It's when, not if, for online bank fraud

By RICHARD WOOD

It is only a matter of time before New Zealand has its first case of online banking fraud, a local police expert says.

While there have been no reported cases of such "identity fraud" involving online banking in New Zealand, there was a case a few weeks ago in Australia involving the Commonwealth Bank's NetBank.

"If it's happening in Australia, it will not be long before it's happening in New Zealand, if it's not already happening here,"said Auckland police electronic crime lab supervisor Barry Foster.

Forensic analyst Chris Budge, of e-crime New Zealand, agrees: "If you look at any area of identify fraud, if it hasn't already happened, then it will shortly."

He says at its most basic level, every keystroke typed on a computer is recorded on the hard disk, at least temporarily. Special software can be used to intercept passwords. A specific online banking security concern raised with the Herald by retired computer teacher David Rorke involves the online banks' "Pay Anyone" feature. Mr Rorke wanted access to his accounts online while on holiday to make particular payments, but did not want the open-ended ability of the Pay Anyone active - a feature that allows a person to pay money into any New Zealand bank account.

He was concerned that if someone got access to his password they could use Pay Anyone to make payments out of his accounts into other accounts, and then overseas. He banks with both WestpacTrust and ANZ.

WestpacTrust head of e-business Stu Woollett said the bank would consider having the ability to lock down Pay Anyone if a fraud issue arose. WestpacTrust has had the feature, with no daily limit, since it began offering online banking two years ago.

Mr Woollett said, in terms of Pay Anyone, the "risk profile" was not internet-specific and it could happen in telephone banking or at a branch.

"Unauthorised account access is the risk. We are assuring people that it is safe. It is people's perception of the internet that heightens security fears," he said.

But who takes responsibility in cases of unauthorised online account access? An electronic crime expert told the Herald there could be a problem in getting banks to compensate customers who claimed online fraud had occurred. He said if banks decided the onus was on the customer to prove their password had been stolen from their computer, then that would be beyond the capability of most people.