Fraud cases reveal online banking flaws
Sunday, 3 April 2011
There is a hole in the heart of business banking, exposing firms who bank online to serious risks of fraud, say some victims.
For 10 years, highly paid accountant Richard Watson was stealing from the Ross Group of companies.
Watson, who allegedly stole to feed a gambling habit, has admitted siphoning $5.5 million, and, although he has not yet been sentenced, he is in custody expecting at least six years in jail for the thefts, ranging in size from $50,000 to $210,000.
The Ross family, who fell victim to Watson's criminal activities, want to warn other business owners of what they see as 'fatal flaws' in the PC banking services offered by the big banks – fatal flaws they say have been exploited time and again by crooks stealing from their employers.
They say the more victims of corporate theft they meet, the more they believe the banks are failing in their duty to warn of the ways PC business banking is being used to commit crimes.
Watson worked for the Ross Group for over 30 years and was held in such high regard and trust by the Ross family that he was granted the status of 'superuser', a piece of PC banking jargon that meant he was authorised to make transactions and also had the power to change other users' passwords.
The Ross Group had set itself up to allow payments to be made to accounts outside of the group only when two people with PC banking authorisation logged in and authorised it.
As superuser, Watson, the Ross family claim, was able to temporarily 'assume' the identity of another employee to make transactions.
PC banking systems also allow users to enter payee details that do not match the account receiving the money, which enables thieves to make it look like a payment is going to a legitimate recipient, such as a supplier, when the account the money goes to belongs to somebody entirely different.
The Ross family claims that was how Watson got away with his thefts for so long.
They say other business owners they have spoken to who have been victims of fraud have had similar experiences, and the issues are common to all banks.
The Rosses say that, at the very least, PC banking systems should send out email notifications to users whose passwords have changed, so there would be an indication someone else was transacting in their names.
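One way to review a PC banking audit trail for the pattern the Ross family describes, as an added example that is not from the article or from any bank's system: it flags dual-authorised payments where one authoriser's password was reset by the other authoriser shortly beforehand. The event format, user names and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical format; not a real bank's log schema.
EVENTS = [
    {"ts": "2011-03-01T08:55", "type": "password_reset", "actor": "superuser1", "target": "clerk2"},
    {"ts": "2011-03-01T09:01", "type": "authorise", "user": "superuser1", "payment": "P100"},
    {"ts": "2011-03-01T09:03", "type": "authorise", "user": "clerk2", "payment": "P100"},
    {"ts": "2011-03-02T10:00", "type": "authorise", "user": "superuser1", "payment": "P101"},
    {"ts": "2011-03-02T11:30", "type": "authorise", "user": "clerk3", "payment": "P101"},
    {"ts": "2011-03-03T14:00", "type": "password_reset", "actor": "clerk3", "target": "clerk3"},
    {"ts": "2011-03-03T14:05", "type": "authorise", "user": "clerk3", "payment": "P102"},
    {"ts": "2011-03-03T14:06", "type": "authorise", "user": "clerk2", "payment": "P102"},
]

def suspicious_payments(events, window=timedelta(hours=24)):
    """Return payments where one authoriser's password was reset by a
    co-authoriser of the same payment shortly before they authorised it."""
    resets = []      # (time, actor, target) for resets performed on someone else
    approvals = {}   # payment id -> list of (time, user)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "password_reset" and e["actor"] != e["target"]:
            resets.append((ts, e["actor"], e["target"]))
        elif e["type"] == "authorise":
            approvals.setdefault(e["payment"], []).append((ts, e["user"]))
    findings = []
    for payment, auths in approvals.items():
        users = {u for _, u in auths}
        for auth_ts, user in auths:
            for reset_ts, actor, target in resets:
                # The reset must precede the authorisation and fall inside the window.
                recent = timedelta(0) <= auth_ts - reset_ts <= window
                if target == user and actor in users and recent:
                    findings.append({"payment": payment, "authoriser": user,
                                     "reset_by": actor, "reset_at": reset_ts.isoformat()})
    return findings

if __name__ == "__main__":
    for finding in suspicious_payments(EVENTS):
        print(finding)
```

Self-service password changes (P102) and ordinary two-person approvals (P101) are not flagged; only P100, where the second approver's credentials were reset by the first approver minutes earlier, is reported.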
Others believe there are deeper problems with PC business banking.
Another victim told the Sunday Star-Times that, in the old days when companies frequently required cheques to be signed by more than one person, employee theft was far less common.
Electronic banking brought in much faster transactions, but it also introduced new risk into the banking system, he said. One element is that the banks do not check that the stated payee and the account receiving a payment match for PC banking.
The banks should tell business owners that in explicit terms, he said, though if they did that, confidence in PC banking would collapse as people realised how it lacked 'any checks and balances'.
Banks, for their part, he said, merely point to their terms and conditions, which effectively say that businesses use the banks' services at their own risk.
BNZ, Ross Group's banker, responded to Star-Times' inquiries in a statement.
'For an employee to become a "superuser" they must be given written authority to administer the company's accounts by the accounts' owners. The Bank's PC Business Banking is extremely robust and there are clear rules around the disclosure and protection of passwords.
'We cannot comment in more detail because the matter is before the court.'
Private investigator Ron McQuilter said the electronic age had certainly made fraud within offices easier.
'Which is why we are seeing a rise in big number frauds within businesses.'
He said companies often did not do the simple things they should to make thefts harder, such as not allowing employees with the power to create invoices to also pay them.
TO CATCH A THIEF
Adopt the motto 'trust, but verify'. No one in your organisation should be allowed to operate without scrutiny.
Pay for annual external audits.
Do not allow those with the ability to create invoices to pay them.
Some thieves are brazen and arrive at work in new cars, or boast of 'investments' that paid off.
Corporate thieves often don't take holidays as they fear their dishonesty will be detected.
They may come in regularly at unusually early or late hours.
They are secretive about their work and do not like to be questioned by superiors.
Make sure all staff know they can 'whistleblow' in confidence.