Diana Clement: Traps for unwary in world of online banking

Photo / Thinkstock

A feeling of helplessness overcame me at New Year when my credit card maxxed out.

The problem was that I was holidaying in Rotorua and the local ASB branch was closed for a couple of days, so I couldn't nip down to transfer money from my savings account into my Visa or current account.

I sat in front of the public computer at the iSite (having left my laptop behind), muttering "should I, or shouldn't I?" log on to the ASB website. The issue is that public computers can be loaded with "keylogger" software to record every keystroke typed into the computer - enabling a hacker to steal passwords.

According to NetSafe, New Zealanders reported online frauds to theorb.org.nz amounting to $750,000 in the year to last August. I didn't want to become one of them. Logically, I'm more likely to have my car stolen than my bank account hacked, yet the idea of someone emptying my accounts and even racking up credit fills me with the heebie-jeebies.

I feared that using a public computer would breach the terms and conditions of my accounts, which I didn't have in front of me to double check. If hackers subsequently accessed my account and stole money, I presumed the ASB could argue against reimbursing my losses. Eventually, I used telephone banking to solve the problem, but I'm not a fan of that service.

Last weekend I was back in Rotorua, and with my laptop availed myself of free Wi-Fi at the lovely Abracadabra Cafe. But the same feeling of impending financial doom hit me. If I logged on via public Wi-Fi and a hacker subsequently got access to my accounts, would the ASB indemnify me?

It turns out that the ASB's terms and conditions don't ban customers from accessing online banking from public computers or Wi-Fi. Michael Ramsay, head of web and mobile at the ASB, recommends using Netcode (a security system that sends a code to your mobile phone before it releases the money to ensure that it's you making the transaction) if you're likely to use public computers. If you do use them, change your passwords regularly, he says.

The really important word when it comes to banking is "negligence". Kiwibank, for example, points out that under the terms and conditions of its MasterCard products, customers will not be liable for any losses, providing they have not acted "fraudulently" or "negligently" while using their card, and providing they tell the bank within a reasonable timeframe of discovering a fraudulent transaction.

If you give away your PIN or internet log-in negligently, however, then the banks could argue they are not liable for your losses.

Online shopping also makes me nervous about the possibility of being "negligent". I'm happy to buy something on Trade Me using my Visa, or from a big international company such as Amazon. Smaller offshore and especially virtual retailers are another issue.

Back in September I NEEDED to buy a Manchester United cake topper for my son's birthday. At the time, the potential ire of the 9-year-old was a worse fate than the fear of Nigerian hackers, so I used my Visa at Easycaketoppers.co.uk.

The site didn't offer "Verified by Visa", which is an additional level of security like MasterCard SecureCode, which the banks like us to use. I'm told, however, that I wasn't being "negligent" by shopping on the site, which means the bank would have paid out if the website had been a front for hackers.

The comments in this article don't relate just to the ASB. All bank customers need to be aware of the terms and conditions of their accounts when using credit and debit cards, ATMs, and internet banking.

Rereading the terms and conditions for my credit card and internet banking this week has been very interesting. It became obvious that my internet-banking password didn't pass muster because it was the same as my Trade Me login with a few extra digits after it. It was changed immediately.

The Banking Ombudsman Scheme has heard cases about this exact problem. One bank customer used the same password for his bank account and his internet service provider, and his bank refused initially to reimburse him, although the ombudsman had a different view.

One rule in the ASB's terms and conditions that jumped out at me is that I should "Consider using a different PIN for different cards", although I wonder how the word "consider" might be interpreted in court.

And this one never would have occurred to me: "If your ... registered mobile phone has been lost or stolen you must let us know immediately." In retrospect it makes sense. "Never email your card number" was another I'm sure I've been guilty of more than once in my life.

I know that some people log in to their bank accounts successfully from their smart phones, which is a good option. I find mine a bit fiddly, but I'm going to try the new ASB Android application, which would negate the use of public internet when I'm on holiday or away on business. Most banks have similar offerings.

Another case heard by the Ombudsman was Mr G, who failed to notice that his debit card wasn't returned when he bought a hamburger. Case notes on the Banking Ombudsman's website show that he didn't usually use that card so he didn't realise for five weeks that it was missing. In the meantime just over $100,000 had been stolen from his account. The money had been earmarked to buy a house.

The bank offered to refund $71,700 to Mr G, arguing he had taken too long to notify them of the theft. That amount was eventually increased to $96,250 after the Ombudsman got involved, leaving the man $5700 out of pocket.

That word negligent could be argued until the cows come home. Also, what is a "reasonable timeframe". If my Eftpos card was stolen or the details intercepted online and a clone of the card made, I may not notice for a fortnight or more, because I use it rarely.

BNZ spokeswoman Erica Lloyd recommends that customers check regularly for unusual transactions on their accounts. "This can be done by checking the monthly statement, or logging into internet banking," she says. "If they notice any irregular transactions on their account, they should contact us immediately."

I've learned a lot reading the Ombudsman's case files. In one case an elderly man had no idea that his Eftpos card, which had been entrusted to a young woman who did his shopping, was linked to his savings account as well as his current account. She withdrew $27,000.

If there is a lot of money in the savings account, unlinking the two could be a good security measure. The Ombudsman's investigation in this case found that there is no legal duty on banks, nor is it common practice, for them to monitor customers' accounts for this type of fraudulent activity, although the bank did eventually agree to reimburse $15,750.

In another case, an overseas student gave copies of her bank statement and passport to an immigration consultant. The fake consultant used the information to set up internet banking on the student's account and stole $20,000 from her.

It's not unusual to be asked to post copies of your passport and utilities bills to financial services and other companies. The Ombudsman ruled that the student had not been careless with her personal information and that the bank had no authority from her to set up internet banking.

The good news is that banks' software often picks up unusual transactions and may automatically stop the use of a card or internet banking if a transaction seems unusual compared with the way you usually operate your accounts. Banks regularly upgrade their systems to keep up with or ahead of criminals, but they don't pick up all unusual transactions.

There are ways to make your account more scam-proof. They include using security software on your computer, not disclosing PINs, logging into your bank accounts and checking them regularly, shielding transactions at the ATM, changing your passwords regularly, and so on.

The ASB has general tips for safer banking here: https://www.asb.co.nz/story991.aspx