The Herald reported last year that cyber criminals had allegedly hacked the man’s accounts, then used a secure messaging function to contact bank staff, posing as the man, and changed his cellphone number to circumvent SBS’s two-factor authentication security checks.
They then added several new payees before moving large amounts of money to six different accounts at four separate banks in 11 transactions over five days.
The man learned the money had been taken only when he logged into his internet banking to pay bills and found his revolving mortgage account had been drained to its $134,000 limit.
After SBS refused to reimburse him, he complained to the Banking Ombudsman, who launched an investigation into SBS’s handling of the man’s complaint.
Emails obtained by the Herald show the Banking Ombudsman’s office conducted a survey of other New Zealand banks to gauge how SBS’s security processes compared.
“The survey results show that two-thirds of banks surveyed would have required additional verification from the customer before accepting an instruction via internet banking to change a mobile phone number,” a March 13 email from a Banking Ombudsman investigator says.
“They would have verified this request by sending a code to the existing registered mobile number or by requiring the customer to undergo its telephone or branch identification processes.
“I’ve shared this information with SBS and inquired whether this impacts its position on [the man’s] complaint.”
Several months went by before a settlement was finally agreed.
The man said he was unable to comment on details of the agreement because of a confidentiality clause.
Weeks after the alleged theft was revealed, he suffered a serious heart attack and needed treatment in Dunedin Hospital’s intensive care unit. He believes stress linked to the episode was a factor.
Asked what toll the ordeal had taken on him, he said: “I don’t know because I’m not looking in from the outside. Mentally it’s shattered me. I’ve just got no tolerance, I’ve got no patience.”
Since the settlement came through, he had withdrawn his money from SBS, closed his accounts and gone to Kiwibank.
“I’m relieved to get something back but I still think they’re a bunch of a***holes.”
The Herald can also reveal that police have now identified several key suspects in the fraud, two of whom are behind bars on unrelated offences.
The man believes the bank statement was stolen from his home while he was out of town during Anzac Weekend last year.
He is still mystified as to how the criminals used the statement to glean his internet banking login and password, but suspects they “wiggled it out of SBS”.
He hoped those responsible would face justice, but said the police investigation was ongoing and he understood there were possible gang links.
“There’s various people involved and, as far as I know, the ringleaders are in jail.”
He hoped his case would spark a review of bank security, given the exponential rise of bank fraud and scams.
“Technology is moving that bloody fast. A poor old prick like me can’t keep up with it. I don’t think half the population can keep up.”
An SBS spokesperson said the bank was pleased the matter had been resolved “in a way that recognises respective responsibilities”.
“Situations like this are a reminder that, even with all of the security systems that banks have in place and continue to enhance, it is always critical for customers to protect their personal banking information.”
Police said the investigation was progressing.
“We remain in regular contact with the victim and appreciate how upsetting this matter is for him. We are not in a position to comment on specifics while the investigation is ongoing but can say we are continuing to follow positive lines of inquiry.”
Massey University banking expert Associate Professor Claire Matthews said the survey results suggested SBS’s processes “weren’t as robust as they could have been”.
The settlement did not necessarily mean SBS had acknowledged doing anything wrong, but may reflect that “perhaps there is some room for improvement”.
Gagging clauses were common in financial settlements to counter the risk of commercial information falling into the wrong hands.
Don’t be scammed
• Never disclose PINs or passwords or save them in any way – including in your internet browser settings or in disguise.
• Investigate recipients to ensure they are genuine before sending funds.
• Never accept money into your account for subsequent transfer to others.
• Check your accounts regularly to ensure money is going to the right places.