Share

Japan an alluring target for Standard Bank ATM thieves

Tokyo - Criminals who stole millions of dollars from automatic teller machines across Japan in a three-hour spree probably chose the country because banks consider it a low fraud risk, security experts say.

The gang used counterfeit Standard Bank credit cards to withdraw 1.4bn yen ($13m) in 14 000 transactions from ATMs at 7-Eleven convenience stores over three hours on a Sunday morning, according to a source familiar with the matter.

Most ATMs in the 7-Eleven stores belong to Seven Bank, a Japanese bank part-owned by Seven & I Holdings which runs the store chain in Japan, one of only two Japanese banks that allow withdrawals on foreign cards.  

Read: Standard Bank victim of R300m fraud in Japan

The thieves are still at large.

"They were smart in selecting Japan," said one banking security consultant who asked not to be identified.

"They found a badly protected ATM network in a low-risk country, guessing that the fraud analytics software would not automatically block the transactions."

South Africa's Standard Bank said on Monday it had suffered the losses, not its customers, and that it had alerted the authorities. It estimated its total loss at R300m ($19m).

The bank declined to comment further on Tuesday.

Seven Bank said it was cooperating with police. Japan's banking regulator, the Financial Services Authority (FSA), and Japanese police declined to comment.

Read: Standard Bank Japan scam ‘well planned’ - Sabric

Seven has about 22 000 ATMs across the country. Japan Post Bank also accepts overseas credit cards, but only about 540 of its 27 000 are open 24 hours a day.

Reports in Japanese media said the withdrawals were made on May 15 at ATMs in Tokyo and 16 prefectures across Japan's main island Honshu and neighbouring Kyushu. That would have taken a substantial number of "mules" to make the transactions and ferry the cash, said experts.

"($13m) in a matter of hours is nothing short of blinding," said Dan Kelly, a Hong Kong-based cybersecurity researcher at Dragon Threat Labs.

"The use of loopholes in the bank's procedures makes sense, but trying to rustle up a mule network in one country without making too much noise can't be easy."

Flood of transactions

Experts said both banks should shoulder some blame for failing to monitor the flood of transactions, saying they should have had systems in place to catch spikes in unusual activity in so many locations at the same time during what would usually be a quiet period.  

"The liability is on the issuing bank, which is Standard Bank, but as the case gets further investigated, more blame will fall on the acquiring bank," said Subhashish Bose, head of anti-financial crime in Asia-Pacific for FICO, a U.S.-based software company that also scores consumer credit risk.

The criminals may have harvested the data in a variety of ways, said the experts - possibly by "skimming" cards - but they would have had limited options when it came to using them to withdraw cash.

For one thing, they would have to pick a country that still uses magnetic strip card technology, not the newer and more secure "chip and pin" system, which would have ruled out South Africa itself.

"If they would have gone to any of the surrounding countries, they would risk detection (and blocking) by Standard Bank's fraud analytics software", which would consider any transaction in such countries to be high risk, the banking security consultant said.

The same risk assessment would have ruled out most other African countries, Eastern Europe, the Middle East, Central Asia and Russia, the consultant added.

Japan, meanwhile, is considered low-risk because of low crime rates and its banks, most of which do not accept foreign cards in their ATMs, the experts said.  

Japan has long been ignored by criminal gangs and cybercrime groups because of its relative isolation. But that is changing, say specialists, and the country has yet to catch up.

"They are less experienced in dealing with these frauds and are behind in terms of monitoring, detection and response," said Stephen McCombie, an Asia-Pacific cybercrime specialist at RSA, the security division of data storage firm EMC.

Last year hackers broke into Japan's pension system and leaked more than a million cases of personal data.

We live in a world where facts and fiction get blurred
Who we choose to trust can have a profound impact on our lives. Join thousands of devoted South Africans who look to News24 to bring them news they can trust every day. As we celebrate 25 years, become a News24 subscriber as we strive to keep you informed, inspired and empowered.
Join News24 today
heading
description
username
Show Comments ()
Rand - Dollar
18.87
+0.3%
Rand - Pound
23.85
+0.2%
Rand - Euro
20.38
+0.2%
Rand - Aus dollar
12.31
+0.2%
Rand - Yen
0.12
+0.2%
Platinum
908.05
0.0%
Palladium
1,014.94
0.0%
Gold
2,232.75
-0.0%
Silver
24.95
-0.1%
Brent Crude
87.00
+1.8%
Top 40
68,346
0.0%
All Share
74,536
0.0%
Resource 10
57,251
0.0%
Industrial 25
103,936
0.0%
Financial 15
16,502
0.0%
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Editorial feedback and complaints

Contact the public editor with feedback for our journalists, complaints, queries or suggestions about articles on News24.

LEARN MORE
Government tenders

Find public sector tender opportunities in South Africa here.

Government tenders
This portal provides access to information on all tenders made by all public sector organisations in all spheres of government.
Browse tenders