Unite Union advocate Mike Treen is questioning the security of online banking platforms after thieves stole $13,000 from his Kiwibank account. Photo / Alex Burton
Unite Union advocate Mike Treen is questioning the security of online banking platforms after thieves stole $13,000 from his Kiwibank account. Photo / Alex Burton
A high-profile union boss is questioning the security of internet banking platforms after fraudsters accessed his online Kiwibank accounts and drained $13,000.
However, Kiwibank is defending its systems as robust and says the man was most likely victim to a scam.
There are also suspicions information on the man's phone may have been compromised when the device was serviced at a shop, providing thieves with potential access to his log-in and password details.
Unite Union advocate Mike Treen was shocked to receive an email on July 21 from Kiwibank's fraud department.
He rang the call centre and learned $13,000 had been siphoned from his cheque account that day in three separate transactions - $5000 and $3000 to different ANZ accounts and $5000 to an account registered with SBS Bank in Southland.
The cyber criminals had also secretly moved $5000 from Treen's credit card to his cheque account to enable the theft.
Treen told the Herald he did not authorise the money transfers, or receive an authentication text alert from Kiwibank to confirm the transactions were legitimate.
He claimed bank staff initially suggested he may be responsible.
"They treated me like I was an idiot, like I had essentially done something to give my password to somebody over the phone.
"They made it very clear that it was up to me to try and fix it."
Treen - who has since been refunded the stolen money - is adamant he did not share his internet banking log-in details or personal information with anyone.
Kiwibank told him the thieves gained access to his accounts through the Kiwibank app and correctly answered several personal security questions.
Unite Union's Mike Treen had $13,000 stolen from his Kiwibank account by cyber criminals. Photo / Alex Burton
Just three weeks before the fraud, his phone was rescreened at an Auckland store and he suspects staff somehow cloned the device's contents and harvested his personal details.
"They had it for 45 minutes so I was a bit suspicious of that."
Treen has filed a police complaint which has been passed to the financial crime unit.
An August 3 email from a detective asked whether Treen recalled communicating with any scammers, or disclosing his account access details in response to phishing emails, phone calls or text messages.
"This offending is predominantly committed by offenders that are based overseas and have gained access to your bank account via the methods mentioned above. Because these offenders are overseas police can do little to identify them."
The detective said the only course of action for police was to investigate the bank accounts that received the stolen money. However recipient accounts were often used to launder money through "mules" who may also be fraud victims.
Police planned to get court production orders to force ANZ and SBS to hand over the account holders' details to help track the money.
The detective reiterated that banks and legitimate companies would not ask customers to provide their internet banking details via text or email.
"Those requests are sent by scammers. Delete them immediately."
An email to Treen last month from a Kiwibank fraud investigator confirmed that ANZ had returned the $8000 unlawfully removed from Treen's account, "however the $5000 transaction to an SBS bank account we were unsuccessful in retrieving".
Kiwibank offered him a $5000 refund "as a gesture of good will", but warned that each case was treated on its merits, and any similar future situation may not result in the same outcome.
In another email last week, the investigator said that based on the thieves' access to Treen's personal information and the phone being serviced just weeks before the theft, Kiwibank believed "the fraud occurred as a result of a scam rather than an extremely sophisticated technological hack".
"However, as you have vehemently denied that you have been scammed, we have ruled the source of the compromise as "inconclusive" (unless other evidence comes to light)."
A Kiwibank spokeswoman said it took security and scams seriously with "appropriate action" taken through bank and police investigations.
Kiwibank was doing its bit by educating customers and providing regular warnings so they didn't become fraud victims.
The spokeswoman said malicious apps downloaded on to mobile phones could compromise personal data. Remote access scams could also result in phones becoming compromised.
Treen said he was now considering shutting his Kiwibank accounts because no one was certain how the thieves gained access to his money.
The irony was he'd worked for the Alliance Party when it was part of the Government that created the state-owned bank and he was a founding Kiwibank customer.
A pensioner has lost $134,000 after cyber criminals hacked his online bank accounts. Photo / 123RF
Treen said he decided to speak out after reading a Herald story last week about an Invercargill pensioner who lost $134,000 when cyber criminals hacked his SBS Bank account.
He questioned how secure people's money was in online bank accounts and how commonly innocent people were being fleeced.
"Maybe there should be obligations on banks to report how often this happens and what steps they're taking to protect people's money.
"I'm an old pensioner who's battle-hardy. But what if you're an old pensioner who's been beaten around in life and gives up? I was utterly determined I was going to get my money back."
SBS Bank said it followed standard protocols to assist Kiwibank, but the SBS account holder had immediately transferred Treen's $5000 after receiving it.
"Unfortunately this means that when Kiwibank approached SBS to recover the funds they had already been transferred and were unable to be recovered."
