[LINK] SMH: 'Citibank / NAB Fraud'

Roger Clarke Roger.Clarke at xamax.com.au
Thu Oct 20 09:02:38 AEDT 2011

[We agonise over risk-managed authentication for Internet Banking and 
ePayments generally.  And so we should.

[But six-figure transactions are still done using facsimile 
signatures - and in this case, they were 'facsimiles' in both senses 
of the word.

[Do FIs never use the confirm-with-client approach, or the 
two-channel authorisation approach?]

Citibank left with $500,000 fraud bill after impostor scam
Leonie Lamont
The Sydney Morning Herald
October 20, 2011

CITIBANK has been left $500,000 poorer and the National Australia 
Bank has been spared the financial embarrassment of an international 
fraud perpetrated on it by an impostor, according to an intriguing 
judgment in the NSW Supreme Court.

The incident happened in November 2010, when Citibank's Sydney branch 
received a fax purporting to be from client William Co-Buchong, 
instructing the transfer of $US500,000 from his multi-currency at 
call account, to an NAB account jointly held in his name.

Using the SWIFT international clearing house system of international 
funds transfers, Citibank transferred the money to the NAB account. A 
few days later, NAB's World Square branch received faxes of three 
international telegraphic transfer application forms, each ostensibly 
signed by Mr Co-Buchong.

The first form, dated in October, requested a transfer of $15,000 to 
an HSBC Hong Kong account for a Ma Susana Velarde Palon, who had a 
Philippines address.

The second and third forms, dated November, both requested $225,0000 
transfers to HSBC Hong Kong accounts held by Rosy Teresa Mendoza and 
Molina Rommel Tuazon, also from the Philippines.

The NAB assistant branch manager checked the signature on the forms 
against Mr Co-Buchong's signature on its verification system, and as 
there were sufficient funds, transferred the sums.

However, the faxed instructions to both banks were false. Justice 
David Hammerschlag said Mr Co-Buchong, and the joint signatory on his 
NAB account had sued the banks, and had since settled and had their 
money returned.

All that remained was the cross-claims between the banks as to who 
should bear the loss.
''This involves the question whether Citibank is entitled to be paid 
back the money it paid over to NAB,'' Justice Hammerschlag said.

After canvassing contradictory legal case history, he concluded: 
''Both parties were duped. However, Citibank paid out first without 
the customer's authority, as a result of which NAB credited the 
customer's account, rendering it vulnerable to the fraud to which it 
''In these circumstances and where neither party criticises the other 
for falling for the fraud, it would lead to an inequitable result 
were Citibank to be made whole at the expense of NAB.''

Judy Hitchen, a spokeswoman for Citibank said the customers were 
''the unfortunate victims of a sophisticated identity theft''.

''The court noted that there was no allegation of negligent conduct 
or failure by the banks to meet relevant banking standards. In fact, 
through verification and control systems in place at the time, we 
were able to constrain the losses by detecting and preventing a 
subsequent attack on the customers' account,'' she said.

''Banks are acutely aware of the growing sophistication of fraudsters 
and their ability to obtain detailed personal information of 
individuals.  Citibank is constantly reviewing and enhancing its 
controls to reduce the incidence of fraud and reminds consumers to be 
ever vigilant in the protection and security of their personal 

The case is being investigated by Australian and overseas police.

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list