It was late on a Thursday morning that a stranger called Laura Paris to tell her she was being robbed.
The stranger, a teller at Banco Nacional, asked if she knew anyone named Solís, whose bank account had just received a $2,133.85 transfer from Paris’ account. The teller, at the bank’s branch in Barrio Mexico, had thought it odd a scruffy-looking guy like Solís would have so much money to withdraw.
But by the time bank security sprang into action and stopped Solís, it was too late: Over the course of the previous 24 hours, Paris’ account had been drained through a series of 14 transfers to five different people.
$21,726.48, the operating capital for her auto repair business.
What’s more, she has almost no chance of getting it back.While Paris and her husband, Oscar Díaz, have filed reports with the Judicial Investigation Police (OIJ) and Banco Nacional, the country’s legal system has yet to figure out how to deal with Internet theft.
No convictions have been handed down yet for the crime. The OIJ has only a handful of agents working on hundreds of bankfraud cases.
At the same time, public banks generally blame victims for allowing their passwords to be stolen, and they can only legally reimburse victims if a court finds the banks negligent and orders them to, according to Banco Nacional spokesman José Francisco Araya.
But that’s not a good answer for Paris, Díaz, and their business partner, U.S. citizen Trevor Chilton. They say they are going to sue Banco Nacional. And they’re looking for others to join them.
Finding fellow travelers shouldn’t be too difficult. This year online bank fraud in Costa Rica has skyrocketed.
Minor Monge, head of OIJ’s bank crimes unit, estimates 400 complaints of online bank fraud have been filed so far this year, up from 120 in 2006.
“Last year, (the criminals) experimented, that is, they tried it out and found it easy.”
Monge said the vast majority of the crimes happen in public banks with “10, at the maximum” cases from private banks. Araya said Banco Nacional saw 120 cases of Internet fraud this year.
The cost so far has been staggering. At least $2 million disappeared from Costa Rican bank accounts this year.
The pattern is generally the same. The scammers get hold of a victim’s password and use it to quickly transfer large amounts of cash into several different bank accounts.
Then the bank account owners show up, make a withdrawal and disappear.
Banco Nacional, for one, is gearing up for a sort of arms race with the online bandits to stop the thefts before they occur by updating its online banking procedures at a cost of around $1 million.
This month, the bank will start requiring customers to change their passwords every 30 days, and it has lowered the default maximum daily transfer limit to ¢500,000 (about $1,000) from ¢6 million (about $12,000).
Next year, Araya said the bank will turn to more secure online banking methods like, for example, a two-password system where one password stays the same and the other is newly generated for every transfer and sent in an e-mail or a text message.
Other than raising awareness, Araya said, the bank can do nothing to stop the actual theft of the passwords. He and Monge chalk the password thefts up to “Tico culture” – a combination of Internet banking naivete and a tendency to use pirated software that isn’t very secure.
That, however, doesn’t help Paris and Díaz, who say they are not rookies – they have been doing Internet transactions for 15 years for their business, and use licensed software and up-to-date anti-virus programs.
“But the banks don’t take responsibility,” Díaz said. “They say it wasn’t their fault, period.”
Indeed, that was more or less how Araya responded when queried by The Tico Times: “The bank guarantees completely the security of its information system,” he said. “But it can’t guarantee the security of the connection, which is the Internet.”
Others have gotten the same reaction.
Ingrid Quesada, an office manager from Alajuela, lost $12,000 early last month after 12 bank transfers to two other accounts.
“Obviously, I presented the necessary claim to Banco Nacional and the OIJ,” she wrote in an e-mailed description of the events. “I haven’t received a response from anyone, but the bank warned me that in no case is the bank responsible, as they argue improper use of password.”
Quesada said she is considering joining a possible lawsuit, and hers is one of three other cases that Chilton has rounded up to bring a lawsuit against Banco Nacional. He said he wants to gather at least 10.
Araya says that legally, unless a judge finds the bank responsible, Banco Nacional can’t reimburse customers. He cited a legal principle linked to the country’s General Law of Public Administration, which says that public institutions are only allowed to do what is explicity authorized by the law.
Assuming the risk of its users’ Internet connections, Araya said, is not one of those things.
Likewise, Araya said the bank has to wait until OIJ completes an investigation even to return money that had been illicitly transferred but not withdrawn yet – as was the case with $4,000 of Paris’ money that Solís had been withdrawing when bank security stopped him.
And the wheels of justice turn slowly indeed, partly from a conspicuous lack of grease. Monge said there are only three OIJ agents working on bank fraud cases exclusively, plus five more from the Computer Crimes department.
Complicating things, many of the bank transfers are made from locations outside Costa Rica, which means the OIJ often must make a formal diplomatic request for information from foreign countries through the Foreign Relations Ministry – a process that takes eight to 10 months.
The OIJ wants to join an international team that would make the international exchange of information easier, but that and other expansions of the OIJ’s ability to fight cyber crime would have to go through the Legislative Assembly, meaning they could be years away.
In the meantime, Monge said there is literally “no possibility” that money stolen from bank accounts using the Internet would be recovered.
Paris and Díaz, for their part, have switched to using a bank account that cannot be accessed over the Internet.
“For a major holding account, if you want to sleep well at night there’s a simple answer,” Chilton said. “Do not have that account Internet linked.”
The greatest security threat these days is something called a “keylogger” – software that hides on a computer and records passwords and bank account numbers as you type them.
Some tips to avoid it:
• Never do your banking at an Internet café. You never know what could be on those computers.
• Always use updated and licensed software. Old or pirated version of Windows and other software are more likely to have security gaps.
• Never download e-mail attachments from strangers. Those attachments can contain dangerous software.
• Get a tune-up. Hire a technician you trust to give your system a sweep.