September 12, 2018 07:50:38
Adelaide musician Andrew Baldino had just returned from overseas when he discovered his bank accounts drained of money.
He first noticed something odd when he arrived home to find a new debit card. He called his bank and was invited into a branch to sign a statutory declaration stating he never ordered it.
“I’m there sorting out that fraudulent debit card and we look at my accounts on screen and I’m shocked.
“All this money has gone out of all my accounts the day before.”
Mr Baldino also had unauthorised transactions made through his eBay account while he was overseas, had an application for a $10,000 loan made in his name, as well as a credit application and a Telstra sim card ordered and sent to Victoria.
After dealing with his financial institutions to freeze his accounts, Mr Baldino contacted police.
They referred him to the Australian Cybercrime Online Reporting Network (ACORN), a portal that does not undertake investigations itself, but refers cases it deems suitable to law enforcement agencies for consideration.
Cyber crime on the rise
According to ACORN, scams or fraud were the top reported cybercrime in the April to June quarter, amounting to more than half of 13,687 reports made — up from 10,810 made during the same period two years ago.
It would not give details on how many of those reports were investigated or resulted in arrests. It referred the ABC to local law enforcement agencies which, in turn, referred enquiries to ACORN.
Banks such as the Commonwealth Bank (CBA) undertake their own investigations into scam claims and, if the customer is deemed not at fault, will refund a victim’s money.
“We invest in state-of-the-art fraud prevention and detection technology and have a dedicated team who actively monitor unusual or suspicious activity,” a spokesperson said.
However, if a customer had offered their password and account details to a third party, such as a password manager app, they may be considered at fault.
“Customers should never give their PIN, account details or NetBank details to anyone,” the spokesperson said.
“Likewise, they should only send money to people they know and trust.”
CBA is investigating Mr Baldino’s case and has confirmed with him that the transactions took place from his old iPhone 6, which he said had been stolen.
Cyber crime crossing borders
A spokesperson for the Australian Crime Intelligence Commission, which oversees ACORN, said cases were investigated based on the type of incident, where a suspect was located, and whether the report included “sufficient information about the offender”.
“Unfortunately, due to the nature of cybercrime, not all reports can be investigated,” she said.
“Many perpetrators are located overseas and often money cannot be recovered if sent via wire transfer services.”
Mr Baldino has since been contacted by South Australian Police, which said victims could still report fraud deception along with “ID crime and cybercrime” to their local police station.
But a spokesperson said ACORN was the preferred reporting method because it gave a bigger picture for authorities dealing with offences that crossed state and international boundaries and contributed to an intelligence database.
“Despite the challenges posed by investigating cybercrime, due to its borderless nature globally and in the cybercrime environment, SA police have had steady results in this space, both in terms of arrests and in preventing further victimisation,” she said.
“Also in connection with this type of crime, a number of people have faced charges in SA courts for allowing their bank accounts to be used to process money before it is sent offshore.”
‘IT security is dead’
Australian Privacy Foundation chair and University of NSW privacy and surveillance stream leader David Vaile said the concept of IT security was all but “dead”.
“You’ve got personalised attack tools that are generated on an industrial, automated AI scale, and the distribution of them is very, very sophisticated, often relying on things like botnets and malware, but also the human factor in scamming mechanisms,” he said.
Mr Vaile said ID fraud or theft, when a person’s authentication and validation credentials are compromised, was increasingly common, with much of it going unnoticed.
“It’s almost impossible to keep out a well-motivated intruder, partly because they’ve only got to find the slightest little loop or chink in the armour,” he said.
“No-one now can promise they can keep out motivated intruders, and the more networked things are, and the more centralised and automated they are, potentially the larger the rewards if you get through it.”
He said in the age of phone apps and online banking, there was a conflict underway between security and convenience.
“But the more secure something is, very often, the more inconvenient it is and the more demanding of the users,” Mr Vaile said.
One of the problems, he said, was IT security was invented by some of the “smartest people in the world” who can remember a lot of technical information in their heads such as multiple sets of numbers, complicated passwords and arcane commands.
“It doesn’t really work well with normal humans,” Mr Vaile said.
“But the idea you can use password management aids, which in themselves become vulnerable, a lot of people don’t want to do that.”
Transfer tactics bypassing detection
In Mr Baldino’s case, the thieves transferred large sums of money from his CBA accounts to his credit union account before transferring the money into unknown accounts.
Mr Vaile believes the initial transfer into Mr Baldino’s own credit union account meant the thieves were probably able to operate under the radar of CBA’s high-powered automatic detection technology.
What disturbed Mr Baldino most, however, was the fact the perpetrators had multiple conversations with his financial institutions while posing as him and had even managed to change his passwords.
“This person was able to palm themselves off as me,” he said.
“My biggest concern is someone hacked in in the first place, so how am I protected in the future?”
Tips to keep hackers out
There is a myriad of advice out there for people concerned about cyber security, but the key points are:
- Do not click on links in emails that look suspicious or are from people you don’t trust
- Never offer your passwords to anyone under any circumstances
- Memorise PINs and do not keep them with cards
- Periodically check your transactions for unauthorised or unusual payments
- Never give an unsolicited person remote access to your computer
- If you are contacted by somebody claiming to be from your bank, be suspicious and hang up if it doesn’t feel right, before calling the bank yourself.
A spokesperson from SAPOL’s Electronic Crime Section said that “broadly speaking, scams are on the rise across Australia, both in the number reported and the amount lost”.
“It is increasingly important that the community is aware of the activity of scammers in order to keep themselves, their data and their money safe.
“Anyone who believes they have been financially scammed should first contact their banking institution in order to prevent the further transfer of funds.
“Secondly, if a financial loss has occurred, they should report the matter to police via ACORN.”
September 12, 2018 07:06:59