Incident: Fraudulent Transactions at Commonwealth Bank Linked to Payment Issue

Published Date: 2021-08-17

Postmortem Analysis
Timeline
1. The software failure incident of fraudulent transactions affecting Commonwealth Bank customers happened in the last two weeks or so, as mentioned in the article [118023].
2. The article was published on 2021-08-17 07:00:00+00:00 [118023].
3. The incident therefore likely occurred around the end of July or early August 2021.

System
1. Commonwealth Bank payment system [118023]
2. Shudder online streaming service payment processing system [118023]

Responsible Organization
1. Commonwealth Bank [118023]

Impacted Organization
1. Commonwealth Bank customers [118023]

Software Causes
1. The software cause of the failure incident was a payment issue detected by Commonwealth Bank, which led to unauthorized transactions to the American streaming service Shudder [118023].

Non-software Causes
1. Fraudulent transactions made to the American streaming service Shudder, indicating a potential security breach at Commonwealth Bank [118023].

Impacts
1. Customers of Commonwealth Bank had unauthorized transactions ranging from $8 to $8.19 charged to their accounts as payments to the American streaming service Shudder, leading to financial losses and security concerns [118023].

Preventions
1. Implementing robust fraud detection algorithms and systems to flag suspicious transactions in real time could have prevented the fraudulent transactions from occurring [118023].
2. Conducting regular security audits and penetration testing to identify vulnerabilities in the banking system that could be exploited by fraudsters [118023].
3. Enhancing customer authentication processes, such as implementing multi-factor authentication, to prevent unauthorized access to accounts and transactions [118023].

Fixes
1. Implementing enhanced fraud detection algorithms to identify and flag suspicious transactions promptly [118023].
2. Conducting a thorough investigation to identify the root cause of the payment issue and implementing the necessary fixes to prevent similar incidents in the future [118023].
3. Enhancing customer authentication processes to prevent unauthorized transactions and improve security measures [118023].

References
1. Commonwealth Bank spokesperson [118023]
2. Commonwealth Bank customers affected by the fraudulent transactions [118023]
3. Shudder, the American streaming service where the unauthorized payments were made [118023]
4. TrustPilot reviews from customers affected by the incident [118023]

Software Taxonomy of Faults

Recurring
Option: one_organization
Rationale: (a) The software failure incident related to fraudulent transactions to the American streaming service Shudder has happened again at Commonwealth Bank. Customers reported unauthorized charges ranging from $8 to $8.19 to Shudder, even though they had never heard of the site. This incident indicates a recurring issue within Commonwealth Bank's systems [118023]. (b) The software failure incident related to fraudulent transactions to Shudder has not been reported to have happened at multiple organizations. The focus of the incident seems to be specific to Commonwealth Bank and its customers experiencing unauthorized charges to Shudder [118023].

Phase (Design/Operation)
Option: design, operation
Rationale: (a) The software failure incident in this case seems to be related to the design phase. The fraudulent transactions occurring in Commonwealth Bank customers' accounts were attributed to a payment issue that had been detected by the bank [118023]. This indicates that the failure was due to contributing factors introduced during system development or updates. (b) Additionally, the incident could also be linked to the operation phase. Customers were urged to check their accounts for unusual activity and contact the bank immediately if they noticed any unauthorized transactions [118023]. This suggests that the failure could have been influenced by factors related to the operation or misuse of the system.

Boundary (Internal/External)
Option: within_system, outside_system
Rationale: (a) within_system: The software failure incident in this case seems to be within the system of Commonwealth Bank. Customers reported unauthorized transactions to a legitimate online streaming service, Shudder, ranging from $8.00 to $8.19, even though they had never heard of the site. Commonwealth Bank confirmed a payment issue had been detected, indicating a failure within their system leading to these unauthorized transactions [118023]. (b) outside_system: The contributing factors that originated from outside the system in this incident could be related to potential security breaches or fraudulent activities targeting the customers' accounts. Customers raised concerns about the security of their accounts and questioned whether there could be a security breach at Commonwealth Bank, suggesting external factors impacting the software failure incident [118023].

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale: (a) The software failure incident in this case appears to be related to non-human actions. The fraudulent transactions ranging from $8.00 to $8.19 were reported to have been paid to the American streaming service Shudder without the customers' knowledge or consent. Commonwealth Bank confirmed that a payment issue had been detected, indicating a technical glitch or fault in the system that allowed these unauthorized transactions to occur [118023]. (b) Additionally, human actions are also involved in this incident. Customers were urged to check their bank accounts for any unusual activity and were advised to contact the bank or Shudder if they noticed unauthorized transactions. Some customers expressed concerns about a potential security breach at Commonwealth Bank, suggesting that human error or oversight in the bank's security measures could have contributed to the incident [118023].

