The Government considering paid placements for nursing students, why a second Harbour Bridge could be better than a tunnel & major midterm Republican upset in the latest New Zealand Herald headlines. Video / NZ Herald
Police investigating a $134,000 theft from a pensioner’s online bank accounts have identified several suspects who received the money but believe they were used as “mules” as part of a sophisticated scam.
A detective says the case raises questions about the security of online banking systems if cyber criminals can access someone’s accounts so easily and “clean out” the victim’s funds within days.
The Banking Ombudsman has now launched a formal investigation into the case after SBS Bank refused to refund the elderly man’s retirement savings, claiming it was not liable because the recent heart attack victim failed to take adequate precautions.
The victim is an Invercargill retiree who recently underwent triple heart bypass surgery, which he attributes to the stress. He says he did nothing wrong and the bank’s hardline stance is “heartless” and unfair.
Fraudsters accessed the man’s online accounts then used a secure messaging system to change his cellphone number to circumvent SBS’s two-factor authentication security checks.
They then added several new payees before moving large amounts of money to six different accounts at four separate banks in 11 transactions over five days.
The victim only learned the money had been taken when he logged in on July 20 to pay bills and found his revolving mortgage account had been drained to its $134,000 limit.
Southland CIB Detective Donald Ward sought court orders to force the banks to provide details of the recipient account holders.
He told the Herald he had now identified several suspects who he believed had acted as mules, allowing their bank accounts to be used to transfer the stolen money.
“The people above them are the ones I need to identify... the ones involved in getting the money out of [the victim’s] accounts.”
Ward said there appeared to be a high level of sophistication to the scam. He was still trying to determine whether the fraud involved international players and if the money had been wired overseas.
“This is not a fly-by-nighter thing. Whoever has ultimately targeted the man, they’ve known what they were doing and they have managed, because of that and because of the information they had, to access his accounts.”
Ward did not believe the victim had misplaced his wallet or that someone had broken into his home.
He was now awaiting the results of a digital forensic investigation on the man’s electronic devices and investigating whether the culprits were linked to other high-profile scams known to police.
“It all comes back to [the victim] and how they’ve managed to get his password. Has he shared it with anybody? Has he answered any email that purported to be his bank and in fact wasn’t? That’s the $4000 question.
“[The victim] is saying he hasn’t given out his password or personal details to anybody. He’s an honest man and I’m trying to help him the best we can.”
Ward said the case raised questions about the security of online banking systems.
“The banks seem to have a, ‘Nah, we don’t refund you policy unless we’re at fault’.
“SBS, in my view they should be looking at their security features because this affects all of their customers. If it’s that easy once you’ve got a password to get in and access someone’s account, it’s probably not the most secure in my view.”
The Banking Ombudsman has now taken up the case. A senior investigator wrote to the victim’s advocate this week expressing sympathy for the man’s distressing experience and recent health problems.
“Banks are required under the Code of Banking Practice to reimburse customers for unauthorised payments - provided the customer has complied with the bank’s terms and conditions and taken reasonable steps to protect their banking.”
The investigator noted SBS considered the victim had not taken “reasonable care”.
“However, the basis for that conclusion is unclear to me. I will independently investigate the circumstances around the funds stolen from [the victim’s] account to determine if SBS is required to compensate him for this loss.”
A pensioner has lost $134,000 after cyber criminals hacked his online SBS bank accounts. Photo / 123RF
The man told the Herald he hoped the Banking Ombudsman would clear him of fault and force SBS to repay the money.
“Hopefully they’ll point the finger at SBS and say, ‘Come on you buggers’. Personally, I think their system has let us all down.”
SBS said it could not comment while the matter was under investigation by police and the Banking Ombudsman, but was assisting and supporting those processes.
The bank previously said it took the man’s complaint seriously and conducted a thorough internal investigation.
A letter informing the man it would not reimburse him cited delays informing staff of the transactions, and the existence of a notebook containing “passwords and user names for various online accounts you hold”.
“Based on the above information we have concluded that you have not taken sufficient steps to protect your banking adequately.”
