News broke recently that thieves stole about $13M in cash from the South African Standard Bank Group in just two short hours by using forged credit cards at ATMs across Japan. Some of the forensic evidence, including the fact that the cards were printed with Chinese characters, points to a criminal group that most likely input customer data from Standard Bank customers into China-issued cards. But in some ways, the actual perpetrator is really beside the point. As criminal organizations increase their sophistication, and as customers expect and demand access to their banks from wherever they are in the world, how can banks protect themselves from these kinds of rapid, sophisticated, global attacks?
First, some more background. Seven Bank, the bank where the fake credit cards were used, is one of only two Japanese banks that currently accept foreign-issued cards. Seven Bank has said it did not suffer financial loss as a result of the incident and reassured clients that their funds are safe. This indicates that the cybercriminals did their homework – understanding which bank, in a country they could access, was likely to be the best target from which to withdraw the cash. Furthermore, the criminals might have intentionally chosen to attack outside of regular business hours for time zones in both Japan and South Africa with the hope of going undetected.
This piece of the challenge is likely to grow in the future, with more banks allowing overseas use and creating agreements for this. Just this month, China UnionPay made agreements with numerous banks in a number of countries (including South Africa), creating greater convenience for their customers travelling internationally, but also opening themselves up to greater potential exposure.
It will benefit banks on both sides of these transactions to improve their anomaly detection capabilities. Multiple transactions at the maximum amount of 100,000 yen, using South African cards from a single bank, drawn on a single bank in Japan, are highly suspicious. The distributing banks, such as Seven Bank in Japan, should have been able to spot and at least question, if not stop, such a pattern. Even though the funds at stake are not ultimately theirs, it benefits them to provide an additional layer of security that notifies member banks of any suspicious transactions.
Equally important, since qualification of a transaction is done by the cardholder’s bank (in this case Standard Bank), the ability to spot patterns and to conduct checks on criteria such as IP/location and behavior might have stopped such a blatant attack, even outside of regular business hours.
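The pattern described above (many maximum-amount withdrawals, on cards from one issuing bank, at one acquiring bank, in a short time) can be written as a sliding-window rule that either side of the transaction could run. The following Python is an added example, not code from Easy Solutions or DetectTA; the thresholds, field names and sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; only the 100,000 yen limit is from the article.
MAX_WITHDRAWAL_YEN = 100_000
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_CARDS = 5
MIN_AT_LIMIT_RATIO = 0.8

def detect_cashout_bursts(transactions):
    """Flag (issuer, acquirer) pairs where many distinct cards withdraw the
    maximum amount inside WINDOW. Each transaction is a dict with keys
    ts (datetime), card (masked id), issuer, acquirer, amount (yen)."""
    windows = defaultdict(deque)  # (issuer, acquirer) -> transactions in window
    alerted, alerts = set(), []
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        key = (tx["issuer"], tx["acquirer"])
        win = windows[key]
        win.append(tx)
        # Drop transactions that have aged out of the sliding window.
        while tx["ts"] - win[0]["ts"] > WINDOW:
            win.popleft()
        cards = {t["card"] for t in win}
        ratio = sum(t["amount"] >= MAX_WITHDRAWAL_YEN for t in win) / len(win)
        if (key not in alerted and len(cards) >= MIN_DISTINCT_CARDS
                and ratio >= MIN_AT_LIMIT_RATIO):
            alerted.add(key)  # one alert per issuer/acquirer pair
            alerts.append({"issuer": key[0], "acquirer": key[1],
                           "first_seen": win[0]["ts"], "flagged_at": tx["ts"],
                           "distinct_cards": len(cards),
                           "at_limit_ratio": round(ratio, 2)})
    return alerts

def sample_transactions():
    """Constructed data: a burst from one foreign issuer plus ordinary traffic."""
    t0 = datetime(2020, 1, 1, 5, 0)  # constructed timestamp, outside business hours
    burst = [{"ts": t0 + timedelta(minutes=2 * i), "card": f"A-{i:03d}",
              "issuer": "ISSUER-A", "acquirer": "ACQ-JP", "amount": 100_000}
             for i in range(8)]
    normal = [{"ts": t0 + timedelta(minutes=7 * i), "card": f"B-{i:03d}",
               "issuer": "ISSUER-B", "acquirer": "ACQ-JP",
               "amount": 20_000 + 5_000 * i} for i in range(6)]
    return burst + normal

if __name__ == "__main__":
    for alert in detect_cashout_bursts(sample_transactions()):
        print(alert)
```

On the constructed data the rule fires on the fifth maximum-amount withdrawal from ISSUER-A, eight minutes into the burst, while the ordinary ISSUER-B traffic with the same number of cards but varied amounts raises nothing.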
It is also interesting to note that South Africa has long had EMV (Chip and PIN), the standard being applied in the US today, in the hopes of reducing credit card fraud. As we predicted last year, EMV does not necessarily reduce the rate of fraud, but instead moves it to other online or non-EMV enabled channels. It is now clear that one of these channels is the targeting of banks in foreign countries that do not yet use EMV or allow fallback for foreign transactions. As the criminals evolve their methods, banks must evolve too if they want to maintain or reduce their fraud rates and keep their customer confidence.
For more information about DetectTA, Easy Solutions’ behavioral anomaly detection solution for banks, visit https://www.easysol.net/products/easy-sol-products/detectta.