Dimension (Hardware/Software)
Option: hardware, software
Rationale: (a) The software failure incident in the Commonwealth Bank case seems to be related to a hardware issue. Customers reported unauthorized transactions to an American streaming service, Shudder, ranging from $8.00 to $8.19, even though they had never heard of the site. Commonwealth Bank confirmed a payment issue had been detected, indicating a potential hardware-related problem [118023]. (b) The software failure incident in the Commonwealth Bank case could also be related to a software issue. Customers experienced unauthorized transactions to Shudder, a legitimate online streaming service, without their knowledge or consent. This suggests a potential software glitch or vulnerability that allowed these transactions to occur [118023].

Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale: (a) The software failure incident in this case appears to be non-malicious. Customers of Commonwealth Bank reported unauthorized transactions to the American streaming service Shudder, ranging from $8.00 to $8.19, without their knowledge or consent. The bank confirmed a payment issue had been detected, indicating a technical glitch or error rather than a malicious attack [118023].

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale: (a) The software failure incident reported in Article 118023 seems to be more aligned with poor_decisions. The incident involved fraudulent transactions being made to the American streaming service Shudder from Commonwealth Bank customers' accounts. The payments ranged from $8.00 to $8.19, and customers had never heard of the site. Commonwealth Bank confirmed a payment issue had been detected, indicating a failure possibly due to poor decisions in the bank's payment processing system or security measures [118023].

Capability (Incompetence/Accidental)
Option: accidental
Rationale: (a) The software failure incident in this case does not seem to be related to development incompetence. There is no indication in the articles that the fraudulent transactions and payment issue were caused by a lack of professional competence in the development of the software. (b) The software failure incident appears to be accidental. The incident of fraudulent transactions and unauthorized charges to Commonwealth Bank customers' accounts seems to have occurred accidentally, possibly due to a glitch or fault in the payment processing system. The unauthorized payments to the streaming service Shudder were not initiated by the customers, indicating an accidental issue with the software system [118023].

Duration
Option: temporary
Rationale: From the provided articles, the software failure incident related to fraudulent transactions occurring in Commonwealth Bank accounts appears to be a temporary failure. The incident seems to be temporary as it was caused by a specific issue related to payment processing, leading to unauthorized charges to customers' accounts for payments to the streaming service Shudder. The bank and the streaming service were actively addressing the issue by urging affected customers to contact them to resolve the unauthorized transactions and close affected accounts. Additionally, customers were advised not to dispute the charges with their bank directly but to contact Shudder for resolution, indicating a specific and addressable issue rather than a permanent failure affecting all circumstances [118023].

Behaviour
Option: omission, value, other
Rationale: (a) crash: The software failure incident in the articles does not specifically mention a crash where the system loses state and does not perform any of its intended functions [118023]. (b) omission: The software failure incident can be categorized as an omission where the system omits to perform its intended functions at instances. In this case, fraudulent transactions ranging from $8.00 to $8.19 were made to the American streaming service Shudder without the customers' knowledge or consent, indicating an omission in the system's ability to prevent unauthorized transactions [118023]. (c) timing: The software failure incident does not align with a timing failure where the system performs its intended functions correctly but too late or too early [118023]. (d) value: The software failure incident can be classified as a value failure where the system performs its intended functions incorrectly. In this case, the system allowed unauthorized transactions to be processed, resulting in customers being charged for payments they did not authorize [118023]. (e) byzantine: The software failure incident does not exhibit a byzantine failure where the system behaves erroneously with inconsistent responses and interactions [118023]. (f) other: The other behavior observed in this software failure incident is a security breach leading to fraudulent transactions. Customers' accounts were compromised, and unauthorized charges were made to the American streaming service Shudder without their knowledge or consent, indicating a security breach in the system [118023].

IoT System Layer

Perception
Option: None
Rationale: None

Communication
Option: None
Rationale: None

Application
Option: None
Rationale: None

Other Details

Consequence
Option: property, theoretical_consequence
Rationale: (d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident reported in Article 118023 resulted in fraudulent transactions being made from Commonwealth Bank customers' accounts to the American streaming service Shudder without their authorization. Customers reported charges ranging from $8 to $8.19 appearing in their transaction history, leading to financial losses for the affected individuals. The unauthorized charges raised concerns about potential security breaches and compromised accounts, prompting customers to contact the bank and the streaming service to address the issue [118023].

Domain
Option: finance, entertainment
Rationale: (a) The failed system in this incident was related to the finance industry. The software failure incident involved fraudulent transactions appearing in Commonwealth Bank customers' accounts, with payments ranging from $8.00 to $8.19 being made to the American streaming service Shudder without the customers' authorization [118023]. The bank confirmed a payment issue had been detected, and customers were urged to check their accounts for any unusual activity and contact the bank immediately if they noticed any unauthorized transactions. The bank also assured customers of a 100% guarantee against online fraud if they were not at fault. (k) The failed system also impacted the entertainment industry. Shudder, the online streaming service to which the unauthorized payments were made, is a platform focused on the horror genre. The service acknowledged the fraudulent transactions and urged affected individuals to contact them to close their accounts and resolve the issue [118023]. Customers who did not recognize charges from Shudder were advised to contact the service directly to address the problem and prevent further unauthorized charges. Unknown industries: There is no specific mention of other industries in the provided article.

Sources
