
The Post Bank versus Pentagon

Johannesburg, 25 Jan 2012

The SA Postbank, part of the SA Post Office, became the target of cyber crime this month, losing R42 million when the system was accessed illegally and funds were transferred into mule accounts. They say that in war the first casualty is the truth, and during information warfare this is even more the case. The ongoing media speculation has borne this out, and at this stage the truth about what actually happened is still uncertain.

However, there are two things that should be highlighted. Firstly, there is an urgent need for the approval of the South African National Cyber Security Policy, which has been pending for nearly two years and which would not only clearly define minimum security standards, but also establish incident response teams to handle similar incidents.

Secondly, organisations need to consider the impact of the Protection of Personal Information Act, which requires mandatory disclosure of unauthorised access to personal information, as was clearly the case here.

The initial report stated that two suspects were being investigated; however, this was later updated to suggest that keystroke loggers were used to steal the login credentials of the two users. This modus operandi has been present in South Africa for more than five years, and is designed to bypass the separation-of-duties controls that protect financial systems: a transfer that must be captured by one user and authorised by another is no protection at all once the attacker holds both users' passwords and can replay them.

The Post Office Trust Centre was designed to address these security concerns by introducing strong authentication technologies; however, it appears that the technology was never rolled out within the Post Bank environment. Two-factor authentication, such as smart cards, has been available for many years and should be a minimum standard for all government financial transactions. It is currently deployed in high-security environments such as the US Department of Defense, the Department of Homeland Security and the US State Department.
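To make the two preceding points concrete, the following is an added example (not code from the article, the Postbank or the Post Office Trust Centre) of a maker/checker approval in which two different users must approve a transfer. It simulates a keylogger that records everything the two legitimate users type during one approval, and then replays it to approve a second, fraudulent transfer. With passwords alone the replay succeeds; with a challenge-response second factor whose key lives only on the user's token and whose challenge is fresh and single-use, the captured keystrokes are useless. The user names, passwords, device keys and the HMAC-SHA256 challenge-response scheme are constructed assumptions for the demonstration and simplify what a real smart-card deployment does.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed sample data (hypothetical users, not real Postbank accounts):
# two roles, as a maker/checker (separation of duties) scheme requires.
USER_PASSWORDS: Dict[str, str] = {"maker": "Winter2012!", "checker": "Summer2011!"}
# Hypothetical per-user secret that only the user's token holds and is never typed.
DEVICE_KEYS: Dict[str, bytes] = {"maker": b"\x01" * 32, "checker": b"\x02" * 32}


def device_response(device_key: bytes, challenge: bytes) -> str:
    """What the token computes when the user presents a fresh server challenge."""
    return hmac.new(device_key, challenge, hashlib.sha256).hexdigest()


class TransferApproval:
    """One payment that is released only after two different users approve it."""

    def __init__(self, second_factor: bool):
        self.second_factor = second_factor
        self.salt = os.urandom(16)
        self.password_hashes = {
            user: hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)
            for user, pw in USER_PASSWORDS.items()
        }
        self.pending: Dict[str, bytes] = {}   # user -> outstanding challenge, single use
        self.approved_by = set()

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random challenge for this user's approval of this transfer."""
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def approve(self, user: str, password: str, response: Optional[str] = None) -> bool:
        stored = self.password_hashes.get(user)
        supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if stored is None or not hmac.compare_digest(supplied, stored):
            return False
        if self.second_factor:
            nonce = self.pending.pop(user, None)   # consume it: a response is good once
            if nonce is None or response is None:
                return False
            expected = device_response(DEVICE_KEYS[user], nonce)
            if not hmac.compare_digest(response, expected):
                return False
        self.approved_by.add(user)
        return True

    def released(self) -> bool:
        """Separation of duties: two distinct approvers are required."""
        return len(self.approved_by) >= 2


def keylogger_attack(second_factor: bool) -> bool:
    """Legitimate users approve one transfer while a keylogger records what they type;
    the attacker then replays the captured keystrokes against a second transfer.
    Returns True if the fraudulent transfer is released."""
    captured: Dict[str, tuple] = {}
    legitimate = TransferApproval(second_factor)
    for user, pw in USER_PASSWORDS.items():
        response = None
        if second_factor:
            response = device_response(DEVICE_KEYS[user], legitimate.challenge(user))
        assert legitimate.approve(user, pw, response)
        captured[user] = (pw, response)           # everything a keylogger can see

    fraudulent = TransferApproval(second_factor)
    for user, (pw, response) in captured.items():
        if second_factor:
            fraudulent.challenge(user)            # server issues a new nonce each time
        fraudulent.approve(user, pw, response)    # replay of the recorded keystrokes
    return fraudulent.released()


if __name__ == "__main__":
    print("password only, fraud released:", keylogger_attack(second_factor=False))   # True
    print("with challenge-response, fraud released:", keylogger_attack(second_factor=True))  # False
```

The point the example makes is narrow: a second factor bound to a fresh challenge stops the replay of recorded credentials, which is exactly the attack the keystroke-logger account describes. It does not make the workstation trustworthy. Malware that sits on the same host can still drive an inserted smart card while the user is logged in, which is why the Sykipot variant discussed below matters even for environments that have deployed cards.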

However, no technology is a silver bullet. Just days before the Post Bank incident was publicised, security researchers revealed that they had uncovered a new variant of malicious software called Sykipot that targets smart cards used to access restricted servers and networks. Previous Sykipot strains have been traced to command-and-control servers in China, and the researchers said they discovered Chinese characters in a small snippet of code.

Sykipot used an e-mail campaign to lure victims into opening an infected PDF attachment, so the pertinent question is how exactly did the Post Bank computers get infected with a keystroke logger?

The Cyber Crime Research Group's philosophy is that offence should inform defence, and our approach is to understand actual South African security incidents in order to provide guidance as to how to better protect South African organisations. South African organisations are very lucky that they do not have to repel some of the cutting-edge hacking techniques used internationally. Unfortunately, it is also clear that cyber criminals do not need them to compromise our systems.

To join the Information Security Group of Africa's Cyber Crime SIG (Special Interest Group), please contact Iain Campbell on iain@criticalid.net.


Editorial contacts

Tania Diesel
Information Security Group of Africa
(082) 443 2494
tania@isgafrica.org