Sunday, May 4, 2014

Abney Associates Tech Blog: Technology law will soon be reshaped by people who don't use email

The US Supreme Court doesn't understand the Internet. Laugh all you want, but when NSA, Pandora and privacy cases hit the docket, the lack of tech savvy on the bench gets scary

Internet radio, out-of-control software patents, online posts as protected speech and secret NSA orders could all turn up at the Supreme Court in the near future. Illustrations: DonkeyHotey / Flickr via Creative Commons (justices and seal); Electronic Frontier Foundation (NSA)

(TheGuardian) - There has been much discussion, and derision, of the US Supreme Court's recent forays into cellphones and the Internet, but as more and more of these cases bubble up to the high chamber, including surveillance reform, we won't be laughing for long: the future of technology and privacy law will undoubtedly be written over the next few years by nine people who haven't "really 'gotten to' email" and find Facebook and Twitter "a challenge".

A pair of cases that went before the court this week concern whether police can search someone's cellphone after an arrest, but without a warrant. The court's decisions will inevitably affect millions. As the New York Times editorial board explained at the end of the arguments, "there are 12 million arrests in America every year, most for misdemeanors that can be as minor as jaywalking." Over 90% of Americans have cellphones, and as the American Civil Liberties Union argued in a brief to the court, our mobile devices "are in effect our new homes".

Most people under 40 would probably agree that the police should never have the right to rummage through our entire lives without a purpose based on probable cause. Yet during arguments Justice Roberts insinuated that police could reasonably suspect a person carrying two cellphones of being a drug dealer. Is he not aware that a large part of the DC political class he associates with, including many of his law clerks, carries both a personal and a company phone, daily? The Chief Justice of the Supreme Court of the United States may have proved this week that he can throw out tech lingo like "Facebook" and even "Fitbit", but he is trapped in the closet from reality.

The Supremes tend to do better on tech cases when they avoid engaging directly with the actual technical substance of the technology. They were praised for ruling, 9-0, two years ago that police need a warrant to place a GPS tracker on someone's car. Even then, though, Justice Alito ridiculed Justice Scalia's controlling opinion for deciding such a modern case "based on 18th-century tort law".

When it comes to the future of tech policy in the US, this week's cellphone arguments are just the tip of the iceberg. Right now the FBI is engaged in all varieties of warrantless surveillance, using a range of devices. Most critically, the agency believes it can get our cellphone location information, which reveals the most intimate details of our lives, without a warrant. The sharp split in the lower courts will only grow stronger over the next year.

Other cases funneling through the system address the question of whether police can force you to hand over the password to your devices. Given that the right not to incriminate oneself is spelled out in the Fifth Amendment, and given the parallels between login credentials and other information stored in your head, forced decryption would seem antithetical to the Constitution. But in cases involving encrypted hard drives, the government has argued otherwise.

That's not all: Internet radio, out-of-control software patents, and whether online posts should be judged the same as traditionally protected speech could all bubble up to the high court soon.

And remember, just months before Edward Snowden became a household name, the ACLU was before the Supreme Court arguing that the Fisa Amendments Act, one of the primary laws at the center of the NSA scandal, was unconstitutional. The court cowardly dismissed the case 5-4 on "standing" grounds, and never ruled on the merits. One of the first things Snowden reportedly said after his revelations, when the ACLU became his lawyers, was: "Do you have standing now?"

Do they ever. Thanks to Snowden's revelations, several other lawsuits (25, by The Verge's count) have cropped up across the country. Even NSA defenders, who this year tried to prevent the courts from ruling on the subject, are suddenly suggesting the Supreme Court should weigh in, hoping it is their only way out.

Tellingly, the NSA's legal house of cards is pinned to a terribly outdated case from 1970 which ruled that the government can get the phone records of a single suspect under active investigation, for a short period. The government has morphed that to mean it can collect all kinds of metadata, on everyone, always.

