Victims of online bank fraud hit back
Is the bank liable for not keeping your accounts safe - or did you let security slide?
Victims of internet banking fraud are increasingly fighting their banks in court. They're demanding access to key information to determine who is liable for losses from defrauded accounts.
Banks typically hold you, the client, liable when internet banking fraud occurs, arguing that you have assumed the risk of a compromise of your pin and password, even when there is no evidence of negligence on your part.
Cape Town businessman and Absa client Johan Holtzhauzen, who was defrauded of R1.6-million after his wife's paid-up bond account and his business accounts were plundered this year, is one of the latest victims to have brought an application for a court order in the High Court in Cape Town to compel Absa to give him pertinent information.
In September last year, Cape Town High Court Judge Babalwa Pearl Mantame ordered Standard Bank to give businessman Leon Huson information he was seeking to establish how fraudsters managed to steal R500,000 from his bond, credit card and cheque accounts.
Huson's attorney, Johan Victor, who is also representing Holtzhauzen and his companies, says that before the bank complied with the order, Huson and the bank came to a confidential "arrangement", with which Huson is "very satisfied".
The information sought in both the Huson and Holtzhauzen matters included, among other things, computer logs of any and all access to their bank accounts, financial information and/or personal information; access log details and information (for the six months leading to the fraud) on any and all bank employees and/or outside contractors who had, or could have had, access to their bank profiles, details and statements; and the banks' computer logs of any "red flags" raised due to unusual activity on their accounts and a full report of what subsequent actions, if any, were taken by the bank.
Holtzhauzen's court application was in two parts.
The first part was an urgent application and resulted in a consent order in June.
In that application, Holtzhauzen requested information, which the bank has since supplied.
The security system that has failed
Banks argue that you fell victim to internet banking fraud because you compromised the pin and password used to access the bank's online banking platform.
But for many years, security experts have been saying that the one-time password system is flawed.
In the event of an illegal sim swap, internet banking fraud is unlikely to be detected by the client because the fraudster, and not you, receives the one-time passwords (OTPs) being generated, enabling them to:
• Increase payment limits on your accounts;
• Set up new beneficiaries; and
• Make payments to new beneficiaries.
Without the one-time passwords, it would prove difficult, if not impossible, for fraudsters to make payments to beneficiaries you have not authorised.
The second part of the application seeks a court order for Absa to credit the bank accounts that were debited due to the unauthorised payments made from them.
Victor, who is representing about 70 victims of internet banking fraud, all of them Absa and Standard Bank clients, says he's hoping that Holtzhauzen's case will be precedent-setting on the issue of liability when money is stolen by internet banking fraud. He's seeking to establish that in the relationship you have with your bank, you are a creditor and your bank is the debtor, and therefore it's not your money that gets stolen but the bank's.
He's also arguing that the onus is on the bank to make sure that when it acts on an instruction, the instruction was from you, its client.
In November, George businesswoman Monica Kruger launched an application against both her bank and her mobile network provider, seeking a wide range of records and information after R1.8-million was stolen out of her Absa home loan and credit card accounts in an internet banking fraud involving an illegal sim swap. Absa eventually provided the information, and the application against the bank was withdrawn.
Kruger's attorney, Mark Heyink, who specialises in information security, is acting for 33 victims of internet banking fraud. Twenty-nine of them are Absa clients and four bank with Standard Bank. He says no clients from any other banks have been referred to him.
Obligation to protect you
Banks claim that you have contractually agreed to assume the risk and responsibility for all transactional activity incurred through a third party unless and until the bank has been notified by you that your online banking profile has potentially been compromised. But Heyink says that does not absolve the bank of its obligation to act diligently in protecting you.
The banks established the one-time pin sent to your cellphone as a security measure to protect you from unauthorised payments being made from your account.
"Without a compromise of this measure it is highly unlikely that perpetrators could succeed in channelling unauthorised payments to accounts that they control. This measure can be defeated by a sim swap, a fact that has been known to banks for years," Heyink says.
"Despite this, in the matters I am dealing with, the banks have failed to inform clients of the increased risk that sim swaps constitute, or to take appropriate measures to mitigate this risk."
In the bank's answering affidavit to Holtzhauzen's application, Absa's attorney Roxanne Francis-Pope says the contractual position between the bank and the client is clear: "While the bank can control and protect the online banking platform and can seek to influence and educate its clients, it cannot control the manner in which its clients conduct themselves in protecting their pins and passwords.
"It also cannot control the manner in which clients deal with their own information technology systems and devices, in particular whether they do so in a manner that means the clients' systems ... are rendered vulnerable to fraudsters," she argues.