Banking Ombudsman: accessing unsecured public Wi-Fi risky

Banking Ombudsman: accessing unsecured public Wi-Fi risky

People who store personal information, including bank account details and documents with signatures, on their email accounts put themselves at risk if they access emails using unsecured public Wi-Fi, says Banking Ombudsman Deborah Battell.

“In a recent case, an overseas couple put a six-figure sum on term deposit with a New Zealand bank only to have it stolen from the account months later. Our investigation found the theft occurred due to an unfortunate combination of the couple’s use of public Wi-Fi and because their bank’s security practices regarding emailed instructions were not sufficiently robust.

“In this case, the couple accessed their emails via unsecured public Wi-Fi at an American airport. Unfortunately their account was hacked and the fraudster found separate emails – one that included bank account details, and another with a signed employment contract attached. This ultimately enabled the fraudster to pose as one of the customers and successfully email instructions to the bank transferring funds out of the couple’s account.

“The fraudster was able to make the email look as though it had come from the couple’s address and fooled the bank into thinking it was genuine.

However, scheme investigators found the signature copied from the employment agreement was not the same as the one held by the bank. And, after surveying other New Zealand banks on their processes for emailed instructions, also found the particular bank’s practice was out of step with the rest of the industry at the time.

Some banks simply do not accept email instructions, acknowledging the risk of email addresses being hacked. Other banks accept emailed instructions, but only after verifying the request has come from their customer by, for example, calling the customer back at a number held on file and asking a series of security questions.

“It is crucial banking best practice prevails to maintain customers’ confidence. Fortunately, our enquiries have shown this to be an unusual case, and we were pleased the bank concerned moved quickly to enhance its security procedures around emailed instructions,” Ms Battell said.

Customers need to know the risks of storing documents on email, and regularly clear out information that could be used to verify their identity. It’s also a useful reminder that security questions (including those due to the new anti-money laundering requirements) and banks’ restrictions on how they accept instructions help to protect customers from fraud.

”We found in favour of the couple in this case and the bank has now reimbursed the amount fraudulently withdrawn, paid the couple interest lost following the withdrawals, and placed their total funds back on term deposit,” Ms Battell said.

ENDS