Hack attack a costly lesson for banks
The recent credit card breach involving PayGate, a local payment service provider, has exposed a weakness in the national payment system that the regulator, the banks and service providers are fixing, fast.
The international syndicate responsible for the hack may have accessed the card details of hundreds of thousands of users. But the banks say there’s no need to panic: they are covering any losses you incur from fraud related to this incident – and if you’re at risk, your bank is monitoring your credit card account.
The Payments Association of South Africa (Pasa), the body responsible for regulating the national payment system, is checking the compliance of about 50 operators that facilitate payments from your bank account to a retailer’s bank account when you shop online.
Walter Volker, the chief executive of Pasa, says one of the “major lessons learned” is that there’s a need for a better way of checking the compliance of operators such as PayGate, which fell victim to a hacker’s attack.
“Unfortunately, in this case PayGate was acquired by four of the major banks and it seems that each assumed that compliance was taken care of. This is one of the major lessons learned. We need a more formalised, explicit way of checking compliance.
“We have a set of criteria that covers a number of things, but the plan is to extend that list to ensure adherence to the Payment Card Industry Data Security Standards (PCI-DSS).”
The PCI-DSS (Payment Card Industry Data Security Standard) is the card brands’ security standard for any organisation that stores, processes or transmits cardholder data, which includes payment service providers such as PayGate as well as the banks.
Volker says while there is a weakness in regulating operators, ultimately “the risk is with the banks. And we expect our banks to comply with PCI-DSS.”
He says Pasa is in the process of reviewing Pasa-registered operators that are card-enabled, to determine how many are PCI-DSS-compliant. He says once this is done, those operators that aren’t yet compliant will be given a deadline to comply.
PayGate is not yet fully compliant with PCI-DSS, and the hack occurred three months before the company was due to be audited, Peter Harvey, managing director of PayGate, says.
Harvey says PayGate reported its compliance status to the major banks on a regular basis, and in 14 years the company has never had an incident.
“We’re optimistic we caught it quickly and locked it down 100 percent,” he says. The breach was by way of hidden files found on PayGate’s server, which has subsequently been replaced. Since the breach, PayGate has had two PCI-DSS companies run scans on the system and has passed both, he says.
If you’re one of the “hundreds of thousands” of customers whose credit card details were on the database that was compromised, you won’t necessarily be notified of this by your bank.
Pasa has given the individual banks the discretion to decide whether to contact you with a view to replacing cards that might have been exposed, or rather placing your cards on a “heightened level of monitoring”.
Last week, Pasa issued a media release that broke the news of the security breach, which, Harvey says, took place in August. He says the banks and the card associations were notified at the time.
This week, the message from the banks was unanimous: there is no need to panic; the number of incidents is “limited”.
None of the banks is willing to divulge how many of their customers have been victims of credit card fraud as a result of the breach, and nor will they disclose the extent of their losses.
Johan Maree, chief executive of First National Bank’s credit card division, says disclosing such information will only “create unnecessary panic”.
“It’s not that we’re withholding information, but it would create panic if we were to alert every customer on that list,” he says.
The banks are not seeking to hide anything from customers, he says, but they have to exercise discretion because an investigation is under way.
The commercial crime unit is investigating the incident.
Maree says the incident has presented “massive learnings” for the banking industry and highlighted the need for tighter regulations in the payment system.
“There will definitely be some changes and a tightening of regulations,” Maree says. “We have to close the gaps. As an industry, we can’t let this happen again.”
In response to online news reports, some customers have said their banks ought to have notified them about the breach sooner, and at least one lawyer has said that Pasa and the banks are fortunate that the Protection of Personal Information Bill (POPI) is not yet law (see “New law to protect you”, below).
An “operator” (such as PayGate) or a “responsible party” (such as your bank) can face fines of up to R10 million or up to 10 years in jail for failing to comply with the POPI law.
Although Absa elected to contact all of its customers whose details were on the list of credit card users affected by the breach, Arrie Rautenbach, head of retail markets at Absa, says a statement notifying customers in general would be “highly irresponsible” in the circumstances. “Mass communication to all customers would have been counter-productive, as this would have exposed more customers to opportunistic fraud attempts, causing concern for the large percentage of customers who were not affected,” he says.
Rautenbach says that although it became known to the industry that some data at PayGate may have been breached, the extent of the breach was only reported to the bank by the card associations in October. “At this stage Absa received the details regarding specific card customers and began notifying them as soon as we reasonably could.”
Sugendhree Reddy, head of personal markets at Standard Bank, says that when the bank becomes aware of fraud on a customer’s account, it will contact you, cancel the card and issue a new card. You will not be liable for the fraud if you are not at fault – for example, if you have not compromised your personal identification number (PIN). This instance is no different, she says.
Maree says the banks are in constant collaboration in the ongoing fight against fraud.
Credit cards are still safer than cash, he says, and no matter how strong the regulations, crime will continue.
NEW LAW TO PROTECT YOU
The breach in the security of information held about credit card holders may be handled differently when the Protection of Personal Information (POPI) Act is in place.
The POPI bill was recently adopted by Parliament’s committee on justice and will now go to the National Council of Provinces and National Assembly.
It is expected to be enacted next year, and will give those who collect your personal information time to comply, Peter Hill, the director of IT Governance Network, an IT governance and data privacy consultancy, says.
If passed into law, the bill will oblige parties who collect your personal information, such as the bank, to inform you that your information is being collected, what it will be used for and who will be able to process it, Hill says.
The bill obliges those who collect your information to ensure that it is stored securely and stipulates what parties must do in the event of a breach of the security of private information.
One of the provisions of the bill is that you must be informed if your data has been accessed or lost “as soon as reasonably possible after the discovery of the compromise”.
The bill provides that where there are reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, the entity that collected your information (the “responsible party”, such as your bank) must notify the Information Regulator and every person affected. That duty applies even when the breach happened at an operator (such as PayGate) that processes the information under the bank’s authority.
The bill provides that an Information Regulator be set up to protect your rights.
Hill says when enacted the bill will require banks to inform every affected person about a security breach and to provide them with a description of the possible consequences of the breach, the measures the bank will or has taken to address the compromise and the measures those affected can take to mitigate any adverse effects of the security compromise.
The only ground on which a bank may delay notifying you is that the police (or a similar body), or the Regulator, determine that notification would impede a criminal investigation.
The bill provides for certain contraventions of its provisions to be criminal offences punishable by a fine of up to R10 million or imprisonment of up to 10 years.
TIPS FOR TRANSACTING SAFELY ON THE NET
When you become the victim of credit card fraud, it is usually the result of a weakness at your end rather than at the merchant or the bank: spyware on your computer that captures what you type, or a phishing attack, in which you respond to an email from fraudsters posing as your bank, for example, and in doing so disclose some of your confidential information.
Security breaches such as the one at PayGate are rare, Peter Harvey, PayGate’s managing director, says.
The banks advise that the most effective ways to protect yourself from cyber fraud are to ensure that you receive SMS updates from your bank notifying you of any activity on your accounts, and opt to receive a one-time password (OTP) for each online transaction. (With some banks, you receive an OTP when you shop on a 3D Secure site.) These services should alert you to any fraud or attempted fraud on your account.
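The per-transaction OTP the banks describe is only as strong as the checks behind it. The following is an added example (not PayGate’s, any bank’s or this article’s code) of what a bank-side verifier for such an OTP should enforce: the code is random, expires quickly, can be used once, is rate-limited, and is bound to the exact transaction (amount and merchant) so that a code phished for one purchase cannot authorise a different one. The names, the time window, the attempt limit and the way the code is handed off for SMS delivery are assumptions for illustration.

```python
"""Transaction-bound one-time password (OTP) issue/verify flow.

Added example, not PayGate's or any bank's code. Models the server side of
the "OTP per online transaction" control. Limits, names and the SMS hand-off
are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 180      # assumption: three-minute validity window
MAX_ATTEMPTS = 3           # assumption: lock the transaction after 3 wrong codes


@dataclass
class PendingOtp:
    digest: bytes            # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock            # injectable clock so expiry can be tested
        self._pending: dict[str, PendingOtp] = {}

    def _digest(self, txn_id: str, amount_cents: int, merchant: str, code: str) -> bytes:
        # Bind the code to the transaction: changing any field changes the MAC,
        # so an OTP issued for one amount/merchant cannot authorise another.
        msg = f"{txn_id}|{amount_cents}|{merchant}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str, amount_cents: int, merchant: str) -> str:
        """Create an OTP for one transaction and return it for delivery (e.g. by SMS)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = PendingOtp(
            digest=self._digest(txn_id, amount_cents, merchant, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, txn_id: str, amount_cents: int, merchant: str, code: str) -> bool:
        """True only for the right code, for the right transaction, once, in time."""
        entry = self._pending.get(txn_id)
        if entry is None or entry.used:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[txn_id]          # expired codes are discarded
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False                       # locked after too many guesses
        entry.attempts += 1
        expected = self._digest(txn_id, amount_cents, merchant, code)
        if not hmac.compare_digest(expected, entry.digest):   # constant-time compare
            return False
        entry.used = True                      # single use
        return True


def demo() -> dict:
    """Constructed scenario exercising each failure mode; returns the outcomes."""
    now = [1_700_000_000.0]
    svc = OtpService(secrets.token_bytes(32), clock=lambda: now[0])

    code = svc.issue("txn-1", 49_900, "example-shop")
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code": svc.verify("txn-1", 49_900, "example-shop", wrong),
        "tampered_amount": svc.verify("txn-1", 99_900, "example-shop", code),
        "correct": svc.verify("txn-1", 49_900, "example-shop", code),
        "replay": svc.verify("txn-1", 49_900, "example-shop", code),
    }

    code2 = svc.issue("txn-2", 1_000, "example-shop")
    now[0] += OTP_TTL_SECONDS + 1              # advance the injected clock past expiry
    results["expired"] = svc.verify("txn-2", 1_000, "example-shop", code2)

    code3 = svc.issue("txn-3", 500, "example-shop")
    wrong3 = "000000" if code3 != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("txn-3", 500, "example-shop", wrong3)
    results["locked_out"] = svc.verify("txn-3", 500, "example-shop", code3)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the binding: because the stored value is an HMAC over transaction ID, amount, merchant and code, the same six digits are useless for any other purchase, which is what an SMS OTP is supposed to guarantee and what a plain “does the code match” check does not.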
Arrie Rautenbach, the head of retail markets at Absa, says customers are also advised to deal with reputable organisations that make every effort to maintain the best standards of data protection and consumer privacy.
There are several checks that help you judge whether a website is safe to use for online payments:
* Pay attention to the website address. An address beginning with https:// (the “s” stands for secure) means your browser has an encrypted connection to the site and the site has presented a certificate for its domain; an address beginning with http:// offers neither, and card details typed into such a page can be read in transit. Note that many legitimate sites start with http:// and only switch to an https:// page when a payment needs to be made; what matters is that the page you type your card number into is the https:// one. Note also that https:// tells you only that the connection is protected, not that the merchant behind it is honest.
* Make sure that the site is 3D Secure – in other words, at checkout it hands you over to your bank to authenticate the purchase under Verified by Visa or MasterCard SecureCode. Sites that use these services normally display the emblems somewhere on the site, but an emblem is only an image; the real sign is the bank’s authentication step when you pay.
* Look out for the site’s SSL (Secure Socket Layer) certificate. Various certificate vendors sell “trust seals”, the best known being Secured by Thawte and Norton Secured, and their emblems are often displayed on the website. A seal is just an image that anyone can copy, so check the certificate itself: click the padlock in your browser’s address bar and confirm that the certificate was issued to the domain you are on.
* Opt for websites that make use of reputable third-party payment processors such as PayPal.
Sugendhree Reddy, the head of personal markets at Standard Bank, says that apart from signing up for MyUpdates and OTPs on all e-commerce transactions, customers are advised to visit Standard Bank’s security centre website (www.securitycentre.standardbank.co.za), which offers a range of tips and advice on how to bank safely and protect yourself from falling victim to criminal activity.
* Always scrutinise your bank statements, including your credit card statements, and check all transactions.
* Keep your personal information private. Never tell the merchant your ATM or any other PIN. Your PIN should never be shared with anyone.
* Keep a record of your transactions. Save and/or print the online confirmation of your orders.
* Never send payment information, such as your card and CVC number, via email. Ordinary email is not encrypted end to end: it can be read on any mail server it passes through, and it sits in both the sender’s and the recipient’s mailboxes indefinitely.