About one month ago, on May 15, 2016, between 5 and 8 am Japan time, well over 100 people used compromised card details of customers of a Tier 1 bank in Africa to make physical cash withdrawals totalling almost 13 million USD at specific ATM cash points (7-Eleven cash machines; roughly 1,400 transactions).
This incident is not far different from the numerous cyber breaches making the rounds in cyber reportage, e.g. the Bangladesh Bank heist.
According to the CEO of SABRIC, Pillay Kalyani, 2015 recorded a 778 million Rand loss to crime across all card types in South Africa. Generally, what we notice is that the media speaks heavily about the sad outcomes (how much data was stolen or compromised) and only rarely about the intelligence behind the breach: how the crime bypassed the security measures that the breached institution had put in place. Needless to point out, the numerous regulatory guidelines on data security (e.g. the POPI Act, PCI DSS) favour concepts such as encryption or tokenization of card details in applications. Could it be that there is too little information for cyber journalists to work with to complete these types of reportage? Or does cybercrime forensics remain “confidential”? Or does it perhaps never reach any conclusion in Africa?
In this write-up, I try to suggest a possible chronicle of the attack by making some assumptions about the conditions at the Tier 1 bank before the attack.
To attempt to answer the big question of how the heist succeeded, from an external observer's perspective and without making the uncertain certain, would be to shoot in the dark. Still, going by the assumptions above and without any privileged details, I will start by eliminating some possible explanations that don't add up to explain the “how”.
As with most broad cyber breach forensics, the key to understanding what may have happened is to narrow down the numerous attack vectors, eliminate the unlikely methods by which the attacker could have perpetrated their actions, and then drill down further on the possible attack methodology. In order to guesstimate the method of attack on this Tier 1 African bank, one needs to examine all attack vectors. Having read some press releases from online media agencies, I stand to rule out some assertions in mainstream media.
Having ruled out an ATM hack and compromised merchants, this leaves us with one question: where would you most likely find all the card details hosted in large quantity in a single source, together with a complete view of all the parameters that would allow anyone to easily re-create the cards (card numbers, expiry dates, CVV, CVV2, CVC2 and CID)? Potentially, this would be the banking application that the bank uses. In our assumption, say SAP.
But wait a minute: the Tier 1 bank has NGFW, IDS/IPS, endpoint security and the entire perimeter fencing capability! The Ponemon Institute conducted research and found that organizations continue to invest little or nothing in application layer security compared with other areas of enterprise security. Also, just recently, an SAP statement in Forbes magazine claimed that 84% of cyber-attacks now occur on the application layer.
Taking us back to our search for answers, you would be surprised to find that even with PCI DSS regulations in place, a number of people already had the capability to decrypt credit card data in applications like SAP as far back as 2011 (http://scn.sap.com/thread/2027341). If your guess is as good as mine, five years after that post there will be faster ways of decrypting credit card details in SAP (not discussed in this write-up). While the technology has also moved to tokenization, you may find that there are vulnerabilities in applications that allow an attacker to escalate privileges into the tables that contain the raw credit card details and, where the data is encrypted, to decrypt the card details afterwards.
To be frank, given the method of this heist (over 100 people and 14,000 transactions), I can bet that my suspicion that potentially more card details were exposed is a valid one. So, what probably happened at the Tier 1 bank?
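The withdrawal pattern described above (many distinct cards from one issuer, one foreign country, a window of a few hours) is something an issuer's own authorization stream can surface while it is still happening. The following is an added example, not code from this article or from any bank; the record layout, the ZA issuer country and the thresholds are assumptions, and the sample authorizations are constructed:

```python
"""Issuer-side detection of a coordinated ATM cash-out burst (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

ISSUER_COUNTRY = "ZA"  # assumption: the issuer is a South African bank

# Constructed sample authorizations: (UTC timestamp, card token, ATM country,
# ATM id, amount). 05:00-08:00 JST on May 15 is 20:00-23:00 UTC on May 14.
SAMPLE_AUTHS = [
    ("2016-05-10T08:00:00", "tok900", "JP", "atm-711-0400", 200.0),  # lone traveller
    ("2016-05-14T20:05:00", "tok001", "JP", "atm-711-0001", 900.0),
    ("2016-05-14T20:07:30", "tok002", "JP", "atm-711-0001", 900.0),
    ("2016-05-14T20:12:00", "tok003", "JP", "atm-711-0002", 900.0),
    ("2016-05-14T20:20:00", "tok004", "JP", "atm-711-0003", 900.0),
    ("2016-05-14T20:25:00", "tok005", "JP", "atm-711-0002", 900.0),
    ("2016-05-14T21:40:00", "tok006", "JP", "atm-711-0003", 900.0),
    ("2016-05-15T06:00:00", "tok777", "ZA", "atm-za-0010", 50.0),   # domestic, ignored
]

def cashout_burst_alerts(records, window=timedelta(hours=3), min_cards=5, min_atms=3):
    """Flag each foreign country where, inside any sliding `window`, at least
    `min_cards` distinct cards withdraw cash from at least `min_atms` distinct ATMs.
    One alert per country, describing the window with the most distinct cards."""
    by_country = defaultdict(list)
    for ts, card, country, atm, amount in records:
        if country != ISSUER_COUNTRY:  # domestic activity is out of scope for this rule
            by_country[country].append((datetime.fromisoformat(ts), card, atm, amount))
    alerts = []
    for country, events in by_country.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Drop events older than `window` relative to the newest one.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            cards = {e[1] for e in win}
            atms = {e[2] for e in win}
            if len(cards) >= min_cards and len(atms) >= min_atms:
                if best is None or len(cards) > best["cards"]:
                    best = {"country": country, "cards": len(cards), "atms": len(atms),
                            "window_start": win[0][0].isoformat(),
                            "window_end": win[-1][0].isoformat(),
                            "total": round(sum(e[3] for e in win), 2)}
        if best:
            alerts.append(best)
    return alerts
```

On the constructed sample the rule raises one alert for JP covering six cards at three ATMs, while the lone traveller days earlier and the domestic withdrawal stay silent.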
To simply hope, as we do in Africa, that no such heist happens again is not wise. Rather, since more attacks of this nature are likely, we advocate checking all areas of application security in mission-critical applications and benchmarking them against third-party frameworks.
I leave you with some more questions: could it be that an application vulnerability in SAP or open source software was exploited in this heist? Could it be that some unfamiliar strain of malware was also used as part of a wider toolkit in this attack? I guess we will never know unless and until the Tier 1 bank releases actual documentation of the forensic report. However, what I know for sure is that these types of attacks can have a long-term and huge impact on the confidence of investors, customers and partners of the Tier 1 bank in Africa.
Beyond reputational damage and loss of confidence, the trends that follow this attack are not far-fetched: while S&P rated South Africa highly, we see a decline in the Tier 1 bank's rating.
As most readers are aware by now, firewalls, intrusion detection/prevention systems and anti-virus software are the main go-to mechanisms for blocking attack vectors, but no protection method is totally attack-proof.
In conclusion, we must note that while the Tier 1 bank, like any forward-thinking bank, will continue to do many things right from a cyber-security perspective, we must come to terms with our new reality: with 84% of cyber breaches occurring at the application layer, a defense method that is effective today may not be so tomorrow, because hackers are constantly updating attack vectors and seeking new ones (0-days) in their quest to gain unauthorized access to applications (the most ignored area in terms of actionable budgets) and networks alike, thereby affecting the economic balance of corporations as well as nations.
This write-up is based on many assumptions and does not reflect any fact about what may have happened at any bank in Africa. As you will note, the views presented here are simplistic in nature, though revealing, and bear the thoughts of the writer alone. It is not intended to bad-mouth any application in favour of another, but to give the public a view of the cyber reality of the rising discovery of vulnerabilities on the application layer. We hope it will assist other institutions operating under similar assumptions to strengthen their cyber initiatives from an application security perspective.
DeltaGRiC Consulting is the leading Applications Security consultancy helping African businesses running on SAP, Open Source Applications, and PeopleSoft Enterprise Applications to mitigate cyber-security risks and compliance violations using the Industry’s multi-award winning methodologies and most credible solutions.
DeltaGRiC’s niche proposition is SAP Vulnerability Assessment, SAP Forensics & Penetration test and also Open Source Vulnerability Assessment.