Bank’s duty to protect customers
Internet fraud victims turn to court
VICTIMS of internet banking fraud are increasingly fighting their banks in court. They’re demanding access to key information to determine who is liable for losses from defrauded accounts.
Banks typically hold you, the client, liable when internet banking fraud occurs, arguing that you have assumed the risk of a compromise of your pin and password, even when there is no evidence of negligence on your part.
Cape Town businessman and Absa client Johan Holtzhauzen, who was defrauded of R1.6-million after his wife’s paid-up bond account and his business accounts were plundered this year, is one of the latest victims to have brought an application for a court order in the High Court in Cape Town to compel Absa to give him pertinent information.
In September last year, Cape Town High Court Judge Babalwa Pearl Mantame ordered Standard Bank to give businessman Leon Huson information he was seeking to establish how fraudsters managed to steal R500 000 from his bond, credit card and cheque accounts.
Huson’s attorney, Johan Victor, who is also representing Holtzhauzen and his companies, says that before the bank complied with the order, Huson and the bank came to a confidential arrangement, with which Huson was very satisfied.
The information sought in both the Huson and Holtzhauzen matters included computer logs of any and all access to their bank accounts, financial information and/or personal information; access log details and information (for the six months leading to the fraud) on any and all bank employees and/or outside contractors who had, or could have had, access to their bank profiles, details and statements; and the banks’ computer logs of any “red flags” raised due to unusual activity on their accounts and a full report of what subsequent actions, if any, were taken by the bank.
Holtzhauzen’s court application was in two parts.
The first part was an urgent application and resulted in a consent order in June.
In that application, Holtzhauzen requested information, which the bank has since supplied.
Banks argue that you fall victim to internet banking fraud because you compromise your pin and password.
But for many years, security experts have been saying the one-time password (OTP) system is flawed.
In the event of an illegal sim swap, internet banking fraud is unlikely to be detected by the client because the fraudsters get the OTPs being generated, enabling them to:
● Increase payment limits on your accounts;
● Set up new beneficiaries; and
● Make payments to new beneficiaries.
The second part of the application seeks a court order for Absa to credit the bank accounts that were debited due to the unauthorised payments made from them.
Victor, who is representing about 70 victims of internet banking fraud, all of them Absa and Standard Bank clients, says he’s hoping that Holtzhauzen’s case will be precedent on the issue of liability when money is stolen by internet banking fraud. He’s seeking to establish that in the relationship you have with your bank, you are a creditor and your bank is the debtor, and therefore it’s not your money that gets stolen but the bank’s.
He’s also arguing that the onus is on the bank to make sure that when it acts on an instruction, the instruction was from you, its client.
In November last year, George businesswoman Monica Kruger launched an application against both her bank and her mobile network provider seeking a wide range of records and information after R1.8-million was stolen out of her Absa home loan and credit card accounts in an internet banking fraud involving an illegal sim swap.
Absa eventually provided the information, and the application against the bank was withdrawn.
Kruger’s attorney, Mark Heyink, who specialises in information security, is acting for 33 victims of internet banking fraud. Twenty-nine of them are Absa clients and four bank with Standard Bank.
Banks claim that you have contractually agreed to assume the risk and responsibility for all transactional activity incurred through a third party unless and until the bank has been notified by you that your online banking profile has potentially been compromised.
But Heyink says that does not absolve the bank of its obligation to act diligently in protecting you.
The banks established the one-time pin sent to your cellphone as a security measure to protect you from unauthorised payments.
“Without a compromise of this measure it is highly unlikely that perpetrators could succeed in channelling unauthorised payments to accounts that they control. This measure can be defeated by a sim swap, a fact that has been known to banks for years,” Heyink says.
“Despite this, in the matters I am dealing with, the banks have failed to inform clients of the increased risk that sim swaps constitute, or to take appropriate measures to mitigate this risk.”