The incident reportedly resulted from the bank’s master key being printed in plaintext at Postbank’s old data centre in the Pretoria city centre in 2018. The master key is a 36-digit code (an encryption key) whose holder can decrypt the bank’s operations and even access and modify banking systems. It is also used to generate keys for customer cards.
The 36-digit encryption key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards”.
The stolen master key was used to “access accounts and make more than 25,000 fraudulent transactions, stealing more than $3.2 million (56 million rand) from customer balances” in 9 months, as cited by ZDNet.
As a result of this breach, Postbank will have to replace all customer cards that have been generated with the master key. This will cost the bank about $58 million to replace all the exposed cards.
A bank’s master key is its most sensitive secret and has to be adequately protected in an HSM under the four-eye principle, which requires at least two people to jointly perform any sensitive operation.
Security controls such as periodic key rotation, separation of privileges and other organisational security hygiene could have prevented this breach.
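To make the dual-control and rotation points concrete, here is an added illustration (not code from Postbank or from this post) of split knowledge: the master key is held as XOR components by separate custodians so that no single person, and no single printout, ever holds the whole key, and card keys are derived under a key version so that rotating the master key changes every card key. The HMAC-based card-key derivation is a hypothetical stand-in, not a real payment-card scheme.

```python
import hmac
import hashlib
import secrets
from typing import List

def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("all key components must have the same length")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def split_key(master_key: bytes, custodians: int = 2) -> List[bytes]:
    """Split a master key into one random component per custodian.
    Any subset smaller than the full set is indistinguishable from
    random, so no single person (or single printout) holds the key."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    comps = [secrets.token_bytes(len(master_key)) for _ in range(custodians - 1)]
    comps.append(xor_bytes(master_key, *comps))  # last component closes the XOR
    return comps

def combine_key(components: List[bytes]) -> bytes:
    """Reconstruct the key; only correct when every component is present."""
    return xor_bytes(*components)

def derive_card_key(master_key: bytes, key_version: int, card_id: str) -> bytes:
    """Hypothetical HMAC-SHA256 card-key derivation (illustrative only, not a
    real EMV scheme). Binding key_version into the label means a rotated
    master key yields new card keys, which is why exposed cards need reissue."""
    label = f"card-key|v{key_version}|{card_id}".encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()

if __name__ == "__main__":
    master = secrets.token_bytes(32)          # constructed sample key, never printed
    comps = split_key(master, custodians=3)
    assert combine_key(comps) == master
    assert combine_key(comps[:2]) != master   # two of three custodians: no key
    print(derive_card_key(master, 1, "card-0001").hex())
```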