You are currently viewing our desktop site, do you want to download our app instead?
Moneyweb Android App Moneyweb iOS App Moneyweb Mobile Web App
Join our mailing list to receive top business news every weekday morning.

How fraudsters may have exploited Standard Bank in Japan ATM heist

How credit card information is exploited and what you can do to protect your details.

Three hours, around 100 people, 1 400 Japanese ATMs and 1 600 counterfeit credit cards, was all it took for fraudsters to exploit Standard Bank in Japan.

The bank, which stands to lose up to R300 million, described the attack as a “sophisticated, coordinated fraud incident” and said “swift action to contain the matter” had been taken. 

“It is evident that it is an incident of transnational organised crime that was well planned and executed,” said Kalyani Pillay, CEO of the South African Banking Risk Information Centre (SABRIC).

Security experts agree, saying perpetrators went to “considerable trouble” to pull it off.

The gang is believed to have targeted Japan due to bank security measures, which permit the use of credit and debit cards with magnetic strips as opposed to the newer and more secure chip and pin technology, said Frans Lategan an IT Security Consultant at SensePost, which exposes vulnerabilities and weaknesses in computer-based systems.

According to The Yomiuri Shimbun, Japanese police believe the cash was withdrawn outside South Africa, the country in which the cards were issued, in order to delay the scam’s detection. That the withdrawals took place between 5am and 8am on Sunday, 15 May, is believed to be another delaying tactic. Seven Bank ATMs, located in 7-Eleven convenience stores, were also targeted as they are of only two Japanese banks that allow withdrawals on foreign-issued credit and debit cards. Each of the 14 000 transactions saw the gang withdraw ¥100 000 or roughly R14 300, the maximum withdrawal limit set for ATMs. However, transacting below a floor limit, could have also delayed detection as these transactions can be processed without bank authorisation, Lategan said.  

The news site reported Japanese police are attempting to identify suspects by analysing security camera footage. Japanese and South African authorities are also said to be working together, via Interpol, to determine how the gang obtained the credit card data.

“In order for external parties to gain access [to credit card information], there usually involves some sort of collusion,” said Steven Powell, co-head of forensics at ENSafrica. He added Standard Bank would have to investigate whether its security measures were compromised internally or externally as well as whether the security breach was isolated to Japan.

“Unless we know what security measures were in place, it is hard to know what method was used,” said Lategan. He said the gang could have obtained the data from an inside source, merchant or other third party records or by exploiting numeration vulnerabilities.

Banks follow a pattern when issuing 16-digit credit card numbers. The first six digits denote a Major Industry Identifier like Visa or MasterCard as well as a Bank Identification Number based on the type of card issued such as gold or platinum, in some cases the second to last digit denotes the number of times that a card has been issued and the last digit, a function of the first 15 digits, is based on the Luhn formula.

“Just by knowing eight digits, I can probably guess the other eight straight away,” Lategan said, adding that this method was the least likely to be used. With credit card details – including card numbers, valid expiry dates and Card Verification Value (CVV) numbers – going for as little as $1 each on the black market, he said it would have been much easier to for the gang to have paid for the data. Powell said it is also possible that the gang coded the cards themselves.

That the gang used only 1 600 fake credit cards, a relatively small amount, and only scammed one bank is also telling. “They went to considerable trouble to filter them and make sure that they had valid details,” Lategan said. It is likely the gang “fine-tuned” their processes by conducting similar, smaller scale scams at other banks, so as not to raise alarm, and “Standard Bank just happened to be last”, he said.

Lategan said the heist shows that credit cards are reasonably safe for cardholders as the gang withdrew the “bank’s money” and the burden of proof related to credit card fraud lies with banks instead of cardholders.  

“The fault doesn’t lie with the cardholder,” said Global Technology Security Provider’s Jacques van Heerden. Still, he advised cardholders to protect their information making use of chip and pin cards, not allowing cards out of their sight and by not entering their credit card details on any third party web application unless they intend to pay for something.


Sort by:
  • Oldest first
  • Newest first
  • Top voted

You must be signed in to comment.


Getting hold of the credit card numbers and CVVs is one thing, but to draw money you need the PIN as well? Any explanation on how that was possible?

“The gang is believed to have targeted Japan due to bank security measures, which permit the use of credit and debit cards with magnetic strips as opposed to the newer and more secure chip and pin technology, said Frans Lategan an IT Security Consultant at SensePost, which exposes vulnerabilities and weaknesses in computer-based systems.”

Rubbish – Banks lose hundreds of millions every year, through fraud (often involving internal staff), stupidity, greed and write off even more to politically connected BEE fronts and tenderpreneurs.

They recover all that and more, simply by hiking the interest rates charged on our credit, fat bank charges and paying us less interest on our deposits.

The money changers NEVER admit their shenanigans until and unless exposed by the press. Tellingly, the story emanates from the Japanese media. Our are too busy swapping cosy stories with their friendly brokers, insurers and bankers to even notice.

Shame on you, SA financial media.

The big questions are………???

1) If Standard bank cannot even protect their own systems how can we expect them to be effective custodians of our money
2) Next time a client loses money at an ATM or on Internet banking how can they be sure that the bank is not 100% to blame. The bank will deny it of course and make you jump through 1 million hoops.

Why do they and other companies ie MTN have to do business in a country where they don’t understand the language or the culture. stick to like minded countries where culture and language is similar to what they are familiar with and you will find less burnt fingers. But I suppose these loses like this one and MTn’s nonsense in Nigeria will be paid for by clients and customers. So win sometimes but always recoup losses. There is no such thing as a write off, some one pays and it is the customer.

I have cancelled every single one of my on line shopping accounts and I will only use my Credit card online if the payment is one time password dependent in every single case. Vendors have proved that they cannot protect your info. I take cash to all restaurants in fact I use my Credit card as little as possible and it never leaves my hand. I put into the machine and I take it out. Staff sometimes take offence and that is just tough

Cant believe there were no Red Flags….

End of comments.





Follow us:

Search Articles:Advanced Search
Click a Company: