Mail & Guardian

R300-million ATM heist ups the ante

With the data of 1 600 Standard Bank customers, fraudsters gave the banks a cybersecurity scare

- Lisa Steyn

It was a modern-day bank heist fit for the silver screen. Early on a sunlit summer’s morning in Japan, with the last cherry blossoms fading and the wisteria in bloom, more than 100 fraudsters strolled into convenience stores all around the country.

With fake credit cards cloned from the information of 1 600 South African Standard Bank customers, they made 14 000 transactions, drawing in total the equivalent of R300-million in Japanese yen from 1 400 ATMs in just three hours, between 5.00am and 8.00am local time.

The authorities, the bank and its customers in South Africa, still asleep, were none the wiser. The thieves had probably already skipped the country with the small fortune in yen, the most tradable currency in the world after the US dollar.

It was only a week later that a Japanese paper, Mainichi, reported on the theft, citing investigative sources. On Monday, Standard Bank confirmed it had been the victim of a sophisticated, co-ordinated fraud.

The bank said it had incurred a total R300-million loss, before any recoveries, but there had been no financial loss to customers. It added it could not say anything else because investigations are at a sensitive stage.

The bank’s share price wasn’t affected, and even rose following the news.

“Banks are victims of fraud all the time, they have a budget for it and work to prevent it,” said Nico Smuts, an analyst of 36ONE Asset Management, adding that this particular incident was more interesting — “more exotic” — than usual, as large co-ordinated fraud operations like it are rare.

But the loss of R300-million will have little effect on the bank’s earnings this year and, in the long run, was not material.

Banks typically budget for losses from a number of small incidents of fraud, which tend to add up to be consistent over time, Smuts said.

PwC’s latest major banks analysis found that criminality and technology risk are increasingly becoming a concern, and information technology (IT) spending continues to increase.

The firm’s global economic crime survey 2016 interviewed more than 6 000 participants in 115 countries and found the financial cost of fraud is on the rise and that 32% of respondents were affected by cybercrime, the highest ever level in the survey.

The Standard Bank incident points to some sort of vulnerability in the system but the quality of our banking infrastructure is very high, said Smuts. “The banks all take security very seriously and spend large amounts on IT and cybersecurity.”

Kalyani Pillay, the chief executive of the South African Banking Risk Information Centre, said there is no obvious reason why Standard Bank was targeted.

“All our banks take the security of their systems and information very seriously and it has always been and continues to be high priority.”

The recoveries Standard Bank mentioned in its Monday statement imply the bank will be able to claim from some or other party, such as correspondent banks in Japan or from insurers, Smuts said.

Kokkie Kooyman, a portfolio manager of Denker Capital, said most of the larger and smaller insurers would probably offer cover against cyberattacks. “Central banks would probably expect banks to cover themselves,” he said.

The banks can decide how much cover they want for small amounts, he said. “It’s like medical insurance — you can choose to have hospital cover only for severe situations. As a bank you can choose to have cover that kicks in only in cases of severe fraud or cyberattacks,” Kooyman said. “R300-million is fairly small in the bigger scheme of things, so it may be they would self-insure for that amount.”

Insurers such as Santam will offer cover for larger amounts, but they would reinsure a certain amount in case the size of a claim reached beyond a particular ceiling.

“Depositors are not affected and will never be affected by fraud. Well, unless the bank fails, but even then the Reserve Bank steps in,” Kooyman said. Even in cases of smaller fraud, such as phishing scams, customers are not alone in recovering their loss and can claim from the bank, unless they were exceedingly negligent.

Like vehicle cover, an insurer offering cover for cybercrime will look at the risk profile of any company. In the case of a bank, this would include its security and IT systems, its compliance and its track record.

In 2014, Standard Bank was victim of another large fraud involving aluminium in two ports in China. It was one of several financiers that had extended loans secured against the cargo.

Standard Bank’s exposure at the time was reportedly $170-million, or about R1.8-billion given the exchange rate at the time.

Although the bank successfully invoked its legal rights to recover from insurers, a material amount of the losses suffered from the fraud led directly to the remuneration committee reducing the remuneration of David Munro, the chief executive of its Corporate Investment Bank, by 62%. The remuneration for Ben Kruger, the group’s chief executive, was cut in half.

Professor Basie von Solms, director of the University of Johannesburg’s Centre for Cybersecurity, said the incident in Japan is a good case study of cybersecurity because it emphasised the international characteristics of such crime.

“You can steal information in country A, you can execute the crime and get hold of the money in country B, where there is less secure infrastructure, and then you flee to country C,” Von Solms said. “Even if you are caught, it’s a question of who you can charge in which jurisdiction and with what.”

Von Solms said the chances of breaking into the back end of the bank’s system were close to nil, and the information must have been taken at some other point. “There is no doubt that somehow this info should have been protected. The core questions now are how it leaked, and what further information has leaked.”

The deputy governor of the Reserve Bank, Kuben Naidoo, said on Wednesday that the Reserve Bank is constantly working with the banks on their ability to protect and repel cyberattacks. “You are always going to be subjected to these attacks and some of them are going to succeed,” Naidoo said.

The outgoing registrar of banks, Rene van Wyk, added that banks have to rely on outside vendors and external platforms. “The cyberattacks actually happen there, rather than what happens in the bank,” he said.

Photo: Issei Kato/Reuters. Bloomin’ audacious: More than 100 fraudsters using cloned credit cards stole R300-million in Japanese yen over a three-hour period from 1400 ATMs at convenience stores in Japan.