The good news is, if the justices can avoid fixating on technical details (which they very clearly don't seem to understand), the Roberts court may still arrive at the right decision. After chiding the justices over Aereo, Vox's Tim Lee argued it is actually good that the justices are not technically savvy, because it allows them to see the big picture, citing that they have "done a remarkably good job of crafting a sensible body of patent and copyright law in recent decades". (They also delivered an encouraging decision on patent trolls just this week.)

There is evidence in recent privacy opinions that at least some of the justices understand how technology is used, even if they don't use it themselves. As Justice Sotomayor wrote in her concurring opinion in the GPS case:

"It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties ... This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."

Encouragingly, Justice Kagan made similar comments this week.

But as the Electronic Frontier Foundation's Parker Higgins convincingly argues, it is not the justices' lack of personal experience with technology that is the problem; it is their tendency not to understand how people use it. Back to Justice Roberts' worry about villains with two phones: if he really is unaware of how common the behaviour is (he certainly doesn't watch Breaking Bad), that suggests a large gap in his understanding of society.

This lack of basic understanding is alarming, because the Supreme Court is really the only branch of government poised to confront one of the great challenges of our time: catching our laws up to the pace of innovation, defending our policies against the sprint of surveillance. The NSA is "training more cyberwarriors" as fast as it can, but our elected representatives move at a snail's pace when it comes to the Internet. The US Congress has shown itself unable to pass even the most uncontroversial proposals, let alone comprehensive NSA reforms: the legislative branch can't even get its act together long enough to pass an update to our primary email privacy law, which was written in 1986, before the Internet had been invented.

So the future of our privacy and our technology lands at the feet of a handful of tech-unsavvy justices. Future nominees to the bench should be questioned on their knowledge of technology at confirmation hearings. And while many have made the argument that the secret Fisa court should hire a technologist to explain technical issues to the less technical judges, the same can be said of the Supreme Court. It's time to get online already.

Friday, May 2, 2014

PC Speak: Abney Associates Tech Blog: What Can Go Wrong When Firms Use Your IP Address Against Fraud

All the worries stirred up by the Heartbleed security flaw highlight why it makes good sense to take precautions with personal data. But sometimes companies erect security barriers so high that they shut out even their own clients.

I recently went online to our Schwab account and requested a wire transfer. After a delay and a second request, followed by verification by telephone, several days passed without any money transfer.

Schwab then said: “In order to complete your request please go to one of our branches and bring a picture ID with you.” In a follow-up call, an agent explained that the company grew suspicious based on a computer IP address — the identifying number given to a computing device — that did not match the location they expected.

I had logged in from home, but I was using a secure browser called Authentic8 Silo which masked my location (I’ve recently written about secure browsers here). I turned to experts to learn more about what had happened.

“I am surprised that mainstream companies are relying on that as a security measure, because I think the mechanism is incredibly brittle,” said Scott Petry, Authentic8’s co-founder and CEO. “If you go and travel around, it’s standard operating procedure for you to be picking up different IPs in different regions.”

Yet Schwab is far from alone in its practices. Security experts say companies routinely scope out your IP address whenever you visit their websites.

“Using IP address to prevent fraud and risky web activity is a widespread practice and you can expect almost everybody from online stores to social networks to banks are doing it,” said TJ Mather, president of MaxMind, which offers companies IP intelligence and online fraud prevention tools.

In the last five to eight years, companies have increasingly employed “confidence ranking” filters in which IP address and other data help them set fraud alerts, said Mark Bregman, chief technology officer at Neustar, which helps firms with IT security.

“Companies use a variety of methods for fraud detection, including browser header information, confirming account registration data matches, cookies, device fingerprinting, and for mobile users, device location,” he said. “This multi-tiered approach is appropriate because each method has its weakness. For repeat customers, companies will look for consistent behavior and information.”

Added Mather: “Session analysis is also used to do things like looking at the web pages a user navigated through before logging in or looking at the time users take to perform certain actions to identify anomalous behavior.”

Despite several phone calls and days of delay, Schwab remained suspicious and kept the account frozen. A traditional signed letter sent by mail did not assuage those fears. Only a visit to a Schwab office, even if one does not live in a town with a Schwab office, would resolve the issue, they said.

