The Postbank is having to replace about 12-million bank cards at a cost of R1bn after a major security breach that exposes the personal data of millions of social-grant beneficiaries and other account holders.
The breach resulted from the printing of the bank's encrypted master key in plain, unencrypted digital language at the Postbank's old data centre in the Pretoria city centre.
According to a number of internal Postbank reports, which the Sunday Times obtained, the master key was then stolen by employees.
One of the reports said that the cards would cost about R1bn to replace. The master key, a 36-digit code, allows anyone who has it to gain unfettered access to the bank's systems, and allows them to read and rewrite account balances, and change information and data on any of the bank's 12-million cards.
The number of Sassa and Postbank cardholders
— 12-million
Those who have been affected by the breach include between 8-million and 10-million beneficiaries who receive social grants from the Postbank every month. About 1-million more Postbank account holders have also been affected. Their personal data is now in the hands of the "criminals" who stole the master key.
An internal Postbank financial crime overview report, dated December, which the Sunday Times also obtained, shows that between March 2018 - three months after the master key was generated - and December 2019, the bank recorded about 25,000 fraudulent transactions in which R56m was stolen from grant beneficiaries. The money was stolen from social grant cards.
'Create panic'
The Postbank, a division of the South African Post Office, distributes about 10-million grants for the Social Security Agency of SA (Sassa).
Despite documents the Sunday Times obtained containing claims to the contrary, the Post Office denied that the Postbank's master key had been compromised. Post Office spokesperson Bongani Diako said: "These unfounded stories only seek to create panic among the clients, customers and the shareholder of the bank."
Social development minister Lindiwe Zulu told the Sunday Times that she had convened a number of meetings to address the security breaches.
"We have been engaging with the Reserve Bank. We can't afford security breaches. Compromising Sassa cards is not good. We are busy trying to fix the issues."
Documents show that in response to the security breach, the Reserve Bank in September gave the Postbank 18 months to replace all 12-million cards that are linked to the stolen master key. To mitigate the risk, the Bank also banned contactless offline transactions for cardholders for 18 months.
An internal Postbank report, compiled in January, titled Major Operational Risk Event Report: Postbank Card Compromise, says that on February 20 and 21 last year, risk and fraud experts from Absa and Standard Bank tested two Postbank-issued Sassa cards. The report says the experts concluded that the balances in the two cards had been changed using the master key.
"The significant internal control failures and weaknesses around card management and issuing has introduced major risks to the broader financial industry and the national payment system," the report says.
The report, written by the Postbank's former chief risk officer, Benjamin April, says that in February last year the Reserve Bank ordered an investigation after it was discovered that fraudulent transactions had been committed using Sassa's Postbank cards.
April, who declined to comment, left last month when his contract expired, leaving the bank without a chief risk officer.
The investigation, completed in July last year, was done by investigators from forensics firm Foregenix. Its report found that the master key had been "exposed" in March 2018 and had to be destroyed, and that "Sassa card parameters have certainly been compromised and are in the hands of criminals".
Foregenix's dossier, which the Sunday Times has also obtained, reveals that the encrypted master key "was exposed during the July 2018 data centre move and subsequently compromised after being stored in clear text on one laptop [at a minimum] and remains compromised to the present day."
The amount stolen from Sassa cardholders in 25,000 fraudulent transactions between March 2018 and December 2019
— R56-million
Investigators said storing the master key in unencrypted, clear-text form was a "catastrophic event" and had resulted from a "catalogue of systemic failures".
An employee had copied the master key to a memory stick, which has been lost, says the report. "We have received conflicting and confusing statements and it would be prudent to conclude that all of the keys stored on the laptop and subsequently transferred should be considered compromised as they resided in clear-text form."
The official who copied the master key to her laptop and to a memory stick was suspended, but has returned to work. Two other officials have been suspended and are in disciplinary hearings.
However, a trail of e-mails between senior Postbank staff shows that its former CEO, Hannes van der Merwe, who retired at the end of last month, had also removed a memory stick containing the master key and stored it at his house in October.
The e-mails said that the master key was meant to be destroyed in the presence of witnesses in about October, but this did not happen because it was in Van der Merwe's possession. On March 12, April wrote to Van der Merwe asking him to return the master key so it could be destroyed.
