One Online Click Can Be Financial Disaster

Sun Herald

Sunday September 17, 2006

Debra Cleveland

Online fraud is costing Australians $25 million a year. Debra Cleveland tells how to avoid the traps.

IF YOU'VE ever had your home burgled, you probably felt violated and defenceless knowing an intruder had broken into your personal space. Imagine how much worse it must be when the theft is online and you've no idea how the perpetrators got in.

Internet banking and online shopping have become hugely convenient for many households, but along with the increase in their use are jumps in online fraud as well.

About $25 million is lost each year in Australia to online fraud, says David Bell, chief executive of the Australian Bankers' Association.

"That's still low compared to other forms of fraud in the banking sector - for example compared with $100 million for credit-card fraud. Our concern is not so much the number but the fact that people are having their accounts compromised."

The banks are investing heavily in infrastructure and prevention, but there are precautions you can take at home.

Protect yourself

"If you're doing your banking online you do need to be careful because criminals are targeting money in your bank account," says Matthew Aburn of Australia's Computer Emergency Response Team (AusCERT).

Whether it's online banking you're using or your credit card for purchases via the web, caution is required.

Take the elderly woman from Western Australia who had $25,000 stolen from her bank account recently after she unwittingly replied to a "phishing" email - a hoax email purporting to be from her bank and asking her to reconfirm her password details.

"The email asked her to go to the bank's website to reconfirm her password details, and provided a website link," says Indira Naidoo of the Australian Consumers' Association.

"But it was a false site and they took her password and user details." The woman was refunded by her bank, Naidoo says.

Twin dangers online

The two main forms of online banking fraud are hoax phishing emails and trojan viruses.

To avoid being hooked by the former, don't respond to emails claiming to be from a financial institution. Just delete them, says the Australian Securities and Investments Commission.

Your bank would never contact you by email to confirm confidential information.

Avoiding trojan viruses, says AusCERT's Aburn, is a bit trickier because you usually don't know they're being downloaded.

The goal of the attacker is to install "malicious" software on to your computer, after which it can record your key strokes and hijack your bank accounts.

"If your software isn't up to date, simply visiting a webpage is enough to give complete control of your computer to an attacker," Aburn says. "The most common ones we see are emails saying you've 'got an e-card from a friend, click here'. Or they might try to lure you with a sexy picture, or send you an email telling you your order has been confirmed at a shop you've never heard of."

While curiosity may be a natural reaction in many of these instances, hit the delete button instead. Because once you've let a trojan through the door, it's game over, Aburn says.

What you can do

The first rule of internet banking is not to reply to emails requesting your password or PIN (personal identification number). "No matter what tricks they use, don't reply to them," says Delia Rickard, acting executive director of consumer protection at the Australian Securities and Investments Commission.

Email scams are changing, she says, citing a recent one claiming to be an online survey from the Commonwealth Bank and offering $25 to those who completed the exercise. "It's a new variation," she says, "and a few people probably fell for it."

"We get quite a lot of protection when we do bricks and mortar banking - there are security cameras, guards outside the door," Naidoo says. "But consumers need to know a similar sense of security is there when they do online banking."

Crucial to your protection is firewall and anti-virus software as well as the upgrades, says John Alfano, a consultant in the forensic division of Deloitte Touche Tohmatsu, which in June published a global survey on internet banking fraud. "As new viruses or scams are identified, most providers then upgrade their software reasonably quickly," he adds.

How the banks respond

Check what your bank has to offer. Alfano says some banks offer free protective software. Others, such as St George, offer discounts to its customers - for example $20 off a $89.95 software package.

Westpac has tried to counteract keylogging (recording what you type in) by offering customers an on-screen keyboard for password entry. Other banks have opted for authentication services such as tokens (little devices that generate one-time passwords) or SMS-generated passwords before transactions can proceed.

NAB's SMS payment security initiative has saved many customers from being defrauded, says the bank. Ean van Vuuren, head of NAB internet banking, cites one example where a customer received an SMS at 2am, querying a transaction - and stopped a theft of $2400.

Shopping online

Be careful about giving out bank account or credit card details, says online auction house eBay. Entering these details on several different merchant websites lifts the chances of your personal details being misused.

