In the last couple of months, facts regarding breaches that occurred during December 2018 at PostBank, the national postal bank operator of South Africa, have become known. This information is quite serious as it relates to a fraud that cost the bank millions of dollars and significantly damaged its reputation.
PostBank’s Master Key Breach
Many newspapers in South Africa have reported: “South African Bank to Replace 12m Cards after Employees Stole Master Key.” The fraud in question involved the theft of a host master key, a 36-digit code, used by the bank to generate and protect all the keys of their platforms.
The host master key was located in the old personalization centre of the bank, in Pretoria. As early as December 2018, several rogue employees managed to steal it, decrypt it, and print the key on paper.
The bank gradually understood the gravity of the fraud over time. After stealing the key, the attackers used the master key to access the bank accounts directly. These criminals then made more than 25,000 fraudulent transactions that resulted in the theft of more than $3.2 million USD (56 million Rand) from customer balances. Many of these defrauded customers were receiving social grants from the South African Social Security Agency (SASSA). The master key was used mostly by the bank for SASSA's payment system.
The stolen master key protected all the other cryptographic keys. Therefore, the attackers could access all the ATM PINs, home banking access codes, customer data, and credit cards inside the mainframe architecture.
As a result, the bank had to regenerate the master key and urgently replace around 12 million cards. The bank experienced a substantial loss equal to approximately 60 million US dollars. It also suffered considerable damage to its reputation since the story could no longer be hidden from the public.
Currently, not all information about the details of the fraud has been disclosed. At the time when the fraud was committed, the PostBank of South Africa had modern security in place, including the latest PKI, video monitoring, and biometric controls. So how did it happen?
From what is known, the following might be assumed:
- The fraud would have involved a number of the bank's employees at the time of the fraud.
- Some local directors and/or people with administrative authority would have been among the group of employees.
- Hence, the fraud was most likely an insider job.
It is not known if PostBank's key management was compliant with financial standards such as X9.24-1 or PCI DSS. However, it is believed that the bank’s master key should have been guarded on specific servers, with secure operating systems and disconnected physically from the bank's main network. Additionally, the key could not be reconstructed without the combination of a certain number of "special" employees provided with authoritative privileges.
Such groups of authorized employees (key custodians) are permanently changed and refreshed. Therefore, it seems impossible that collusion between rogue employees could have happened at such a scale. It is believed that some employees copied the master key after it had been stored in clear text on one (or more) laptops.
It appears that the cryptographic system of PostBank had several flaws and was not consistent in using a secure cryptographic Key Management System (KMS). PostBank was likely using a very outdated approach (at least partially), e.g., printing key information and placing it in a safe as a backup to the master key. This could explain why something so horribly wrong happened.
During the early generation of key management processes in the banking environment, key custodians were represented by a group of typically three people. Each one owned a part of the key, printed on paper, and stored in a dedicated safe under the key custodian's responsibility.
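The three-custodian arrangement described above can be sketched as XOR key components. This is an added example, not PostBank's or any vendor's code; the function names, the 16-byte key length and the HMAC-based check value (a stand-in for a banking key check value) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # bytes; assumed key length for this sketch


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, custodians=3):
    """Split a key into XOR components, one per custodian."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for part in parts:
        last = xor_bytes(last, part)
    return parts + [last]


def combine(components):
    """XOR all components together. In a real ceremony this step happens
    inside an HSM, so the clear key never exists on a general-purpose host."""
    out = bytes(len(components[0]))
    for comp in components:
        if len(comp) != len(out):
            raise ValueError("component length mismatch")
        out = xor_bytes(out, comp)
    return out


def check_value(key):
    """Short value custodians compare to confirm the right key was formed
    (assumption: truncated HMAC-SHA256 instead of a cipher-based KCV)."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:6].upper()


def missing_component_for(known, candidate_key):
    """Holders of all-but-one component learn nothing: every candidate key
    is consistent with some value of the component they lack."""
    return xor_bytes(candidate_key, combine(known))


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)  # constructed sample key
    parts = split_key(master)
    print("check value matches:", check_value(combine(parts)) == check_value(master))
    decoy = secrets.token_bytes(KEY_LEN)
    forged = missing_component_for(parts[:2], decoy)
    print("two colluders cannot rule out decoy:", combine(parts[:2] + [forged]) == decoy)
```

The protection holds only while no single place ever holds the combined key in the clear, which is the failure the article attributes to the key being stored on a laptop.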
Most experts agree that, on this occasion, it is virtually impossible that PostBank used a modern KMS with robust practices at the time of the fraud.
Dedicated key management systems (KMSs) and HSMs are costly, as are the maintenance and training fees for such systems. However, the example presented in this article demonstrates the damage that can occur if a bank decides that modern key management systems and HSMs are unnecessary and instead relies on older cryptographic management systems, whether relaxed or customized. Hiring developers to build a custom KMS without robust controls may also lead to such situations, either during development or after production.
A secure KMS protects keys from malevolent and rogue employees because of the strict built-in rules that are implemented. This prevents a group of insider attackers from accessing the keys. Therefore, KMSs & HSMs are necessary within a modern bank environment.