
Postbank to replace 12M bank cards after employees steal 'master key' - zdw
https://www.timeslive.co.za/sunday-times/news/2020-06-14-postbank-forced-to-replace-12-million-bank-cards-after-employees-steal-master-key/
======
LeonM
Insane. Just think of the risk that this 'master key' exposed to the bank's
employees.

Having access to something as insanely valuable as a bank 'master key' puts
the employees at risk of blackmail, extortion, etc.

That's why you have HSMs, key ceremonies, Shamir's secret sharing etc. It's
not just for trust, it's also for protection of those involved.

Unauthorized wire transfers can be undone, or covered by insurance. Loss of
life cannot.

~~~
erikig
I appreciate this. I wasn't familiar with Adi Shamir's secret sharing scheme.
I found this video quite helpful in clarifying how it works for cases where
only a subset of the participants is required to confirm the secret.

[https://www.youtube.com/watch?v=iFY5SyY3IMQ](https://www.youtube.com/watch?v=iFY5SyY3IMQ)

~~~
jacobkg
The original paper on this “How to Share a Secret” by Adi Shamir is
incredible. You should absolutely read it.

- The system is proven to be information theoretically secure (not just
computationally)

- It uses only high school math

- The paper is only TWO PAGES LONG

I highly recommend printing this out on a single sheet of paper (double sided)
and digging in.

[https://cs.jhu.edu/~sdoshi/crypto/papers/shamirturing.pdf](https://cs.jhu.edu/~sdoshi/crypto/papers/shamirturing.pdf)

~~~
the_svd_doctor
Thanks for sharing. This is indeed genius and so simple. Brilliant.

------
seesawtron
Note that this is a banking division of South Africa's Post Office. I was
confused it was the Deutsche Postbank.

They lost more than $3.2 million from fraudulent transactions and will now
have to replace more than 12 million cards for its customers after employees
printed and then stole its master key in December 2018. Took them long enough
to figure it out.

------
duxup
>The breach resulted from the printing of the bank's encrypted master key in
plain, unencrypted digital language at the Postbank's old data centre in the
Pretoria city centre

I can't read any more. Is there any more technical explanation?

Was it actually 'printed' ... on paper?

Was it even an actual encryption key or just a password or something?

~~~
gcbw3
People seem to forget why credit cards came into existence.

It was not for security. Ever.

Credit Cards were introduced as a less-secure-but-more-convenient-check.

The store then would have a stock of "blank checks" with absolutely no
security features where they would imprint with carbon paper and a pressure
roll the credit card information and pretty much "mint" the client a check on
the spot.

Over time the raised letters for the crude minting press morphed into a
magnetic strip, but the process was still 100% the same. _Outside of the US_
in the last decade (2yrs in the US) some little security was added with
encryption keys and PINs. Which is nothing more than a digital signature the
bank may or may not check (like it did with the actual signature on the
previously mentioned blank checks minted by the store). This is the step that
was compromised with the stolen keys. In other words, the few places where you
have to insert your card chip into a reader and type a PIN had their security
degraded to the same level as places where you simply use your magnetic strip
or type your numbers on an online store.

~~~
aerostable_slug
Even more fun fact: we rely on mag stripes (vs. chip n pin / nfc / etc)
because of gas pumps. The cost of refitting gas pumps holds us back. Yay.

~~~
mschuster91
So why not limit the magstripe to gas pumps and give them a time frame of 5-10
years to upgrade existing pumps, and mandate chip capable card readers in new
pumps?

At the same time fees could be raised 2% for non-chip transactions to
incentivize upgrades.

~~~
AaronM
Looks like they have a deadline of 10/2020 before Visa and Mastercard start
holding owners liable for fraud if they haven't upgraded to chip readers.

[https://www.latimes.com/business/technology/story/2020-01-07...](https://www.latimes.com/business/technology/story/2020-01-07/gas-stations-rush-to-adopt-chip-card-readers-at-fuel-pumps)

~~~
GoblinSlayer
That's stupid. Just issue cards without stripe and the problem will solve
itself.

~~~
twunde
It's a chicken and egg problem. Gas purchases are one of the most common
purchases in the US. Removing the ability to pay using a credit card would a)
piss off owners of the new credit cards, b) likely cause people to use their
old credit cards for longer and still wouldn't push gas stations to switch
over quickly as most have ATMs and gas stations could insist on cash payments.
Keep in mind that at least some of these gas pumps can't be upgraded but have
to be replaced in order to support the new chip cards. What should have been
done is a combination of good incentives for upgrading early (maybe reduced
fees?) and penalties for not upgrading within a time frame (fraud payments are
owners' responsibility after n amount of time, increased fees for dealing with
fraud).

------
zlynx
Ah hah hah haha!

And our (USA) law enforcement agencies promise us that any encryption master
keys required by their grandiose plans will only be used in cases with proper
legal court warrants (ignore the FISA court warrant abuse based on lies and
deceit) and will be super secure and never stolen.

Just like those secret hacking tools stolen from the CIA.

Or these private master keys.

~~~
SamuelAdams
Don't forget the TSA travel master keys, which can now be 3-D printed by
anyone using this repo: [https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys](https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys)

~~~
hinkley
You can use a ball point pen to pop open the zipper on any luggage.

I understand that the illusion of control is very helpful for nervous
passengers, but your luggage is leaving your control and it's mostly nylon
fabric and plastic.

~~~
SamuelAdams
Yes, but you're missing the forest for the trees. A government entity (TSA)
had a thing built specifically for their needs ("secure" locks for luggage)
and promised they would be the only ones capable of unlocking it. Then somehow
the "secret" they promised to protect (physical keys) got leaked out somehow
and now the entire thing is security theater.

Also I think they used these locks on handgun / firearm containers that were
declared when travelers with a CPL or LEO people traveled. Those are typically
put into a hard container that is difficult to open unless you unlock the
lock.

EDIT: last paragraph is wrong, please ignore that. Thanks guys.

~~~
mulmen
I don’t think you have to use a TSA lock on luggage with a firearm [1]. If it
meets the legal definition of a “firearm” you trigger (get it?) the TSA rules
that allow you to use a non-joke lock. Since this includes just the legal
firearm you don’t even have to carry an actual gun to prevent the TSA from
sniffing your undies.

Deviant Ollam gave an (in)famous talk [2] about this at Defcon.

[1]: [https://www.tsa.gov/travel/transporting-firearms-and-ammunit...](https://www.tsa.gov/travel/transporting-firearms-and-ammunition)

[2]: [https://youtu.be/KfqtYfaILHw](https://youtu.be/KfqtYfaILHw)

~~~
swimfar
That's a funny hack. However, this looks like conflicting advice:

"Only the passenger should retain the key or combination to the lock unless
TSA personnel request the key to open the firearm container to ensure
compliance with TSA regulations. You may use any brand or type of lock to
secure your firearm case, including TSA-recognized locks."

If you use a TSA lock, that means they have a key to open up the case and
access the firearm without you around. That's a big no-no and could result in
problems with the law.

You'd also probably want to show up an extra hour early because this could
cause long delays. Some airports are notorious for workers who don't know the
regulations, don't want to be responsible for any of it, and will refuse to do
anything to help you resolve the situation. Also, definitely don't try this if
you're flying through New York or New Jersey.

~~~
mulmen
I agree that paragraph seems contradictory. I guess I have a slightly lower
opinion of the TSA now.

What’s important is that you don’t have to use a TSA lock. You just have to
open it for them if they ask.

> Also, definitely don't try this if you're flying through New York or New
> Jersey.

Why?

~~~
SamuelAdams
CPL's are typically granted at the state level, but not all states need to
recognize your CPL as valid. So it's perfectly legal for me to fly from
Detroit to New York with a firearm, because the TSA staff in Detroit, MI
legally recognize my MI CPL.

However, the TSA agents in NY do not recognize my MI CPL. As a result when I
fly back from NY to MI, I could get arrested for carrying a firearm.

More on this here: [https://www.theblaze.com/news/2018/01/18/colorado-woman-decl...](https://www.theblaze.com/news/2018/01/18/colorado-woman-declares-gun-in-luggage-gets-arrested-at-new-york-airport-and-folks-are-frustrated)

~~~
mulmen
That has to do with concealed carry. Putting a firearm in your suitcase does
not require a CPL, nor does it require concealed or even open carry. I'm sure
it's still legal to transport a firearm in New York.

To be clear, this rule can be triggered by a flare gun or starting pistol.
Traveling with those seems perfectly reasonable and I don't see why a CPL
would be required.

------
Havoc
Postbank is a subsidiary of South Africa's Post Office.

An entity that is bankrupt and barely functional despite having a state
mandated monopoly on an entire country's postal system.

As per article they're also running the SASSA social grant system which is a
train wreck in itself and has been buried in legal disputes for years (not
random small cases...a challenge to the legitimacy of their core mandate on
grants).

Someone walking out the door with printed encryption keys sounds about right.

~~~
gsnedders
> An entity that is bankrupt and barely functional despite having a state
> mandated monopoly on an entire country's postal system.

To be fair, plenty of state-mandated monopolies of postal systems still aren't
profitable, often because they don't significantly control their revenue
stream insofar as they don't set the prices of their products.

~~~
Havoc
Your argument is broadly sound, but not applicable in this particular case.

Currently people are paying a massive premium to utilize private courier to
have their stuff privately couriered. People are literally going f that I
don't care what it costs I don't trust the postal system.

A sane postal service would review this situation and try to understand why
the people think "f you". SAPO has decided that the correct solution to this
situation is to simply legally mandate that everyone has to use their useless
service thus making couriers illegal for this category. Literally:

[https://mybroadband.co.za/news/business/346729-online-stores...](https://mybroadband.co.za/news/business/346729-online-stores-may-be-forced-to-use-the-sa-post-office-and-they-are-not-happy.html)

I personally take a pretty dim view on "nobody wants this...fine...so we'll
just force it by law" dynamics

------
ipnon
It seems ridiculously cheap, relative to payout, to attack financial
institutions by joining them as employees. Couple this with the fact that
"white collar" crimes are punished with relatively lenient sentences.

~~~
closeparen
When IT leadership talks a big game about security, as a skilled practitioner
on the ground I still see plenty of opportunities. When you delve into
details, a lot of that “serious business regulated entity with compliance
auditing requirements” stuff is brain dead. Like, running vulnerability
scanners that don’t even speak the same wire protocols as the applications
under test. Enforcing strict ACLs on UIs while it’s trivial to SSH and curl
the backend APIs.

I sometimes wonder whether accounting is like this too. Is financial audit
just as much of a fig leaf? Can a skilled accountant also spot dozens of ways
to embezzle?

~~~
ipnon
We are truly saved by our better angels. If all people were ruthless economic
competitors, and took every efficient financial opportunity available to them,
criminal or legal, a cooperative society would be unmaintainable. We should
consider ourselves lucky (perhaps blessed) that the anti-social among us are a
tail end minority.

------
ScarZy
This is quite surprising to me. Some of the banking technology and practices
in Germany are extremely tight and their infrastructure seems problematic.
Living there for a while as a non-native and being with PostBank, it was
insanely difficult to login and understand. Germany is also heavily marred
with bank cash groups, meaning you get charged elsewhere.

It was great to see N26 come along and change that, and thank god for their
native translations.

~~~
netsharc
They really should add "[South Africa]" to the title, since my first thought was
"Is this Germany or might they mean PostFinance in Switzerland?"...

How do you summon dang, with @dang?

~~~
selimthegrim
I think burning sage and eye of newt is involved too.

------
intsunny
Shouldn't this be the kind of key/info/data where it is divided into N pieces,
and all of the pieces are stored separately?

~~~
ppierald
Shamir Secret Splitting divides a secret into M pieces requiring N parts to
reconstitute. This does not absolutely prevent this attack, but requires
collusion between attackers who are presumably trusted insiders, but trusted
insiders can be compromised by blackmail, coercion, greed, or other angles.

------
PopeDotNinja
My accounting professor used to say the mirrors and security cameras in stores
were to monitor the employees more than the customers.

~~~
minikites
Employers steal _far_ more than employees:
[https://upload.wikimedia.org/wikipedia/commons/c/c4/Wage_the...](https://upload.wikimedia.org/wikipedia/commons/c/c4/Wage_theft_versus_other_property_crimes.png)

[https://www.gq.com/story/wage-theft](https://www.gq.com/story/wage-theft)

[https://www.epi.org/publication/employers-steal-billions-fro...](https://www.epi.org/publication/employers-steal-billions-from-workers-paychecks-each-year/)

[https://www.epi.org/publication/wage-theft-bigger-problem-th...](https://www.epi.org/publication/wage-theft-bigger-problem-theft-protect/)

~~~
Agenttin
Wage theft is hard to monitor with cameras and mirrors.

------
DiffEq
How exactly would one use this key nefariously? It seems to do so would
require a whole chain of capabilities.

In any case it would make sense to have multiple master keys...say use a
different master key for each batch of so many cards.. then if one key was
compromised it wouldn't affect 12M cards.
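The per-batch key idea in this comment, as an added example (not code from the thread, from Postbank, or from any card scheme). It models a two-level hierarchy: each batch of cards gets an independent random master key, and each card's key is diversified from its batch key with HMAC-SHA256 over the card number, so a leaked batch key exposes only that batch and `reissue_scope` tells you exactly which cards to replace. The class name, the HMAC-based derivation, the batch size and the sample card numbers are assumptions of this example; real EMV key derivation differs in detail.

```python
"""Per-batch master keys with per-card derived keys (added example)."""
import hashlib
import hmac
import secrets


def new_batch_key():
    """Independent 256-bit batch master key; no batch key is derivable from another."""
    return secrets.token_bytes(32)


def derive_card_key(batch_key, pan):
    """Card-unique key = HMAC-SHA256(batch_key, PAN).

    Assumed derivation for illustration: the point is that the card key cannot
    be turned back into the batch key, and batch keys are unrelated to each other.
    """
    return hmac.new(batch_key, pan.encode(), hashlib.sha256).digest()


class KeyHierarchy:
    """Issuer-side view: which batch key protects which card."""

    def __init__(self, batch_size):
        self.batch_size = batch_size
        self.batch_keys = {}   # batch_id -> batch master key
        self.card_batch = {}   # PAN -> batch_id

    def issue_card(self, pan):
        """Assign the card to the current batch and return its derived key."""
        batch_id = len(self.card_batch) // self.batch_size
        if batch_id not in self.batch_keys:
            self.batch_keys[batch_id] = new_batch_key()
        self.card_batch[pan] = batch_id
        return derive_card_key(self.batch_keys[batch_id], pan)

    def verify_card(self, pan, presented_key):
        """Constant-time check of a card key against the issuer's derivation."""
        expected = derive_card_key(self.batch_keys[self.card_batch[pan]], pan)
        return hmac.compare_digest(expected, presented_key)

    def reissue_scope(self, compromised_batch_id):
        """Cards that must be replaced if this one batch key leaks."""
        return sorted(p for p, b in self.card_batch.items() if b == compromised_batch_id)

    def rotate_batch(self, batch_id):
        """Replace the leaked batch key; old cards in that batch stop verifying."""
        self.batch_keys[batch_id] = new_batch_key()


if __name__ == "__main__":
    issuer = KeyHierarchy(batch_size=4)
    # Constructed sample PANs, not real card numbers.
    pans = [f"4000000000000{i:03d}" for i in range(10)]
    for p in pans:
        issuer.issue_card(p)
    print("cards to reissue if batch 1 leaks:", issuer.reissue_scope(1))
```

With one key for every card, as the article describes, `reissue_scope` would return the whole portfolio, which is the 12 million card replacement in the headline.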

------
irjustin
I have this fantasy that there was some security engineer who said, "hrm this
looks like you could steal/reconstruct this master key by..." raised it up to
management and subsequently ignored or shot down because changing the solution
was too expensive.

------
EwanToo
There's a non-paywall article on the subject at:

[https://hotforsecurity.bitdefender.com/blog/south-africas-po...](https://hotforsecurity.bitdefender.com/blog/south-africas-postbank-is-replacing-12-million-bank-cards-after-major-security-breach-23503.html)

~~~
afrcnc
A better one here: [https://www.zdnet.com/article/south-african-bank-to-replace-...](https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/)

------
jokoon
That proves my point again that there are not enough regulations on electronic
security standards that apply to private companies.

All you have are white hat security consultant experts that only have their
dollars and reputation to work with. The public is highly vulnerable on those
things yet I don't see politicians really caring.

~~~
devcpp
Quite the opposite: the free market will deal with this just fine, giving a
big penalty to companies that don't care enough. The government, on the other
hand, imposes bad businesses, enables regulatory capture and has proven many
times that it has no idea how to handle infosec. These white hat consultants
aren't perfect but through competition they're still better than lobbied
lawmakers.

~~~
bbaumgar
Do you think that the free market worked as desired in the case of Equifax?

~~~
flareback
Do you think we actually have a free market?

~~~
mitchdoogle
If we don't have a free market, it doesn't do much good to say the free market
will solve any of our problems.

~~~
baddox
Huh? Presumably the suggestion is to make the market freer.

~~~
IggleSniggle
Or perhaps to acknowledge that the assumptions about a free-market ignore the
realities of human psychology, and thus a free-market inherently cannot exist
because humans are not capable of producing a free market without regulation,
and regulation is antithetical to a truly free market?

------
annoyingnoob
Humans are a real security risk.

------
tibbon
Is there no equivalent of PCI in South Africa?

------
gjmacd
And why was there a "master" key?

~~~
theandrewbailey
They probably rolled their own encryption, because it was over 20 years ago.

~~~
selimthegrim
[https://classicprogrammerpaintings.com/post/148027314949/we-...](https://classicprogrammerpaintings.com/post/148027314949/we-rolled-our-own-crypto-pieter-bruegel-the)

------
solinent
Would you build a castle with a back-door?

~~~
fatbird
Actually, castles almost always had back doors.

[https://en.wikipedia.org/wiki/Postern](https://en.wikipedia.org/wiki/Postern)

~~~
solinent
Almost always? Source for that? Very interesting, I guess during a siege
there's a tradeoff there. If your postern is on the other side of a mountain
range, then definitely it's not so bad.

------
kamil3141
Do you mean the “main key”?

------
z3j4e
Does anyone have a link without a paywall?

~~~
lioeters
[https://www.zdnet.com/article/south-african-bank-to-replace-...](https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/)

------
urza
*main key

~~~
jsisto
If they used main key this wouldn't be a problem

