In December 2018, an employee of Postbank in South Africa printed a copy of the bank’s master key from a data center in Pretoria. Over the following year, the employee made more than 25,000 fraudulent transactions and stole over $3.2 million from the bank’s customers.
In addition to suffering those direct losses, the bank also had to replace 12 million cards generated by that key, at a cost of about $58 million. This embarrassing and costly debacle underscores the importance of keeping your master key secure, but what are the most effective ways to protect your master key? Check out these tips.
Manage Your Master Key on Dedicated Servers
The host master key is the most sensitive piece of information in most financial institutions. This key allows you to access ATM pins, customer data, credit card details, access codes, and the rest of the sensitive information stored by your bank. To protect the key, you need to manage it on a dedicated server with a dedicated operating system.
Don’t Give the Complete Master Key to Any Individual
Ideally, a single person should never have access to the entire master key. Instead, you should divide the information between multiple people from your financial institution’s management team.
Splitting the master key between several people makes the information much less susceptible to fraud — while a single person could easily decide to steal the master key on their own, a group of people is a lot less likely to collaborate and steal the information together.
Change the Key Periodically
To protect your master key, change the number periodically and also mix up which employees have access to portions of the key. Just as changing passwords regularly helps to secure access to software and applications, changing your master key also helps to prevent unauthorized access.
Share Information With Third Parties Carefully
In some cases, your financial institution may need to share master key information with a third party such as Visa. In these situations, you should also split up the information between multiple people. Typically, this involves sending the key in three parts to three different people in the organization that requires this information. Once they receive their portions of the key, they can hold a “key ceremony” where they each enter their information separately and privately into the hardware security module.
Store Physical Backups in Different Locations
In cases of a failure with your hardware security module, you need to store backup information so that you can restore or upgrade the module as needed. Generally, hardware security modules store master keys in a way designed to reduce the risk of compromise, and to assemble the full key, you need to enter several different pieces of information.
To ensure the physical copy of this information is as secure as possible, store each piece of information in a different safe, use safes in multiple locations, and do not allow any single person to have access to more than one safe. Again, by splitting this sensitive information between multiple people, you reduce the risk of compromising your key because multiple people are much less likely to collaborate in a theft than a single person is to act on their own.
Stay Compliant With Payment Card Industry Data Security Standards
The Payment Card Industry (PCI) Standard outlines the rules financial institutions need to follow to keep their customers as safe as possible. To ensure the safety of your master key and to prevent your financial institution from fines or penalties, make sure to stay abreast of this organization’s rules and consider doing regular audits to ensure you’re compliant with best practices and recommendations.
Work With a Quality Fraud Prevention Partner
Unfortunately, no business is immune to internal theft, and often, this type of fraud is hard to discover because the thieves have such intimate knowledge of how the business functions. To minimize your risk of both internal and external fraud, you need to work with a dedicated fraud prevention and detection partner who can help you implement tools that search for signs of fraud across all payment channels, accounts, databases, and other assets of your financial institution.
At SQN Banking Systems, we provide real-time fraud analysis for financial institutions. Our hosted solutions allow you to enjoy the benefits of top level bank security without having to invest in new infrastructure or hire more IT personnel. We handle anti-fraud measures so that you can focus on running the other aspects of your financial institution.
To learn more about how our services can help protect your financial institution, your customers, and your bottom line, contact us today.