Hacker takes 3 minutes to get your cash

Police warn internet banking unsafe; private accounts of 1.3 million Kiwis at risk

A NEW ZEALAND computer hacker has accessed the private bank accounts of dozens of unsuspecting Kiwis, showing how easy it is to break into our internet banking system.

The hacker installed software in a Wellington internet cafe that allowed him to gather the user names and passwords of people banking online at the cafe.

Details of the incomes, savings and spending patterns of numerous Westpac, BNZ, ANZ, ASB, National, Kiwibank and PSIS customers were accessed, and police are warning the 1.36 million Kiwis who bank online that it is a “very risky” way of banking.

It took the hacker just three minutes to install the hidden software last month, and in the following weeks he accessed accounts with balances totalling more than $500,000.

You are equally at risk at home, as the software can infiltrate your computer via a rogue virus in an email attachment or when you visit an apparently normal, but dodgy, website.

One bank has made a confidential settlement to one customer, an Auckland man, who lost $20,000 in one such sting last year.

The New Zealand hacker, known as “bofn”, gained access to the bank accounts to highlight the lax security around internet banking. He said he had tried to tell his bank how poor its security was compared with banks in Europe, but he got nowhere “waiting in telephone queues and being fobbed off by disinterested bank staff”.

He decided instead to use his computer skills to demonstrate the problem.

Consumers’ Institute director David Russell warns people to be “incredibly vigilant” at tracking their internet banking transactions because, “with the majority of big banks the system is not as secure as it should be”.

Banks acknowledge internet fraud is on the rise. Some have improved security, but Russell says others are “dragging their feet. They’ve got to do something about it, they’ve got to do something about it fast.”

The hacker was using a widely available “key-logging” programme that records every key typed on the computer. When anyone typed their bank’s web address, customer ID and password, these were automatically saved and emailed to the hacker.

The information he gained included:

  • The seven Westpac accounts of a Wellington computer consultant, containing more than $200,000, which showed where he shopped and ate, and transactions involving tens of thousands of dollars.
  • Details of customers’ private lives, such as the PSIS customer who could be followed through a dizzying series of bars, cafes and food outlets in Auckland and Wellington, and another PSIS customer who spent a quarter of his modest weekly income gambling mostly by direct credit to the TAB.

The key-logging technology has reportedly been used by American university students to find out exam questions on their lecturers’ computers, and jealous lovers have installed it to spy on their partners.

Police e-crime national manager Maarten Kleintjes says he has been urging banks “for years” to introduce systems that ensure internet banking is safe, but most have been slow to respond.

Kleintjes says the problem is that internet banking access relies on a simple password “which can easily be stolen”. Other countries use “two-factor identification” where, in addition to a password, the customer is given a new security password for each internet banking session.

Only two local banks, ASB and BankDirect, have a two-part identification system, where the customer is sent a text with a security password to use before transferring money.

Online bankers can follow the advice on bank websites about using anti-virus software to detect and avoid key-logging programmes on home computers, but the software provides no guarantees. Kleintjes says it is “unreasonable and unrealistic” to expect all customers to know how to do this. He said the banks should introduce safe systems that have been available overseas for years.