“We sincerely regret that certain circumstances that require a client to provide verification within a branch office may cause some inconvenience, but it’s a measure we sometimes have to take for the client’s own protection,” said Sarah Bulgatz, a Schwab spokeswoman.

Of course companies must take security precautions to prevent fraud. Yet in the future I expect that more people will turn to VPNs and secure browsers that provide websites less information, as users take more control over the flow of their own data. So IP address checks may become ever less accurate.

As for Schwab, it took several hours to travel to and from its office to prove that their warning flags had misfired. Because other banks and brokers rely on similar techniques, it is possible the same set of circumstances could have happened with them. Yet the episode had soured the relationship. Perhaps somewhat impetuously, on Friday, we liquidated the account.

Alienating clients is not inevitable, especially if companies adopt better fraud detection methods. Chip Witt, director of product management, enterprise & OEM at security company Webroot, suggests two-factor authentication is ultimately the best approach for Internet security.

“Client certificates are a more efficient way to identify individual users than an IP address, as the certificate gets installed on the device, and does not change as the location and IP address does,” he said. “Neither certificates nor IP-based user identification address the other concern in a mobile world: a lost or stolen device. An increasingly popular way to positively affirm identity is to use two-factor authentication.”

“This, as it turns out, is also one of the more flexible and mobile friendly approaches, as it relies on something the user knows, their username and password, and something the user has, a secure token generator (or a mobile device that can receive tokens via SMS or mobile app).”

Thursday, May 1, 2014

PC Speak: Abney Associates Tech Blog: Protecting your identity


Globally, cybercrime costs hundreds of billions of dollars each year and it comes in many forms, from computer hacking to phishing scams.

At the forefront of the fight is the U.S. Secret Service.       

While law enforcement is trying to stay on top of it, people are urged to do their part because in the end it's the consumers who will foot the bill.

A listing of stolen credit card numbers was found last month when authorities searched two homes on Quiet Way in Louisville.

"I'll be pretty conclusive -- it probably came from a recent data breach," said Paul Johnson with the U.S. Secret Service. "In this case we hit the mother lode."

According to Johnson, who heads up the Louisville Secret Service Office, the paperwork, an encoder, and a laptop -- everything needed to wreak havoc on someone's credit -- were in a child's backpack.

"Stolen credit card numbers get re-encoded on a re-encoding device. You go to a legitimate store and you want to start buying as many of these as you can," Johnson said.

Johnson said thieves load gift cards, then sell them at pawn shops for 50 cents on the dollar.

In the case on Quiet Way, three men and a woman, described by authorities as Cuban and Mexican nationals, were arrested. All pleaded not guilty.

The Secret Service said it was just one of many identity theft scams.

For example, in March, Darnell Brown and Tierra Be'ans each received 42 months in federal prison for fraud and ID theft.

Phony Georgia driver's licenses were seized.

Police said surveillance video caught the couple buying merchandise at retailers using credit cards obtained by using phony IDs. The total loss to retailers in that case was more than $17,000.

"Criminals want your identity. Protect it with everything you have," Johnson said.

Sometimes victims can't see it coming.

It was recently discovered thieves installed skimmers at a New York City subway station to steal card numbers as tickets were being purchased. A tiny camera captured people typing in personal identification numbers.

Johnson said everyone has to stay vigilant.

"The public should be checking their credit rating. They should go to one of the three credit reporting companies and is anyone taking out credit in their name that they are aware of," Johnson said.

Johnson said if you see a person in a self-service checkout line of a store loading up gift cards, report it to a clerk or police.

Clerks should also check to see if the numbers on the receipt match the last four numbers on the credit card.

Beware of phishing scams, either by the phone or in emails.

"It's important for individuals to take responsibility for himself. Your identity is something people want. Your credit card number is something people want. You have to protect yourself. Police cannot do that for you," Johnson said.



