GEORGE NEWS - Arbour Lodge owners Bill and Marion Ashmole lost R15 000 from their Standard Bank account through online fraud in November last year.
Not only was the loss traumatic, but the couple, who have been clients of the bank for more than 30 years, are terribly disappointed in the way they are being treated by the bank's head office.
Countless e-mails and calls to the call centre, visits to the local branch, and efforts to lay a complaint with the banking ombud have brought them no nearer to a response to their many unanswered questions about the incident.
They allege that the bank is shrugging off any responsibility.
The money in their Standard Bank account was transferred to an unknown beneficiary on 3 November.
Mrs Ashmole had earlier in the day opened an e-mail which appeared to be from Standard Bank, and was subsequently verified by several George branch staff as having the correct Standard Bank logo.
The e-mail stated that it was a proof of payment (which they were expecting for a booking).
Mrs Ashmole clicked on the attachment, as she had done in the past to open their monthly bank statement and other payment notifications.
It took her to a fake Standard Bank website where she was prompted to type in her username and password.
Later, when she logged into their account, she discovered to her horror that the money had been transferred to a Capitec account.
Mr Ashmole says that no OTP (one-time password) was entered into their computer, as the bank is alleging.
"When my wife opened the e-mail, she did not need an OTP. The phone was with me."
Their journey from then on, trying to obtain information from the bank's fraud department, was a nightmare.
Four days after they informed the bank of the incident, an official called to say that the case was closed and the bank was not taking any responsibility. The bank was able to recover only R240.
The Ashmoles allege that, over the following months, their e-mails and requests for answers were bluntly ignored.
"Head-office treats me as if I do not exist. We want to know how a third party was able to create himself a beneficiary and transfer R15 000 from our account."
The banking ombud also did not respond to his faxed complaint in December, nor to several subsequent e-mails, one of which was sent to the ombud via the Standard Bank George branch manager, Susan Leendertz.
Standard Bank responds
Responding to a query from the George Herald, Standard Bank wrote, "The customers were the victim of internet banking fraud and unfortunately compromised their private and confidential sign-on credentials to the fraudsters.
"By the time the fraud was reported, most of the funds had been withdrawn by way of ATM cash withdrawals, and the amount refunded to them was the amount secured from the beneficiary accounts."
Ombud denies complaint
The ombud spokesperson, Karin van Rooyen, told the newspaper that no record of the Ashmoles' complaint could be found on their system.
This is contrary to documentation that the Ashmoles supplied to the newspaper.
Among other things, they completed and submitted the complaints form three times.
It was only after the ombud received the Ashmoles' documentation from the George Herald that Ronél van der Merwe, manager of case processing, informed the Ashmoles that a formal file had been opened and the matter had been escalated to the investigations department.
The suspected fraudulent e-mail was a proof of e-payment from Standard Bank and the attachment was opened by Mrs Ashmole.
'Flaw in bank system'
A local systems analyst and IT geek, Werner Ekron, says the fraudulent transaction on Bill and Marion Ashmole's bank account could not have been executed through a SIM swap as their cellphone is still working with its original SIM card.
"Victims of online banking fraud often seem to believe that their money was stolen by means of a SIM swap, as that is the common answer given to them by the banks.
"The reality is that once a SIM swap was done, your current SIM card becomes inactive and you cannot swap back again."
The one-time PIN (OTP), part of the bank's dual-layer security that enables the account holder to create a new beneficiary or perform a once-off payment, must have been diverted to another cell number or e-mail address.
According to Ekron, this indicates a flaw in the bank's internal security systems.
"Even though the fraudster did get hold of the Ashmoles' password and PIN, all he could do with it was to access their account to view their balance and make payments to existing beneficiaries.
"To execute the fraudulent transaction, he had to get hold of the OTP. This OTP was intercepted and not sent to the Ashmoles' phone as the bank alleges.
"The fraudster had to have help from inside the bank, because the Ashmoles' account profile was 'updated'. The destination (cell number or e-mail) where the OTP had to be sent to, was changed.
"I suspect that the OTP was sent to an e-mail address.
"Afterwards, the Ashmoles' e-mail address on their account was again changed - to dummy@dummy.co.za," says Ekron.
André Jonker, head of personal banking at Standard Bank Western Cape, promised in the presence of the Ashmoles and the George branch manager, Susan Leendertz, that he would supply Ekron with the IP address of the computer that logged into the Ashmoles' bank account, as well as the IP address of the device on which the OTP was typed in.
At the time of going to print, the bank's spokesperson had not responded to the George Herald's query regarding this promise.
The IP address can with some effort be traced through the relevant internet service provider.
Ekron says this seems to be the next logical step as the Fica system has failed to identify the owner of the account that the funds were transferred to.
"The bank advertises a double level of security. The first is the client's password and PIN, and the second the OTP. In this case, I believe the bank's second level of security failed the client."
It is possible for banks to put systems in place (and some of them do) that recognise the age of a SIM card.
"If it is a new SIM card, the bank system should not send the OTP."
Furthermore, there are ways that banks can enable their clients to verify that they are indeed logging onto the authentic web site of their bank when they do internet banking.
"Currently it is possible to copy a web site and create a fake version to gain access to your username and password. Banks can and must do more to up their security."
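The SIM-age check mentioned above, and a check for the kind of OTP-destination change Ekron describes, can be combined into one decision taken before an OTP is released for a new beneficiary or once-off payment. The code below is an added example, not code from Standard Bank or any other bank; the field names, the 72-hour thresholds and the sample requests are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy thresholds (illustrative, not any bank's real values).
MIN_SIM_AGE = timedelta(hours=72)
MIN_CONTACT_AGE = timedelta(hours=72)
HIGH_RISK_ACTIONS = {"add_beneficiary", "once_off_payment"}

@dataclass
class OtpContext:
    """Facts available when an OTP is requested (hypothetical field names)."""
    action: str                            # what the OTP would authorise
    requested_at: datetime
    sim_activated_at: datetime             # from a mobile-operator SIM-age lookup
    otp_destination_changed_at: datetime   # last change to OTP cell number / e-mail
    destination_change_verified: bool      # confirmed via old destination or in branch

def otp_release_decision(ctx):
    """Return ("send" | "hold", reasons).

    "hold" means the OTP is not sent; the request goes to out-of-band
    verification with the account holder instead.
    """
    reasons = []
    if ctx.action in HIGH_RISK_ACTIONS:
        # A freshly activated SIM may be the result of a SIM swap.
        if ctx.requested_at - ctx.sim_activated_at < MIN_SIM_AGE:
            reasons.append("sim_recently_activated")
        # An unverified profile update just before the request may mean the
        # OTP would be delivered to someone other than the account holder.
        recent = ctx.requested_at - ctx.otp_destination_changed_at < MIN_CONTACT_AGE
        if recent and not ctx.destination_change_verified:
            reasons.append("otp_destination_recently_changed")
    return ("hold" if reasons else "send"), reasons

# Constructed sample requests (not taken from the case reported here).
NOW = datetime(2024, 1, 10, 14, 0)
OLD = NOW - timedelta(days=900)
SAMPLES = {
    "normal": OtpContext("add_beneficiary", NOW, OLD, OLD, True),
    "new_sim": OtpContext("add_beneficiary", NOW, NOW - timedelta(hours=2), OLD, True),
    "profile_updated": OtpContext("add_beneficiary", NOW, OLD,
                                  NOW - timedelta(minutes=20), False),
}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print(name, otp_release_decision(ctx))
```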