Sometimes it's easier to manipulate an employee than to breach a bank's systems

Jan 17, 2012 12:23 GMT  ·  By

During the holidays cybercriminals kept themselves busy, hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by SA Post Office, is one of the victims, the hackers stealing around $6.7 Million (€4.6 Million).

Fin24 reports that the National Intelligence Agency, which offers assistance when a government institution is compromised, has launched an investigation to precisely determine the causes that allowed for the incident to occur.

Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.

The next days, the gang withdrew the money from several ATMs in Gauteng, Free State and KwaZulu-Natal.

Bank representatives state that none of their customers are affected by the breach, but security experts believe that Postbank’s systems desperately need an upgrade.

The irony is that the institution invested a large amount of money in their anti-fraud systems. However, as we can clearly see, anti-fraud systems aren’t worth much if the company doesn’t have a strict policy for the way their employees handle computers.

If the reports are true, then it means that an employee with privileged rights must have fallen victim to a scam email designed to spread a malicious Trojan.

Crooks don’t necessarily have to hack into a bank’s systems to gain access as it may be much easier to manipulate someone into handing over some information that can be utilized to just waltz in without being detected.

Lately, we’re presented with many cases in which a little bit of social engineering can perform much more efficiently than even the most sophisticated piece of malware.