Wednesday, April 30, 2014

PC Speak: Abney Associates Tech Blog, Online fraud risks: protect yourself


The internet is such a part of everyday life that we don't even think about it any more. It's no more exotic and unexpected than having water coming out of the taps. However, unlike the water coming out of our taps, the internet isn't always pure and clear. And by using it without taking the proper precautions, we could find ourselves becoming the victims of online fraud.

So how can we protect ourselves?

CIFAS, the UK's fraud prevention service, discovered that in the last year, card fraud and identity theft had surged - with over 125,000 separate instances. A significant proportion of these frauds are perpetrated because people don't take sufficient precautions online. So what do you need to be aware of, and how can you protect yourself?

Experian has produced 5 top tips to stay safe online.

Beware of phishing expeditions
These involve emails or phone calls which come out of the blue, and persuade you to part with your credit card details or bank account information. There are a number of common approaches.

One is to pretend to be from your bank or card provider, asking you to log on and verify your identity. If you click on the link they have sent, you'll be sent to a site run by fraudsters, who will collect the information you input and use it to take your money. Others will use a likely-sounding story, such as telling you you have a PPI repayment waiting or a tax rebate.

Experian says that your best approach is to assume that all emails asking for confidential data are scams. If you receive an email you should contact the organisation involved to let them know about the scam - using email or phone details you have elsewhere rather than the link on the email.

Don't be a Twit
Be careful about what you reveal through social media. It can be easy to post photos of valuable possessions, complain about your bank by name, boast about a forthcoming holiday or mention pet names, your mother's maiden name or anything else you may have used as a password. There are plenty of people out there - including your 'friends' or people posing as them - who would use this to access your email, infiltrate online banking, or even burgle your home while you're away.

Be wary of wi-fi
It might be a useful way to buy something on the hoof, or check your bank balance, but there can be nasties hiding in public wi-fi when you're out and about - and your every online move can be watched.

Experian says it's worth being wary: avoid banking online on public wi-fi, and steer clear of any sites that need a password - from banks to social networks.

Check your statements
If a fraudster has taken over your account, or accessed your credit card, your statement is the first place it will show. Experian says that fraudsters are increasingly taking smaller amounts from their victims on a regular basis rather than a one-off hit. If you don't check your statements, it's easy to miss this. One of the best approaches is to go through every single transaction and only tick them off when you're absolutely sure you know what it is.

Tuesday, April 29, 2014

PC Speak: Abney Associates Tech Blog, Hacker claim about bug in fixed OpenSSL likely a scam

Hackers claim to have found a new vulnerability in the cryptographic library as serious as Heartbleed, and are selling it for 2.5 bitcoins

Security experts have expressed doubts about a hacker claim that there's a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.

A group of five hackers writes in a posting on Pastebin that they worked for two weeks to find the bug and developed code to exploit it. They've offered the code for the price of 2.5 bitcoins, around $870.

A new flaw in OpenSSL could pose just as much of a threat as Heartbleed did. But the hackers' claim was met with immediate suspicion on Full Disclosure, a forum for discussing vulnerability reports.

One commentator, Todd Bennett, wrote that the technical description of their claim is "rather extraordinary."

The open-source OpenSSL code is used by millions of web sites to create encrypted communications between client computers and servers. The flaw disclosed in early April, nicknamed "Heartbleed," can be abused to reveal login credentials or a server's private SSL key.

More than two-thirds of the websites affected by the flaw have patched OpenSSL, according to McAfee.

The hackers said they've found a buffer overflow vulnerability that is similar to Heartbleed. They claim they've spotted a missing bounds check in the handling of the variable "DOPENSSL_NO_HEARTBEATS."

"We could successfully overflow the 'DOPENSSL_NO_HEARTBEATS' and retrieve 64kb chunks of data again on the updated version," they wrote.

They have not published their exploit code, so there is no way to verify their claim. The group provided an email address for questions, but did not immediately respond to a query.

A Google search showed the same email address has been used in other offers for data on Pastebin. In March, it was used in a Pastebin posting advertising a trove of data from Mt. Gox, the defunct Tokyo-based bitcoin exchange that was hacked.

