properly… hence the written consent…

While I appreciate the need to protect a brand, this approach assumes that it is preferable to prevent people from linking if there is a risk they will do so incorrectly and that the bank has complete control over its brand. I don’t believe that the first assumption is correct, generally speaking, although I am not a marketer so I’ll leave that determination to the professionals. As for the second assumption, there are numerous examples of how companies are no longer in complete control of their brand and their customers or critics have the power to boost or trash those brands. The fact that my tweet merited a response is an indication of the potential value of that sort of feedback and my tweet was only re-tweeted a few times.

As a Standard Bank customer myself I have complimented and criticised the bank a few times on Twitter and elsewhere. My intention is to provide some form of feedback in the hope that problematic service could be improved and excellent service recognised and evangelised. Not being able to link to the bank is almost like not being allowed to mention the bank by name. I probably won’t link to the site any further but I will still talk about the bank when I have something to say about it. So will the bank’s other customers and critics. Even if those people don’t link to the bank or use its logo, they retain the ability to affect the bank’s reputation. This is why the bank has appointed Brandsh to monitor what is being said about it. If anything, being told that you need to sign a linking agreement to be able to link to the bank dissuades people from linking in the first place and, worse still, leads them to simply not talk about the bank as much as they would have. I’ve been banking with Standard Bank for about a decade now and this leaves a bad taste in my mouth.

Bringing this back to a semblance of a legal discussion, these sorts of restrictions are typical of the disconnect between conventional legal protectionist thinking and the sort of thinking we should see more of when building legal infrastructures for the Web. Lawyers really need to understand the groundswell when they draft for the Web because the Web requires a different approach that takes customers into account and recognises that they wield a fair amount of influence over the brand.

I criticised FNB for its terms on its How Can We Help You site a while ago. I had an opportunity to chat to FNB’s people about the terms at the FNB Connect product launch and they showed me a revised set of terms which I felt were more comprehensive but just not very user friendly. They have since done a much better job formatting the terms so they are more readable and intelligible to the average person who reads them (I wasn’t involved in this process, I just gave some feedback). This is important because you have to consider who is accessing your site and how important it is that they understand what they are reading. FNB’s response is also a great example of how to respond to feedback and make great improvements (I’m almost kicking myself for moving my business account away from FNB to Standard Bank a while ago).

Bottom line here is that while there isn’t really anything wrong with Standard Bank’s linking restrictions, legally speaking, they just aren’t appropriate for the social Web, where people are accustomed to talking about the brands they love and dislike.