
A Theft – but Stupid?

By cranky - 1 August 2008 47

Discovered today that someone has overnight managed to empty one of my bank accounts to the tune of $1500+. Bank (ANZ) and Police advised.

In the absence of any other explanation, it would appear that access details were probably garnered by tapping into our home wireless network.

The transaction popped up as an Internet bank transfer, so both access code and password were required to do the deed.

If anyone knows of a Benjamin John McKay, the name of the apparent recipient of this transaction, who is walking around with a $1500 smile on his gob, the Police would be very interested.

I’m a bit less than impressed with the ANZ’s method of dealing with this occurrence. No feedback, and more interested that the fraud is in Police hands and stat decs (very carefully worded) are received than apparently tracking down the above perp.

Bank holiday Monday cannot help.

Police were excellent.

47 Responses to A Theft – but Stupid?

aronde 9:50 am 02 Aug 08

DJ said :

I had huge problems years ago with ANZ causing me to take my business elsewhere. I traveled to Africa in 1997 and used my ANZ Visa while over there. .

That is amazing. I was in Africa in 1997 with an ANZ card and had a similar issue when the ‘merchant’ (in this case a bank for a cash advance!) decided to process it with an extra zero on the end (old paper based transaction with the ‘clacker’). Only noticed when back in Australia and despite having my clear copy of the handwritten voucher I had enormous problems getting ANZ to reverse it. They said they could do nothing about it and the now accruing interest until they sighted the original from Africa which could take weeks (by now this was the only transaction left to pay on the account). I said fine, I just won’t pay anything until you sort it out, they said we will have to apply penalty fees and it could affect your credit rating and could take you to court. I said yes please and they suddenly decided to place it in a ‘hold’ and then eventually reversed it. Needless to say I cancelled the account and have had nothing to do with them since!

johnboy 9:28 am 02 Aug 08

About a year ago the bank (Commonwealth) spotted a fraudulent international call on my credit card and automatically refused the payment and froze the account.

Yes it was a pain getting the card re-issued but can’t fault them for diligence.

Also the day I went to civic and bought $1,000 in clothes from John Hanna and a new Playstation it was nice to get a phone call from the bank checking it was me going on a shopping spree.

captainwhorebags 8:56 am 02 Aug 08

Banks aren’t interested in fraud, unless they lose money themselves.

A friend of mine had a cheque taken out of her chequebook and then used to steal $2000. When she got the cheque back from the bank, the signatures were obviously completely different. The attitude of the bank was “not our problem, refer the matter to the police for court action”. So much for checking a supposed security device.

That being said, I once had some transactions charged to a visa card by an overseas party. No idea how they got the number, it could have been from a credit card generator (these were the days before CVV2 validation). When I rang Commbank they said to fax them a written declaration that they weren’t my purchases, and they put a hold on those specific items. I was told that they would request a signature for the purchases and if one wasn’t forthcoming that they’d be removed from my account. All very easy to deal with.

cranky 8:14 am 02 Aug 08

JC,

1) I would like some indication from the bank that they have the means to track the transaction.
2) I would like some indication from the bank on the chances of my being reimbursed the missing amount.
3) I would like to know if the bank is going to honour or bounce my rent cheque.

ANZ have a fairly effective wall between their fraud department and the customer. It would appear that all contact after the initial complaint is to be conducted by e-mail and fax.

I am 100% certain I have never been to a spoof page. I have a well developed scepticism for the strange.

VYBerlinaV8_the_one_ 7:27 am 02 Aug 08

Agree with JC here – the network used to access the bank website won’t have been particularly relevant simply because the SSL session encrypts the data (including logon credentials) independently of the network itself. You have probably been stung with a keylogger. These days, it’s critical to keep antivirus and antimalware up to date, and bear in mind that not all antivirus products are created equal, so ask around a bit to find one people generally regard as good.

JC 5:00 am 02 Aug 08

All the wireless security advice is very valid, but when logging into a bank or any other secure site the data, including the passwords etc would be encrypted anyway so no great worry there. In cases like this it is more likely that a keylogger has found its way onto a PC used to access the bank or the person has gone to a spoofed web page where the details were stolen.

As for the bank, what do you want them to do? It is a police matter more than anything now.

caf 10:45 pm 01 Aug 08

The best thing you can do is, when you connect to your bank’s web page:

1. Make sure that the connection is using SSL.

2. Check the SSL certificate, and make sure it is valid and matches the expected domain name for your bank.

Even this isn’t enough if your computer is infected with a keylogging trojan.

A few more things to ponder: “Benjamin John McKay” is quite possibly an innocent party, whose account has also been hijacked and is being used to launder the amounts, and the criminal(s) are quite possibly outside Australian jurisdiction.

utah 10:14 pm 01 Aug 08

It’d be worth checking your PC for spyware/trojans as well – it could be they got your details directly from your PC, rather than the network. In fact, given that the communication between you and your bank would be encrypted by HTTPS even over an unsecured wireless network, it’s the most likely line of attack. Try Lavasoft Adaware (which is free), Spybot Search and Destroy (which is free), or the Windows Malware removal tool (which comes with Windows). Bear in mind some of these sneaky little beggars will hide through all that.

If you really want to be sure, back up your data (just data, not programs), make a list of your applications, reformat the hard drive, re-install your OS and apps, update them (to patch up any security flaws) and then load your data back on.

DJ 10:06 pm 01 Aug 08

I had huge problems years ago with ANZ causing me to take my business elsewhere. I traveled to Africa in 1997 and used my ANZ Visa while over there. In 2001 some smart cookie in Botswana started using it again. The ANZ eventually suspended the account after the same amount was charged five days in a row and then on the sixth the limit was reached and the transaction declined.

It took me over four months to convince them that it wasn’t me and that I wouldn’t pay them anything more than what the balance was before the African fraud occurred. They threatened court action and I welcomed it… they eventually advised me they were not proceeding and that I only had to pay the outstanding balance on my original purchases plus some interest… ok I said but when I asked for the calculations for the interest it included interest on the amount I was not responsible for! Eventually all was sorted but it wasn’t nice dealing with them.

mooliganbags1 9:31 pm 01 Aug 08

Keep at the bank. They’re usually pretty keen to maintain trust in their internet banking services and your case sounds like a breach of security beyond anything you could control or foresee.

I’d be interested to see what happens.

kenneth 9:30 pm 01 Aug 08

Hidden SSIDs can affect performance though and still can be found.

MAC addresses can also be spoofed.

Basically having WPA-PSK with a strong phrase (eg. This is a very long phrase!!! is better than cat) is what you want.

Tons of posts on Whirlpool about security.

Jonathon Reynolds 8:10 pm 01 Aug 08

Base minimum for security for Wireless networks:

-turn off SSID (it doesn’t help to be openly broadcasting that you have an access point)
-turn on encryption (if your Access Point and wireless access NIC don’t support the newer WPA standards buy one that does)
-ensure that you only allow access via known MAC addresses (nothing to do with Apple systems – this is the “unique” identifier of the network adapter in your PC – if your access point doesn’t support locking down access by MAC address get one that does)
-ensure that you are using strong password encryption on the Access Point (the password you use to log in to your access point is something like “P@Ss\/\/0rd” – all your passwords should be ‘strong’)
-enable the event log on your Access Point (will allow you to see who and what is connecting and when)

The other thing to watch is “spoofed” internet banking login pages. It is a well-known ploy for hackers to spoof the login page, you enter the correct details as if you are logging in. In this process the hacker grabs your login and password, directs you to a page as if you have entered the wrong details (in the meantime they have your details). You are then dropped back to the genuine log in page where you enter your credentials again and this time you get to log in. How to avoid this… make sure you are running latest Anti Virus, firewall and anti-spam software. Never accept that the bank will email you to update or confirm your details.

Finally the banks are just as much to blame by allowing simple authentication credentials. (just username/password). They could fix this by insisting on token identification as part of the log in process. With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring. I enquired about getting something similar from my bank and they advised it was only available for a “business” account.

Hope that helps.
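
The expiring six-digit token described in the comment above, sketched as a time-based one-time password (RFC 6238) with a server-side check that accepts each code once. This is an added example, not part of the thread or any vendor's code; that the device in the comment uses this algorithm is an assumption, the `Verifier` class is hypothetical, and the key is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid, as described in the comment
DIGITS = 6   # length of the number shown on the device

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """The code the device would display at Unix time `now`."""
    return hotp(secret, now // STEP)

class Verifier:
    """Server side (hypothetical): one use per time step, small clock drift allowed."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_step = -1  # highest time step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue  # this step or a later one was already used: no replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

# RFC 6238 test key, a published constant and not a real credential.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = Verifier(SECRET)
    code = totp(SECRET, 59)
    print("code shown at t=59:", code)
    print("first use accepted:", server.check(code, 59))
    print("same code replayed:", server.check(code, 59))
    print("same code two minutes later:", Verifier(SECRET).check(code, 179))
```

A password captured once stays usable until it is changed, while a code from this scheme is rejected after its first use and after its time window passes.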

Headbonius 7:55 pm 01 Aug 08

Cranky wrote “Police were excellent.” Nyssa76 please take careful note. I don’t believe there is anything ambiguous about this. ;P

cranky 7:40 pm 01 Aug 08

I really don’t know. I’m checking – but I believe the network is well locked down.

johnboy 7:32 pm 01 Aug 08

Was your network encrypted Cranky?

Copyright © 2017 Riot ACT Holdings Pty Ltd. All rights reserved.
www.the-riotact.com | www.b2bmagazine.com.au | www.thisiscanberra.com
