Eminent forensic scientist David Klatzow is planning a major class action lawsuit to challenge what he perceives as a systematic failure by a leading bank to properly represent its customers’ interests in online banking fraud cases.
Klatzow has thrown down the gauntlet after discovering cyber investigators appointed by FNB could not confirm the bank’s version of how the online accounts of FNB client, Cape Town audiologist Gail Jacklin, were hacked around New Year and more than R300 000 siphoned off.
“We need to get behind the cover-ups and evasions and the refusals by the banks to play open cards around online banking fraud. And we need the banks to acknowledge their responsibilities to their clients rather than buying them off in order to keep the truth out of the public eye. A class action would be a way of breaking through the veil of secrecy,” Klatzow said.
FNB’s representatives wrote off the theft from Jacklin’s account to “phishing” – a fraud in which the victim “compromises” secret login credentials (passwords, etc) by responding to emails or engaging with fake websites purporting to be from or represent the targeted institution (FNB in this case), but in fact sent out by the fraudsters.
Stephan Claassen, provincial head of FNB’s commercial division, said in a letter dated March 4 that FNB’s sleuths had “thoroughly investigated” the online security breach, finding that the privacy chain had been broken at Jacklin’s end.
This letter was aimed at initiating a process to settle Jacklin’s claim. Weekend Argus understands FNB offered a partial refund – on condition of confidentiality and an admission of responsibility on Jacklin’s part.
Subsequently, however, after the issue of online banking fraud made headlines – and Klatzow demanded to see Claassen’s proof – the ante was upped. Weekend Argus understands FNB then agreed to reimburse Jacklin in full if she acceded to a confidentiality agreement and exonerated FNB from culpability.
At the same time, the bank sent Jacklin’s computer to be examined by cyber-forensic investigators Cyanre Laboratories, although not before Klatzow had the hard drive mirrored for his client.
Cyanre Laboratories delivered its report earlier this month and its findings did not support Claassen’s diagnostics and the assertions in his March 4 letter, which Weekend Argus has seen.
Cyanre Laboratories reported traces were found of phishing emails and other malware having been sent to Jacklin’s inboxes. But “no traces were found indicating that the malware had captured Mrs Jacklin’s online banking user credentials”.
Cyanre concluded “no evidence was found that the user had interacted or accessed the malicious URLs identified from the various email messages”.
The investigators’ findings were consistent with what Jacklin had asserted – she had not responded to emails requiring she share logon details or other security information.
This week Jacklin declined to answer Weekend Argus’s questions in the light of her agreement with FNB.
Earlier this month FNB reaffirmed to Weekend Argus the bank’s investigations had confirmed the “client’s login credentials were compromised and fraudsters gained access to her account”.
Michelle Scott, FNB’s digital banking spokeswoman, said the bank “takes the security of its customers very seriously” and is “continuously upgrading” digital security systems.
After Weekend Argus read the Cyanre report, additional clarifications were sought from FNB about the seemingly anomalous claims made by Claassen.
Scott conceded the Cyanre investigators “could find no evidence that the user had accessed the malicious URLs identified from the various phishing email messages”.
However, she said the report had stated that in the four months between the fraud and the Cyanre analysis, the malware might have been wiped by an anti-virus program that was run subsequently.
But Erin Plante, program director at Integrity Labs, told Weekend Argus: “An anti-virus would remove malware from a computer if the user ran a scan and chose to remove it. But this history would be tracked in the anti-virus program.”
Adrie Stander, program convener for postgraduate computer forensics at UCT, said it was relatively rare for forensic specialists to access evidence of phishing or engagement with other malware.
He said scans by cyber investigators were usually relatively superficial and malware often slipped through.
He said in a case like Jacklin’s the scan would “mainly look at browser history to determine the sites the user had visited”.
“If the user did visit a phishing site, there would often be clear indications of such a visit.” In such cases, the bank, having warned the client of the dangers of phishing, would not be liable and the user would carry some responsibility.
“The problem is, however,” Stander noted, “when they cannot find definitive evidence (which is often the case), the banks often speculate and accuse the user.”