Bank of the Cook Islands customers have been left out of pocket as hackers have been at work making illegal transactions on their accounts.

One BCI customer, who wished to remain anonymous, said his account had been targeted several times by hackers in the past five years, and that it could take up to six months to be reimbursed the missing funds.

He estimated a total of $1500 had been illegally withdrawn from his accounts in that time, most recently about $500 in two transactions made about three months ago.

It was frustrating and embarrassing at times, he said, especially when making transactions, only to find he was short on funds.

Transaction records showed hackers had used his money for a variety of purchases, including general shopping items and movie tickets overseas.  

On Tuesday, Bank of the Cook Islands chief executive officer Vaine Nooana-Arioka referred Cook Islands News to a paid statement after the newspaper addressed the bank with questions on Monday.

The newspaper asked how many customers had been affected, the exact problem, what had so far been identified, when was it identified, what was being done to fix it, and a ball park figure on the amount of funds reported missing.

In the statement, Nooana-Arioka confirmed Vaka debit card Mastercard cardholders had been targeted in a bin attack on Mastercard late last week.

Hackers impersonated card details to make illegitimate transactions.

Nooana-Arioka said bin attacks involved fraudsters taking the first six numbers of a card (the bank identification number or BIN) and then using software to automatically generate the remaining numbers, and then force transactions through.   

The bank immediately implemented further fraud interceptor measures to notify cardholders of card-not-present transactions, she said.   

“Cardholders will receive a SMS text message to their registered mobile phone, alerting them to blocked transactions.

“BCI reassures our Vaka debit Mastercard cardholders affected they will have full reimbursement on legitimate fraud transactions. 

“We encourage cardholders to continue to monitor their accounts and contact us immediately with any suspicious transactions on their accounts.”

A variety of transaction monitoring was available to customers through an internet banking portal, which included alerts (both email and text) and one-time password, Noon-Arioka said

“BCI reassures all our customers that there is in no way any compromise to your accounts, customer data, or our core banking systems and that BCI has a 24-hour team who are available if you need assistance.”

Cook Islands Financial Intelligence Unit (CIFIU) head Walter Henry said the first incidents related to the BCI bin attack were “promptly” reported to CIFIU in September 2020.

BCI provided a full explanation and documentation on what was happening, how it was happening and an action plan to mitigate the bin attack, he said.

“In compliance with its mandate BCI reported the bin attack to FIU.

“The FIU role was to work together with BCI to collect, analyse, investigate, and if warranted disclose financial information and intelligence related to the bin attack to the appropriate law enforcement agencies.

“Secondly, it was to co-operate with BCI to monitor and receive reports and updates with the internal procedures and resources deployed by BCI to mitigate the bin attack.”

Henry said BCI continue to report to FIU, reports on implementation of new internal procedures and processes and next steps to mitigate fraud activity to customers.

“FIU encourage cardholders to continue to monitor their accounts and contact BCI immediately with any suspicious transactions to their accounts. 

“And be aware and cautious with online shopping, purchases or payment.

“When you go online, you are in the space of cyber criminals, and thus are vulnerable to cyber enabled financial crime.”