[LINK] SMH: 'Citibank / NAB Fraud'

Scott Howard scott at doc.net.au
Thu Oct 20 09:41:34 AEDT 2011

As an Australian living in the US I have been through the "fax authority"
process with both of the banks listed here - and it really is a joke, at
least for NAB.

The process to set up a fax authority with NAB is to fill out a fax authority
form, and then mail it to them.  (i.e., no need to do it in person to confirm
identity).  Part of the form is that you need to provide the fax number that
your instructions will be sent from. Of course, that's not the actual
caller-id number, but the number programmed into the sending fax.  How's
that for security?

As I don't have a fixed fax number, I put "any" in the sending fax field,
and then gave specific instructions that they were to call me on a fixed
number to confirm all transfers.  Of the 2 NAB branches I did this to, one
outright refused to accept the form without a sending fax number.  Trying to
convince them that this number was trivially forged and pointless was a
losing battle, so I simply gave up.

Citibank on the other hand gave much more flexibility (e.g., I can email or fax
requests), but all transfers require a confirmation call to a fixed number,
including answering a number of security questions when they call.


On Wed, Oct 19, 2011 at 3:02 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:

> [We agonise over risk-managed authentication for Internet Banking and
> ePayments generally.  And so we should.
> [But six-figure transactions are still done using facsimile
> signatures - and in this case, they were 'facsimiles' in both senses
> of the word.
> [Do FIs never use the confirm-with-client approach, or the
> two-channel authorisation approach?]
> Citibank left with $500,000 fraud bill after impostor scam
> Leonie Lamont
> The Sydney Morning Herald
> October 20, 2011
> http://www.smh.com.au/business/citibank-left-with-500000-fraud-bill-after-impostor-scam-20111019-1m83q.html
> CITIBANK has been left $500,000 poorer and the National Australia
> Bank has been spared the financial embarrassment of an international
> fraud perpetrated on it by an impostor, according to an intriguing
> judgment in the NSW Supreme Court.
> The incident happened in November 2010, when Citibank's Sydney branch
> received a fax purporting to be from client William Co-Buchong,
> instructing the transfer of $US500,000 from his multi-currency at
> call account, to an NAB account jointly held in his name.
> Using the SWIFT international clearing house system of international
> funds transfers, Citibank transferred the money to the NAB account. A
> few days later, NAB's World Square branch received faxes of three
> international telegraphic transfer application forms, each ostensibly
> signed by Mr Co-Buchong.
> The first form, dated in October, requested a transfer of $15,000 to
> an HSBC Hong Kong account for a Ma Susana Velarde Palon, who had a
> Philippines address.
> The second and third forms, dated November, both requested $225,0000
> transfers to HSBC Hong Kong accounts held by Rosy Teresa Mendoza and
> Molina Rommel Tuazon, also from the Philippines.
> The NAB assistant branch manager checked the signature on the forms
> against Mr Co-Buchong's signature on its verification system, and as
> there were sufficient funds, transferred the sums.
> However, the faxed instructions to both banks were false. Justice
> David Hammerschlag said Mr Co-Buchong, and the joint signatory on his
> NAB account had sued the banks, and had since settled and had their
> money returned.
> All that remained was the cross-claims between the banks as to who
> should bear the loss.
> ''This involves the question whether Citibank is entitled to be paid
> back the money it paid over to NAB,'' Justice Hammerschlag said.
> After canvassing contradictory legal case history, he concluded:
> ''Both parties were duped. However, Citibank paid out first without
> the customer's authority, as a result of which NAB credited the
> customer's account, rendering it vulnerable to the fraud to which it
> succumbed.
> ''In these circumstances and where neither party criticises the other
> for falling for the fraud, it would lead to an inequitable result
> were Citibank to be made whole at the expense of NAB.''
> Judy Hitchen, a spokeswoman for Citibank said the customers were
> ''the unfortunate victims of a sophisticated identity theft''.
> ''The court noted that there was no allegation of negligent conduct
> or failure by the banks to meet relevant banking standards. In fact,
> through verification and control systems in place at the time, we
> were able to constrain the losses by detecting and preventing a
> subsequent attack on the customers' account,'' she said.
> ''Banks are acutely aware of the growing sophistication of fraudsters
> and their ability to obtain detailed personal information of
> individuals.  Citibank is constantly reviewing and enhancing its
> controls to reduce the incidence of fraud and reminds consumers to be
> ever vigilant in the protection and security of their personal
> information.''
> The case is being investigated by Australian and overseas police.
> --
> Roger Clarke                                 http://www.rogerclarke.com/
> Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>                    Tel: +61 2 6288 1472, and 6288 6916
> mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/
> Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
> Visiting Professor in Computer Science    Australian National University