"You have the USB containing the card master keys in the clear since 31 October 2019. Can you return it for it to be destroyed? During the time the USB was in your possession, give us reason why you required it, what purpose was it required for, and the evidence of how it was stored and secure," the e-mail said.
Van der Merwe responded, saying: "You are correct. I do have the flash drive and it is locked in a safe at my house. The reason why I took it is because I didn't trust anyone else to keep it in safe custody while there may still be need for it during the investigations. I will bring it to the office sometime next week to be destroyed."
Van der Merwe declined to comment.
The investigation Van der Merwe referred to was into officials implicated in printing the master key in clear text and copying it to the memory stick that was subsequently reported lost.
Returned the master key
April told Van der Merwe to return the master key and hand it to him in the presence of internal and external auditors, and the Postbank's head of IT security.
Diako did not respond to detailed questions about why Van der Merwe had removed the master key from the bank and whether he had returned it. He denied the allegations contained in the internal reports, but confirmed an entirely separate matter of the theft of 250 Sassa cards from the Postbank, saying the bank was dealing with it.
"In line with industry standards and practice, Postbank has been working in collaboration with the Payments Association of SA, the South African Reserve Bank [SARB] and the industry in developing a permanent solution which Postbank will implement in accordance with the timelines agreed to with the SARB," he said.
Tim Masela, head of national payment systems at the Bank, said he was aware of the fraud at the Postbank. "The SARB was, in January 2019, made aware of fraud that was being committed in the national payment system using some of the Sassa-issued cards. The SARB initiated a forensic audit of the card issuance process of the Postbank, which led to a number of findings and recommendations."
Masela said the Reserve Bank expected the Postbank to meet the deadline to replace the cards by March 31 next year.
Sassa spokesperson Paseka Letsatsi said the agency was working with the Post Office to ensure that grant beneficiaries were not compromised. He said it was the intention of Sassa and the Post Office to ensure a "lasting solution" to maintain the integrity of the system.
In his January report, April accuses the bank's executives of failing to grasp the seriousness of the situation.
"It seems that the significance of magnitude of this card breach may not have been comprehended by Postbank operations and IT senior management. The Sassa master-key compromise is a significant failure for the Postbank and also for the national payment system.
It is the first time in South African card and payment history and Visa that both a magstripe and chip-card master-key breach has occurred simultaneously and so soon after a card being launched."
Systems wide open to fraud
An internal Postbank report dated January this year, "Overall IT Security Register", says Postbank has "very high security risks" and no systems in place to audit the activity of a number of employees who have access to its banking systems.
It says there are no audit logs and trails, and no controls to safeguard privacy or manage users. This means that if anyone steals money from account holders and welfare recipients, they will be almost impossible to catch.
"Database activity by privileged users is not audited and as such in the event of improper and unauthorised actions performed there will be no ability to identify and reconstruct what was modified or accessed," the report says.
A Postbank executive, who spoke on condition of anonymity, said that "in simple language it means that we are not able to tell who accessed which account, transferred how much, when, how and why. This is a risk that no bank can ever afford. It is just as bad as not being able to reconcile and settle."
The number of fraudsters who registered themselves on the Postbank’s integrated grant payment system,
according to an internal Postbank report
— 1,600
A fraud and financial crimes report published by Postbank in December last year states that about 1,600 fraudsters, not employed by the bank, had registered themselves as users on the integrated grant payment system (IGPS) software and granted themselves administration rights.
Meanwhile, according to e-mails between senior executives and seen by the Sunday Times, Postbank has no accounting software to record how much money was paid and to who. The bank reconciles all accounts manually.
Every month, the South African Social Security Agency (Sassa) transfers millions of rands in social grants to Postbank for payment to beneficiaries.
The executive said Postbank is "not able to tell Sassa how much has been paid to whom, where, and how much should be returned."
Post Office spokesperson Bongani Diako said: "It is on record that systematic difficulties were uncovered with the IGPS's reconciliation functionality during its inception. Sapo, Postbank and Sassa have been working together with payments industry role players in devising a permanent solution and we can confirm that the reconciliation issue has been resolved."
He said Postbank is "operating a core banking platform for its day-to-day banking services to all its customers, and in line with banking industry practices, Postbank's core banking platform is equipped with all necessary functionalities including automated reconciliations, as well as fully participating within the National Payments System".
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.