Whats wronf with Standard Bank in Japan

Three hours, around 100 people, 1 400 Japanese ATMs and 1 600 counterfeit credit cards, was all it took for fraudsters to exploit Standard Bank in Japan.

The bank, which stands to lose up to R300 million, described the attack as a “sophisticated, coordinated fraud incident” and said “swift action to contain the matter” had been taken.

“It is evident that it is an incident of transnational organised crime that was well planned and executed,” said Kalyani Pillay, CEO of the South African Banking Risk Information Centre (SABRIC).

Security experts agree, saying perpetrators went to “considerable trouble” to pull it off.

The gang is believed to have targeted Japan due to bank security measures, which permit the use of credit and debit cards with magnetic strips as opposed to the newer and more secure chip and pin technology, said Frans Lategan an IT Security Consultant at SensePost, which exposes vulnerabilities and weaknesses in computer-based systems.

According to The Yomiuri Shimbun, Japanese police believe the cash was withdrawn outside South Africa, the country in which the cards were issued, in order to delay the scam’s detection. That the withdrawals took place between 5am and 8am on Sunday, 15 May, is believed to be another delaying tactic. Seven Bank ATMs, located in 7-Eleven convenience stores, were also targeted as they are of only two Japanese banks that allow withdrawals on foreign-issued credit and debit cards. Each of the 14 000 transactions saw the gang withdraw ¥100 000 or roughly R14 300, the maximum withdrawal limit set for ATMs. However, transacting below a floor limit, could have also delayed detection as these transactions can be processed without bank authorisation, Lategan said.

The news site reported Japanese police are attempting to identify suspects by analysing security camera footage. Japanese and South African authorities are also said to be working together, via Interpol, to determine how the gang obtained the credit card data.

“In order for external parties to gain access [to credit card information], there usually involves some sort of collusion,” said Steven Powell, co-head of forensics at ENSafrica. He added Standard Bank would have to investigate whether its security measures were compromised internally or externally as well as whether the security breach was isolated to Japan.

“Unless we know what security measures were in place, it is hard to know what method was used,” said Lategan. He said the gang could have obtained the data from an inside source, merchant or other third party records or by exploiting numeration vulnerabilities.