The same advertisement also offered database dumps from "carding" websites, or those selling stolen credit card data, and data from CryptoAve, another virtual currency exchange that's been attacked by hackers. Scammers often try to make money by falsely claiming they have data of interest to the hacking community.

The Heartbleed flaw has since touched off an effort to strengthen the security of widely used open-source products. The OpenSSL Project, for example, had just one full-time employee and only received about $2,000 in donations annually despite its critical role in protecting communications.

On Thursday, a group of technology companies and organizations launched the Core Infrastructure Initiative, a project intended to generate funds for full-time developers on important open-source products.

The group's participants include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.

Monday, April 28, 2014

PC Speak: Abney Associates Tech Blog: Online Debit, Credit Fraud Will Soon Get Much Worse


I’m not much of a Nostradamus, but one thing I can predict with near certainty is that this time next year we are likely to find ourselves witnessing an all-time high in the rate of online credit and debit card fraud. Ironically, that surge in online theft will be the result of efforts to make the offline use of credit and debit cards more secure.

By Oct. 1 of next year, retail establishments are supposed to be able to accept new credit and debit cards that have a chip embedded and require the use of a PIN when making purchases at the checkout counter. The point is to make the cards smarter so that financial institutions can better detect fraudulent usage. Requiring a PIN clearly adds a layer of identification and protection that can deter such fraud.

How do we know that this effort to increase security at the point of sale is going to actually drive online fraud? We already saw it happen in Europe.

In 2002, European financial institutions started rolling out these very same cards and point-of-sale terminals. We call this technology EMV (Europay, MasterCard and Visa). Financial institutions intend to make EMV a global standard for authenticating credit and debit card transactions using integrated chip technology.

This technology has now been partially or fully deployed in about 14 countries and regions, including most Asian Pacific nations, all of Europe, most of Latin America and the Caribbean. Every country and region in which EMV has been deployed has seen a corresponding surge in online fraud.

Four years after beginning the deployment of cards and new point-of-sale terminals, about 99 percent of businesses and consumers were utilizing EMV. No doubt the cards were effective at cutting offline abuse. Before EMV, Europe saw fraud losses in stores of about 13 basis points of net sales. After EMV, the offline fraud rate plummeted to just 3.5 basis points, according to Douglas King in the study, “Chip-and-Pin: Success and Challenges in Reducing Fraud.”

However, the online world was a fraud nightmare. Online credit and debit card fraud rates more than doubled from the pre-EMV days. In 2004, Europe had an online credit and debit card fraud rate of 25 percent. By 2010, the rate had soared to 64 percent. Further, the European Central Bank’s February 2014 report on card fraud found that card-not-present (CNP) payments, i.e. payments via the internet, post or phone, were the source of 60 percent of total fraud incidents across Europe in 2012. With about $1.1 billion in fraud losses in 2012, CNP fraud showed the highest growth rate, up 21.2 percent from 2011, and analysts project this growth rate will continue to increase in 2013 and 2014.

Making credit and debit cards smarter made the crooks smarter. They stopped using cards with EMV technology in brick-and-mortar stores. Even the thieves knew that using one of the new EMV cards in a store was quickly going to get the card shut down.

So they doubled their efforts at stealing online, where the chips in cards did no good when all that was required were card numbers. Additionally, the bad guys shifted more of their nefarious online activity to foreign countries where it’s even harder to tell a legitimate card user from a thief.

When EMV technology was established, the crooks also started targeting debit cards over credit. Most debit cards use the magnetic stripe and therefore behave like credit cards without the chip and pin, making it easier for fraudsters to exploit both offline using the swipe and online using the debit card number.

Some will probably ask why online retailers don’t just require a PIN for all purchases as in-store clerks do with EMV. We may see more of that kind of adoption here in the U.S. than we’ve seen in other countries that saw this surge in online fraud, even as offline fraud declined. However, putting any barrier to check out in the ecommerce world means a lot of full shopping carts that never make it to purchase.


Friday, April 25, 2014

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps than fraudsters were teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mohan said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.