Johannesburg -
Forensic scientist Dr David Klatzow is planning a major class-action lawsuit to challenge what he perceives as a systematic failure by FNB to properly represent its customers’ interests in online banking fraud cases.
Klatzow has thrown down the gauntlet after discovering cyber investigators appointed by FNB itself could not confirm the bank’s version of how the online accounts of its client, Cape Town audiologist Gail Jacklin, were hacked in early January and more than R300 000 siphoned off.
“We need to get behind the cover-ups and evasions and the refusals by the banks to play open cards around online banking fraud. And we need the banks to acknowledge their responsibilities to their clients rather than buying them off to keep the truth out of the public eye. A class action would be a way of breaking through the veil of secrecy,” said Klatzow.
FNB’s representatives wrote off the theft from Jacklin’s account to “phishing” - a fraud in which the victim “compromises” secret login credentials such as passwords by responding to e-mails or engaging with fake websites purporting to be from (or represent) the targeted institution but is, in fact, sent out by the fraudsters.
Stephan Claassen, the Cape provincial head of FNB’s commercial division, said in a letter, dated March 4, that FNB’s sleuths had “thoroughly investigated” the online security breach, finding that the privacy chain had been broken at Jacklin’s end.
This letter, which the Saturday Star has seen, was aimed at initiating a process to settle Jacklin’s claim. The newspaper understands FNB offered a partial refund, on condition of confidentiality, and an admission of responsibility on Jacklin’s part.
However, after the issue of online banking fraud made headlines, and Klatzow demanded to see Claassen's proof, FNB then apparently agreed to reimburse Jacklin in full - if she acceded to a confidentiality agreement and exonerated FNB from culpability.
At the same time, the bank sent Jacklin’s computer to be examined by cyber-forensic investigators Cyanre Laboratories - although not before Klatzow had the hard drive mirrored for his client.
Cyanre Laboratories delivered its report earlier this month and their findings did not support Claassen’s diagnostics and the assertions in his letter.
The former police investigators now operating as Cyanre Laboratories reported traces of phishing e-mails and other malware were found having been sent to Jacklin’s inboxes. “No traces were found indicating that the malware had captured Mrs Jacklin’s online banking user credentials.”
Cyanre concluded “no evidence was found that the user had interacted or accessed the malicious URLs identified from the various e-mail messages”.
The findings were consistent with what Jacklin had asserted all along - that she had not responded to e-mails requiring she share logon details or other security information. This week Jacklin declined to respond, in light of her agreement with FNB.
Earlier this month FNB's own investigations had confirmed the “client’s login credentials were compromised and fraudsters gained access to her account”.
Adrie Stander, programme convenor for postgraduate computer forensics at the University of Cape Town, said scans by cyber investigators were usually relatively superficial, and malware often slipped through.
This was because running “deep” scans “would make a computer very slow and unpleasant to use”.
In a case such as Jacklin’s, the scan would “mainly look at browser history to determine the sites the user had visited. If the user did visit a phishing site, there would often be clear indications of such a visit...”
In such cases, the bank, having warned the client of the dangers of phishing, would not be liable and the user would carry at least some responsibility.
Stander noted: “The problem is (that) when they cannot find definitive evidence (which is often the case), the banks often speculate and accuse the user - it’s extremely unprofessional to rely on speculation in a forensic report, in particular if no concrete support for the speculation is offered.”
Speaking at a cybercrime summit on Friday, Faizal Docrat, an information, communication and technology adviser at Mazars, said South Africa was the third most gullible country to phishing scams, in the league of China and Russia.
Saturday Star