The news about the theft from Standard Bank carried out through roughly 1,400 cash withdrawals from Japanese bank ATMs raises serious questions about Standard Bank’s security and the possibility of a data leak.
At the same time, this is an interesting attack primarily because of its simplicity. Credit card fraud usually relies on stolen card information and/or cloned cards, but chip and PIN cards (probably the most prevalent type of credit card in use in South Africa these days) are usually too secure for that to work.
What went wrong?
It’s one thing to clone a credit card and swipe it to obtain some sort of benefit, but withdrawing this much cash means the thieves had access to a substantial number of PIN codes and were able to draw roughly R14 000 from each ATM.
It’s not clear whether that figure is per withdrawal or cumulative per ATM. If it is per withdrawal, there could be a problem with the withdrawal limits set on the cards which were cloned.
Instead, the theft in Japan uses something much simpler and old school: PIN codes that enabled the thieves to draw cash from Japanese bank ATMs. According to Moneyweb:
Police believe more than 100 people may be involved, according to the report, which quotes anonymous sources as saying that approximately 14 000 transactions were used to draw a maximum of 100 000 yen (R14 247) from seven bank ATMs.
Was Standard Bank hacked?
The big question, though, is how the thieves obtained the PIN codes used to carry out the crime. This question remains unanswered for now, but early indications point to an exploit or security breach of some kind at the bank.
The theft took place on May 15, a Sunday, between the hours of 5am and 8am. ATMs were targeted across Tokyo and 16 other prefectures in the country. Police said they believe up to 100 people were involved in the heist, according to the Kyodo News Agency. The thieves apparently went to ATMs like those found in 7-11s across Japan and swiped counterfeit South African credit cards, created using information from cards issued by South Africa’s Standard Bank.
So the thieves created fake cards using information from issued credit cards? I have a feeling we are going to learn something important about how credit cards work and how they are processed by banks by the time the key details of this story emerge.
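The withdrawal pattern described above (many counterfeit cards drawing the per-transaction maximum from foreign ATMs within a three-hour window) is exactly what an issuer's per-card limits and portfolio-level velocity monitoring exist to catch. The Python below is an added example written for this page, not code from Standard Bank or any of the sources quoted. The daily limit, burst window and threshold are assumed values, and the withdrawal records are constructed sample data; only the 100 000 yen per-transaction maximum comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-transaction maximum quoted in the article (100 000 yen).
PER_WITHDRAWAL_CAP_YEN = 100_000
# Assumed control values for illustration; not the bank's real settings.
DAILY_CARD_LIMIT_YEN = 150_000
BURST_WINDOW = timedelta(hours=3)
BURST_THRESHOLD = 20  # distinct cards hitting the cap abroad within one window


def make_sample_withdrawals():
    """Constructed sample data: 25 cards each drawing the cap twice at Japanese
    ATMs on one morning, plus two ordinary domestic withdrawals. Amounts are all
    expressed in yen for simplicity."""
    rows = []
    start = datetime(2016, 5, 15, 5, 0)
    for i in range(25):
        for k in range(2):
            rows.append({
                "card": f"card-{i:03d}",
                "ts": start + timedelta(minutes=3 * i + 60 * k),
                "amount": PER_WITHDRAWAL_CAP_YEN,
                "country": "JP",
                "atm": f"atm-{(i + k) % 7}",
            })
    rows.append({"card": "card-900", "ts": datetime(2016, 5, 15, 9, 30),
                 "amount": 20_000, "country": "ZA", "atm": "atm-za-1"})
    rows.append({"card": "card-901", "ts": datetime(2016, 5, 15, 10, 0),
                 "amount": 50_000, "country": "ZA", "atm": "atm-za-2"})
    return rows


def cards_over_daily_limit(withdrawals, daily_limit=DAILY_CARD_LIMIT_YEN):
    """Per-card control: return {(card, date): total} for every card whose
    cumulative withdrawals in one calendar day exceed the limit."""
    totals = defaultdict(int)
    for w in withdrawals:
        totals[(w["card"], w["ts"].date())] += w["amount"]
    return {key: total for key, total in totals.items() if total > daily_limit}


def foreign_cap_burst(withdrawals, home_country="ZA",
                      window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Portfolio-level control: count distinct cards making cap-sized withdrawals
    outside the home country inside a sliding time window. Returns one alert
    (country, window_start, distinct_cards) per country that crosses the threshold.
    A single card never trips this; a fleet of counterfeit cards does."""
    by_country = defaultdict(list)
    for w in withdrawals:
        if w["country"] != home_country and w["amount"] >= PER_WITHDRAWAL_CAP_YEN:
            by_country[w["country"]].append(w)
    alerts = []
    for country, rows in by_country.items():
        rows.sort(key=lambda r: r["ts"])
        left = 0
        for right, row in enumerate(rows):
            # Slide the left edge so the window never exceeds its width.
            while rows[left]["ts"] < row["ts"] - window:
                left += 1
            distinct = {r["card"] for r in rows[left:right + 1]}
            if len(distinct) >= threshold:
                alerts.append((country, rows[left]["ts"], len(distinct)))
                break  # one alert per country is enough to page someone
    return alerts


if __name__ == "__main__":
    sample = make_sample_withdrawals()
    print("cards over daily limit:", len(cards_over_daily_limit(sample)))
    for country, start, n in foreign_cap_burst(sample):
        print(f"burst alert: {n} cards hit the cap in {country} from {start}")
```

The per-card check answers the question the article raises about withdrawal limits; the burst check is the one that would have fired early on a morning like the one described, because the signal is in the aggregate (many cards, one country, one short window) rather than in any single transaction.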
Cyber risks are a real and present danger. They are often hidden and misunderstood so I wrote this article just for you. I’m also a Star Wars fan and couldn’t resist the Force.
When I think of the words “cyber risks”, I don’t think of anything immediately tangible or immediately threatening. What those words (especially together) mean to me is far more ethereal and a lot more entertaining…
My thoughts digress to a Jedi fighting a Sith, Ewoks and Jabba the Hutt. I think of Darth Vader and the famous “I am your father” scene. All very “otherworldly” and “galactic”, something a true Star Wars fan can fully and truly appreciate. But this is not Star Wars and I am no Princess Leia.
“Luke, I am your father”
Just like the “Luke, I am your father” scene inevitably shocked Luke into a new reality, growing cyber risks are doing the same for businesses across the globe. And that is actually my point: is cyber risk really in a “Legality” far, far away, or is it closer to home than we think?
What do I mean? Well, I will give you some examples.
In PricewaterhouseCoopers’ January 2016 Top Issues publication, the following was outlined:
“The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks and threats are very rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.”
“Cyber risks are increasingly frequent and severe, loss contagion is hard to contain, and risks are difficult to detect, evaluate, and price.”
“Whatever your industry, cyber security is a worldwide concern. As you hold more data, and your staff use their own devices, you can become more vulnerable to security breaches.
Those breaches can have significant legal and reputational effects upon companies. As shown by recent data breaches, and related litigation, this is not just an IT issue.”
There has even been a full article written on the Hedgeweek website entitled “Cyber security – a Global Perspective” (the title alone has a sense of doom and seriousness about it). This article sets out the lengths the US legislature is going to in order to ensure the protection of companies against cyber-crime, which includes the House of Representatives passing a new cybersecurity bill –
“the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.”
Cyber Risks – a clear and present danger
If it is not clear already, let me spell it out for you: cyber risks are here. It is a risk that is not only very real but one that can be truly devastating to a company should its systems and data be hacked, thereby revealing company trade secrets. Can anyone say “huge liability claim”?
Speaking of huge liability claims, insurers and reinsurers are discovering that there is a growing and real need to insure companies across all industries against these potentially devastating risks, and that means increased premiums for those insurers and reinsurers eager to tuck into a slice of the proverbial cyber pie. According to PwC –
“Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade.”
But that’s insurance, and therefore inevitably a safety net should things go awry; where law is concerned, prevention is often better than the cure.
Understanding leads to prevention
In order to even start combating cyber risk, we first need to understand what it actually entails. According to Kennedy’s “Cyber risks – an insurance perspective” article, cyber risks can be understood quite simply:
“Two of the most common forms of cyber risks are Cyber-attacks and data breaches. Cyber-attacks can take many forms:
Hacktivism – where a company’s website is hacked into and used as a platform to promote views.
Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.
Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.
Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data.”
A call to arms
What is abundantly clear is that this is not just an IT issue, something you can “dial a nerd” for and consider your job done. What this is, is a global risk, something that we as legal practitioners need to get ahead of. It is all well and good to have the insurers and reinsurers making their mark in this currently untapped risk market, but we need to prevent the risk from materialising in the first place. A seemingly daunting and almost impossible task, to be sure. However, as with everything, you can tackle this “one bite at a time”.
With that in mind, how do we fight cyber risks?
Identify the specific risks to the business and what needs the most protection. For example, in a company like Coke, intellectual property might be the most important asset which is vulnerable to cyber attack. For Bid or Buy, the stability of online platforms and the security of customers’ personal data may be paramount.
Assess the potential consequences of the various types of possible attack. Essentially, what would the impact be on the company’s reputation, its share price and its goodwill? What is the litigation risk? What would the impact on the business be if its activities were disrupted for a short or a sustained period of time? How much risk can the business accept? This is a really important balancing act and, from a legal perspective, will need some risk management. For example, ensure senior management in all areas of the business are fully aware of the IT security measures and all the risks that potentially exist.
Devise a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. A cybersecurity review is vital.
Ensure that the systems and security measures are properly and regularly tested (here you can most certainly get hold of “dial a nerd”).
Implement appropriate staff training and education. Many attempts to compromise information involve what is known as “social engineering”, which is effectively the skilful manipulation of people and human nature to trick information out of a company. Online social media platforms need to be properly monitored, and staff trained on what they can and cannot say about the company online. A social media policy will most definitely be needed. Proper training can help reduce, or completely prevent, this type of risk.
Clearly, cyber-security is more than just tightly worded policies and endless procedures. It is a legal risk management exercise which undoubtedly entails keeping your eyes wide open, your ears to the ground and your paper trail well and truly up to date; if there is any significant attack, the legal team needs to be properly armed with its trail of governance to ensure real combative steps are taken.
“May the force be with you” indeed does come to mind.