The news that has dominated South African newspapers in recent weeks has been the reports about a hacker who has targeted a number of people in the Western Cape area of Bellville. The hacker has been able to access and remove funds using these people’s Internet banking details with ABSA bank. The media has picked up on this particular topic and has run with it, and talk shows have allowed fairly wild speculation and complaint on a daily basis. The issues related to this particular instance of hacking are actually quite simple.

A hacker sent emails to people who opened them and without them knowing it an attachment on those emails installed a program on their computer. This programme (called ‚spyware‛) then starting recording every single key that they pressed on their keyboard, and sent this information back to the hacker, who would then sift through the particular set of information and was able to extract from that the user’s Internet banking details, including account number, login name and password.
In other words the security that the bank actually has in place was not compromised. The purpose of Internet banking is that you, using your username, password and account number should be able to log in from a computer anywhere in the world and proceed with banking. Essentially the hacker simply stole an identity document and was able to go to the bank as if they were the person who owned the account. There is now widespread panic about Internet banking, with many people cancelling this facility.
We need to stay calm and sensible about this particular instance and there are a few responses we can make:
“This particular approach to fraud is nothing new. This may be the first documented case of this happening in South Africa, but it has happened overseas and is certainly something that somebody with half an understanding of computers should have known would happen sooner rather than later. In fact, in the June 14, 2003 edition of New Scientist magazine, a small news item warned that a new variant of an old virus, known as BugbearB, is now doing the rounds, and is specifically designed to capture bank login details on user’s machines (i.e. exactly what has happened to ABSA). The bank’s responsibility in this regard should have been to warn their clients about this potentiality and to get them some info on how to ensure it would not happen to them (see Keith Coats’ article on information at http://www.tomorrowtoday.biz/article_026.htm). In case you haven’t been concentrating as the banks have responded, the two major things that you should do to ensure that this does not happen, is:
1.Take care of viruses. This means not opening emails from people you do not know, and certainly not opening suspect attachments from anyone. It involves making sure that you have the latest anti virus software on your PC and that you keep that antivirus software permanently updated with the latest downloads of the antivirus definitions. It also means running virus scans regularly on your PC.
2.Understand the nature of the Bugbear-type spyware software used in this scam. It is possible to record the keystrokes on your computer. So, to protect yourself, do not type in your account number. I copy and paste my account number from a text file which I keep somewhere on my computer. I continually change my passwords as well – on a monthly basis, if not more, to make sure that if someone is watching me, either physically or electronically, it is slightly more difficult to get into my accounts.
“These things are the responsibility of the user, and not the bank. However, the bank did have a responsibility to warn their clients about the possibilities of this type of fraud. Unfortunately the banks have a trade-off between ease-of-use on the one hand and the security of their system on the other. Right now there is such competition to get people onto Internet banking that the banks have made it too easy and have not wanted to scare off potential customers for their Internet based services. At that level the banks should take responsibility. However, that responsibility is limited. These are known risks with using Internet banking and these are risks that people using this channel should have been able to foresee themselves and should have been ready to take.
“We need to understand that using Internet Banking is just another channel for banking services. It is not a different type of bank you are dealing with – it is simply a new channel for your old bank to do business with you. And so, for instance, if somebody stole your ATM card or your credit card, and used it without your knowledge, you would be in exactly the same position as you are if someone steals your Internet identity. You would be in a position of having to prove to the bank that someone had stolen from you and had defrauded you, rather than you taking out the cash from the ATM or using your credit card. Of course banks have had these channels of ATM cards and credit cards for some time and have systems in place, like call centres, where one can query transactions. Maybe banks need to institute some sort of querying facility for Internet banking. But I am assuming that they do have these available through their normal call centres. Our responsibility as banking users is to safe guard our information and our access codes (be that electronic access code, an ATM pin number, a credit card, or a cheque book). If we were walking around with cash between our car and our bank we would need to be equally vigilant and could not hold the bank liable for any fraud that took place while those instruments were in our hands. So, the lesson then is that every new technology brings new risks and require changed behaviours and new understanding.
