Banks on high alert after Dexter attack

The recent POS data breach highlights the need for businesses to institute security measures and become PCI DSS compliant.

---

SA's banks are on high alert after falling prey to a sophisticated cyber attack that cost them tens of millions of rands this year.

Part of one of the biggest security breaches in recent local history, the Dexter malware that was installed remotely on some of SA's top fast food and restaurant chains' point of sales (POS) systems went unnoticed for months. Now that it has come to light, SA's banks have had to do damage control as they try to quell customer fears.

The precise extent of the breach is still unknown, but Payment Association SA (PASA) CEO Walter Volker says the fact that fraudsters had months to garner card information from restaurant-goers, and produce copied cards, means it was extensive.

The banks have all confirmed they are now aware of the data compromise affecting certain food chain customers. They have assured their own customers that steps have been taken to secure systems and prevent further leakage of card details.

Volker notes SA's banks will bear the brunt of any financial loss suffered while consumers have the benefit of recourse.

Standard Bank says: "Standard Bank is aware of the breach of card data that has been stored, external to the bank, in select fast food outlets. This fraud impacted the banking industry as a whole, and some Standard Bank debit, credit and cheque card customers have been affected. Immediate and proactive steps have been taken by Standard Bank and at an industry level to identify and limit the extent of the potential exposure."

The bank says all cards that may have been impacted have already been placed under a "heightened level of monitoring" to detect unusual or fraudulent activity. "Should fraudulent transactions occur on any of these cards, cardholders will not be exposed to any losses and Standard Bank will replace the cards of affected customers."

Standard Bank says it views the Dexter breach in a serious light, and has committed resources and skills to ensure customers can transact safely. "The incident is regrettable and Standard Bank would like to reassure customers that there is no need for undue concern. The banking industry and PASA has well developed and sophisticated fraud and risk management systems in place to limit the exposure of our customers to criminal activity."

Should Standard Bank customers pick up any suspicious transactions through MyUpdates (SMS alerts), Internet banking, the mobile app, or on bank statements, they are urged to contact the bank on 0861 201 000.

Alan Scoular, CEO of First National Bank (FNB) merchant services, says the company has, through PASA - and in collaboration with the rest of the card industry - taken steps over the last few months to mitigate the extent of potential exposure caused by the Dexter malware, and has secured the relevant systems.

"FNB continually monitors all card transactions for unusual or fraudulent activity and take the necessary proactive measures to prevent fraud, including the re-issue of cards to potentially affected customers."

Scoular says, over the past few years, the bank has seen card fraud (measured as a percentage of turnover) drop significantly due to extensive investments in chip technology, "3Dsecure for e-commerce, risk monitoring capabilities, inContact transactional messaging and customer awareness initiatives [are some of these]."

He says customers need not be concerned. "As always we urge customers to remain vigilant and to monitor bank statements and FNB inContact messages. As is our practice, any customer who feels that their card may or could be compromised, should contact us by calling the number on the back of their cards and we will gladly re-issue them with a new card at no additional cost. We will also reverse any transactions committed fraudulently."

Head of Nedbank's card risk services, Rene de Villiers, says the number of incidents reported to the bank is limited. Where fraud losses have been reported, she says, Nedbank Card clients have been refunded and issued with new cards.

"Nedbank will continue to closely monitor all transactions acquired by third-party processors and Nedbank clients need not be concerned."

De Villiers says, should Nedbank customers suspect fraudulent transactions are taking place at all, they need to contact the bank immediately by phoning the fraud desk on 011 710 4710 or the Nedbank contact centre on 0860 555 111.

SA's biggest bank by customer numbers, Absa, says it too saw limited incidents resulting from the Dexter breach.

"It has come to light that the Dexter virus was identified at a contained number of terminals across a number of merchants where Absa has had very limited exposure to date."

The bank says banking fraud is a major concern for it and "significant investment is made in helping ensure customers are aware of safe banking practices".

With regards to the Dexter incident specifically, Absa says - supported by the South African Banking Risk Information Centre - it is working with authorities under the guidance of PASA to reach resolution.

"Absa still urges customers to remain vigilant and scrutinise their credit card statements for unusual or unfamiliar transactions. Absa provides its NotifyMe service to alert customers to transactions performed on their accounts and encourages customers to make use of this service to proactively identify unauthorised transactions which may be as a result of compromised card data."

Meanwhile, in the security and retail sectors, the latest Dexter breach has been seen as a reinforcement of how important it is for retailers to install and maintain security systems, as well as become fully compliant in terms of the Payment Card Industry Data Security Standards (PCI DSS).

Volker says the incident shores up the various "Internet and physical movements" being made towards creating a more secure ecosystem.

Andrew Kirkland, regional director at Trustwave, explains: "Dexter malware is known to target Windows POS terminals and steal track data and send it to central command and control servers."

He says the latest breach demonstrates why all businesses, including franchises, cannot overlook security.

According to the 2013 Trustwave Global Security Report, the primary targets of cyber criminals in 2012 were retail (45%), food and beverage (24%) and hospitality (9%).

Kirkland says there are a number of factors that contribute to this continuing trend, such as the sheer volume of payment cards used in these industries, and the fact that the main focus of organisations operating in these spaces is customer service, not data security.

"The retail space saw a 15% increase in 2012 compared to 2011, nearly equal to the 17% drop in food and beverage breaches. During the past three years, these two have been almost interchangeable, with similar network layouts due to the payment systems and software vendors used."

The report also found businesses were slow to "self-detect" breach activity. The average time from initial breach to detection was 210 days, more than 35 days longer than in 2011. Most victim organisations (64%) took over 90 days to detect the intrusion, while 5% took three or more years to identify the criminal activity.

In addition, the report confirms even basic security measures are still not in place. "Password1" is still the most common password used by global businesses. Of three million user passwords analysed, says Trustwave, 50% of users are using the bare minimum.

Kirkland says Trustwave hopes the new PCI DSS version (PCI DSS 3.0) - due to be announced next month - will address these areas of concern and risk.