Don't use wire transfer services such as Western Union or MoneyGram, advises the auctioneer in Websmart, its newly launched guide to safe online shopping. That's because they provide no protection if things go wrong.

By contrast, using PayPal, an online payment service, your account information is hidden from the seller. Depending on the seller's feedback, if there is a PayPal shield you will be covered for up to $1500 if the item is not received or is significantly different from its description. If you're buying more expensive items, place your money in trust with an escrow service until the purchase arrives. Don't use an escrow service recommended by the buyer, advises eBay. If the seller is not covered by PayPal protection or you've paid by direct deposit or credit card, you'll be covered for up to $375 under eBay buyer protection

In terms of shopping online elsewhere, a site that has the prefix https://www is a secure site, says the ABA's Bell. Another signal of a safe site is the symbol of a padlock on the screen.

Other scams

When it comes to credit cards, the possibilities for fraud are endless. Like online banking, exercise caution and good sense. If possible, lock your mailbox, suggests Naidoo. "Often when your credit card is being renewed the card is posted to you for signature although it's already active. We came across a scam recently where mailboxes were being monitored and it was easy to spot plastic cards in letters."

Be wary of passing on all your personal details. "I recently applied for a video card membership and was asked for 100 points of ID, which would have involved my passport, driver's licence, credit card, mail showing my address," says Naidoo. "We need to ask why this is required and where this information is going."

Don't let your credit card out of your sight, suggests Deloitte's Alfano. Even at the petrol station or at a restaurant, it's possible for someone to skim your card a second time and "steal" the details off the magnetic strip. Shred your documents, says Lorna Johnson, head of deposits and electronic channels at St George, to avoid your identity or personal details being stolen.

While overseas, says Bell, don't toss your credit card receipts in the bin - you may be giving a fraudster valuable information since some countries' receipts contain the full account number. In Australia these are truncated on the receipt.

PROTECT YOURSELF

? Do your online banking on a computer that only you use - avoid shared machines.

? Make sure you have anti-virus software, anti-spy software and a personal firewall on your computer, and update the software often.

? Never use a link to access your bank's website - type in the address yourself.

? Vary your passwords - don't use the same password for your bank account as your video card, for example.

? Ignore emails that request your account details and passwords - delete them immediately.

? If you're online for much of the time, go offline just before going back on to connect with your bank's website. Do the same after you've finished your online banking.

? Check your statements - if there any irregularities contact your bank immediately. If you are innocent, out of pocket and your bank does not reimburse you, contact the banking ombudsman.

? If you're going to be away, ask your bank whether you can "freeze" or lock internet access to your accounts.

? Banks track unusual spending and will contact you if they spot anything unexpected. So if you're going overseas, it's probably worth letting your bank know to avoid any mishaps.

CASE STUDY: THE MISSING MOBILE PHONE

A disconnected phone was all David De Aquino found when he tried to track down the Nokia 6101 mobile phone he'd bought on eBay. He paid $350 for it via direct deposit last October but never received it. A week later he emailed the seller - no response. Then he contacted eBay's security centre and was given the seller's contact number, which had been disconnected. After placing a claim through eBay's buyer protection program, which covers purchases paid via credit card or direct deposit for up to $375, he was reimbursed a few weeks later. He is now really careful about checking feedback on sellers to avoid a similar experience. "I bought a pair of genuine Von Zipper sunglasses the other day," he says, "and now I'm looking for another mobile phone."

CASE STUDY: THE TEA SET

A month after buying a rare Royal Albert Old English Rose tea set on eBay for #250 (more than $600), antiques enthusiast Sharon Taylor was thrilled to be refunded the full amount by eBay payment system PayPal after it failed to arrive. Four weeks after sending payment through PayPal, Sharon contacted the seller, who claimed to have posted her item, but still it didn't turn up. After lodging a complaint, she was refunded the full amount as the seller was unable to prove he had mailed her purchase. "There were no problems with the resolution process," Sharon says. "Now I will only ever make a purchase using PayPal. If a seller doesn't offer it as a payment option I don't buy from them." She recently bought a $500 tea set from the US.

© 2006 Sun Herald

Back to News Index | Back to Home