“Part of the big problem now is that people are using the Internet channel which they do not fully understand. Users should not just go through the motions when it comes to technology but gain a real understanding of how the technology works and what the risks and implications are of using that technology.
“Nobody seems to have commented on the issue of how easy it should be in theory to track down the person who perpetrated this fraud. The media are reporting that nearly half a million rands were taken from ten accounts at ABSA. It is impossible to take money ‚out of the Internet‛ – I don’t know what that means. Does it mean that the person printed it out on his colour printer and cut out these notes and took them to the shops? No! Clearly not. The only way this person could have taken this money was do an electronic transfer (or EFT transaction) and taken the funds out of the people’s account and fraudulently putting it into another account. The bank would have a record of who owned that account, and the electronic data trail would be very clear. Even if the person who committed this fraud has already taken the money (i.e. actually withdrawn that cash from the bank) the bank would certainly have a record of who owns the account and would be able to track the person. Now fraud could also have been perpetrated at that level, with an account in a false name. Back in the old bricks and mortar system, the bank requires you to fill out a pile of documentation signing in multiple places and giving them numerous copies of your ID book. We have all been there and we have all sworn at the bank under our breath as to how out of date they are in terms of needing those pieces of paper. But in this particular instance it will be those pieces of paper that will protect the bank and be able to assist them in tracking down this fraudster. In fact, this is what has happened â€? two suspects have already been tracked down and one is in custody and being questioned by police at the moment. The point is that this type of electronic fraud, far from being more problematic, is actually easier to trace.
“We should not get over concerned about this new channel. I heard an interview with one of the woman who was defrauded, who rightly was in an emotional state who basically indicated that she has completely cancelled her internet banking subscription and will now never do banking by internet again. That seems crazy to me. If somebody defrauds you by misusing a cheque book, would you stop using cheques completely? If somebody defrauded your credit card would you stop using them? If somebody ever stole cash from you would you stop using cash? If that is your attitude to the world you might as well just crawl away and hide. Internet banking may have new risks attached to it, but they are no higher than any other risks that we carry today with any channel or financial interaction. All we need to do is make sure that we understand the risks involved and mitigate against them as far as possible.
“My final point relates to ABSA and what ABSA needs to do now. At TomorrowToday.biz we contend that society is in an historical transition from an information economy to an emotional economy. We are in a transition from an era where technology and computers and the control of information were what gave the companies and individuals competitive advantage. We are moving to an era now where information technology is necessary but not sufficient to give the competitive advantage. Today the competitive advantage is in relationships. In the light of this, what is ABSA to do now that they have been the first bank to be stung by hackers?
1.ABSA need to realise that there might be the odd person who is so scared that they cancel their Internet banking. There might be a few people that, having not understood or thought through the issue correctly, believe that it was ABSA systems that let him down and may transfer to another bank. But these will be minimal. ABSA are not going to be stung by this particular hacker much because ABSA (together with all the big banks) understands that it is not the technology and the information that impress people, but it is their relationships with these people that are going to keep their clients at the bank. ABSA and the other banks moved incredibly quickly to help people understand the nature of the problem. They put information and free downloads onto their websites. They were prepared to spend a lot of money on media, radio and TV ads giving the same information. They also sent out emails to their clients. The focus must be to preserve the relationships and trust with clients.
2.The other banks better not sit back and gloat and say that ABSA are in trouble. The other banks are equally open to this particular approach to fraud. These days people do not bank with a bank because it offers a good product at a good price with good service. Every bank in the world offers essentially the same or similar services at the same or similar price, to same or similar customers. They advertise in a same or similar way through the same or similar media and they even swap staff every few months. So why is it that we choose the banks we bank with? Well largely it is not on the basis of what the bank does, rather it is about who the bank is. At a time of crisis like ABSA has currently experienced, you get to discover the true nature of who the bank is.
How ABSA responded to these ten people and others that may emerge who have been defrauded will be critical in the perception that the market has of who ABSA is. Our message to ABSA is to make sure that in this crisis you focus on the relationships with the customers rather than the technical aspects of the information technology that have been compromised on those individual’s computers.

TomorrowToday Global