By Charlie Osborne for Zero Day
In what may be a case of “if we ignore it, it will go away,” South Africa’s largest electricity company has become the subject of the public exposure of customer data after ignoring researcher pleas to resolve the problem.
Eskom is South Africa’s state-owned electricity company which generates approximately 95 percent of the region’s electricity, as well as roughly 45 percent of all of the electricity used across the African continent.
On Tuesday, cybersecurity researcher Devin Stokes sent a public tweet to Eskom which appears laced with frustration at the electricity provider's lack of response.
Stokes said, “You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!”
The following image contains a screenshot of what appears to be customer and service-related data, including account IDs, start and end service dates, and meter information:
Several hours later, Stokes published a further screenshot with a live timestamp, commenting, “OK. It got worse.”
It appears that this database entry contained some of the financial data of a customer, including name, card type, a partial card number, and CVV, the three-digit security code which is required for purchases in person or online.
According to the researcher, the electricity provider has left its billing software database exposed, lacking so much as a password.
The most recent customer estimates available, published in 2016, claim that Eskom accounts for roughly 5.7 million customers across South Africa. It is not known how many customers may have been involved in the reported breach.
However, this may not be the only security failure Eskom needs to grapple with — as one of the company’s own employees may have complicated matters further in their gaming enthusiasm.
In a screenshot posted by MalwareHunterTeam, another Twitter user warned Eskom of the existence of a Trojan on one of their networked, corporate machines. The user reported that the Trojan infected the machine through a fake SIMS 4 game installer.
The Twitter user, going under the handle “@sS55752750,” added that the offending employee is a “senior infrastructure advisor.”
While there has been no news on the exposed database, Eskom did thank the researcher who disclosed the Trojan’s existence, saying, “This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention.”
“Accidental breaches of this type further drive home the point that every company should have a formal process to accept vulnerability reports from external third parties,” Jon Bottarini, Lead Technical Program Manager for HackerOne told ZDNet in response to the news. “Exposing the vulnerability details on Twitter seems to have been the last-ditch attempt on behalf of the security researcher to try and get in contact with someone who can resolve the issue.”
Eskom told ZDNet that the company is “conducting investigations to determine whether sensitive Eskom information was compromised as a result of this incident,” but will not comment further until the investigation has been concluded.
Amazon is planning to offer a credit card to U.S. small-business customers, furthering its push to supply companies with everything from reams of paper to factory parts, according to people with knowledge of the matter.
The e-commerce giant has been in talks with banks including JPMorgan Chase on a co-branded credit card for small-business owners who shop on its website, said the people, who asked not to be named discussing private negotiations. An Amazon spokesman declined to comment.
Seattle-based Amazon, the world’s largest online retailer, has been looking for a way to replicate in the workplace the success that’s made it a go-to shopping destination for households. In October, the company launched a Prime membership program offering fast free delivery for businesses, which was seen as a way to grab market share from factory-equipment providers such as WW Grainger and Fastenal and office-supply stores like Staples and Office Depot.
Amazon is hoping the new credit card, which will feature rewards points for purchases, will also let it eventually add offerings such as business insurance through a portal designed for its small-business customers, according to one of the people familiar with the matter. Amazon could use customers’ transaction data to help tailor the rewards, this person said. The retailer has already lent $3 billion to more than 20,000 small businesses that sell via its marketplace in the U.S., U.K. and Japan, Amazon said last year.
The battle for small businesses’ spending has also been heating up among U.S. card issuers such as JPMorgan and American Express. Over the past few years, those lenders have debuted retooled proprietary small-business cards as well as new co-branded offerings for such customers.
A representative for JPMorgan declined to comment.
AmEx says it is the top card issuer for U.S. small businesses and that its portfolio is larger than its five nearest competitors combined, according to a presentation last week. The New York-based company doesn’t disclose total purchase volume for the category. In 2016, small businesses spent about $72.9 billion a year on JPMorgan’s credit cards, $46.7 billion on Capital One Financial’s and $15.6 billion on Citigroup’s, according to a June 2017 edition of the Nilson Report.
AmEx shares slipped on the news, declining 1.4% to $97.67 at the close of trading on Monday. The report also rattled stocks of AmEx credit-card rival Discover Financial Services and Amazon supply-chain competitors Grainger and Fastenal.
Amazon already offers two credit cards for consumers with JPMorgan and Synchrony Financial. Those cards come with as much as 5% cash back on purchases. The retailer is also in talks with JPMorgan and Capital One about a product similar to a checking account that could help it lower the amount it spends on card fees every year.
Source: Bloomberg / Fortune
The National Credit Regulator (NCR) will investigate Standard Bank’s new credit card fee, according to a report in the Sunday Times.
The bank has been charging a standalone monthly “card fee” of between R10 and R210 to customers who use its credit cards only, with the fee depending on the type of card the customer uses.
The card fee was implemented at the beginning of 2018 and is charged in addition to the monthly service fee of R40.
According to the NCR, the Credit Act has a closed list of charges a credit provider can levy on customers – and the card fee is not one of them.
The NCR said it would investigate Standard Bank’s card fee and take appropriate action if the fee is found to be illegal.
According to Standard Bank’s pricing guide for 2018, the card fees are as follows:
Gold, Blue, and Access cards – R10.00
Titanium standalone – R25.00
Platinum standalone – R40.00
World Citizen standalone – R210.00
The report follows SA Consumer Satisfaction Index results in 2017 showing that Standard Bank customers are the least satisfied.
Standard Bank did not respond to requests for comment sent by the Sunday Times.
An internationally co-ordinated fraud attack involving forged bank cards used at ATMs in Japan has stripped Standard Bank of about R300-million.
Standard Bank and authorities remained mum on the progress of investigations and the whereabouts of the syndicate, as investors appeared largely unconcerned by the bank’s loss.
Spokesman Ross Linstrom of Standard Bank, which made just more than R22-billion in headline earnings across the group in 2015, said on Monday a sophisticated and co-ordinated syndicate had created a “small number of fictitious cards” and proceeded to draw a total amount of R300-million from ATMs in Japan.
He said investigations were at a sensitive stage, but that bank customers would suffer no adverse effects if their details had been stolen and used in the Japanese fraud.
Japanese media have reported that about 100 individuals hit 1 400 ATMs in just three hours on a day when banks are closed for business, with one withdrawal transaction at each ATM up to the daily limit amount set in Japan.
According to Japanese media, no arrests have been made and the individuals who made the withdrawals may no longer be in the country.
The fraud fits an international trend involving hit-and-run withdrawal schemes in which fraudsters may be jetting into countries in different time zones to buy themselves time to collect the cash and run.
The South African Banking Risk Information Centre confirmed the Standard Bank matter was under investigation, and CEO Kalyani Pillay said the local industry would provide full support to both the bank and law enforcement, where possible.
“The industry’s card losses for 2015 were in the region of R778-million across all card types for South African-issued cards.
“This was a 4% decrease compared to 2014. Banks have robust systems in place to monitor and detect fraud, but some risks lie with bank clients themselves,” Pillay says.
Southern African Fraud Prevention Services executive director Manie van Schalkwyk said his organisation stops about R3-billion in fraud every year.
“Identity fraud is declining, and the main reason is the use of biometrics,” he says.
Van Schalkwyk said banks were making use of various databases and methods to try to keep up with and combat such fraud, as criminals continued to evolve their modus operandi.
By Brendan Peacock for www.bdlive.co.za