Did Standard Bank lie and cheat to get its hands on computer programme?

Written by Ciaran Ryan. Posted in Journalism

This story first appeared in Noseweek


Did Standard Bank lie and cheat to steal an idea worth billions? When ATM and internet fraud started seeping into public consciousness in the 1990s, Joburg-based software development company Advertising Digital Services (ADS) came up with a novel solution to a growing problem: hackers had found a way to secretly install a program on computers that would record keystrokes and mouse-clicks when users were logging on to sensitive websites. With this information, they could empty a bank account from anywhere in the world. ADS’s solution was to remove the keyboard as a point of entry to the computer and replace it with an on-screen virtual pin-pad that, each time it was used to input a password or PIN, would rearrange the digits on its virtual keyboard. ADS director Johan Reynders wanted to patent the system, but was advised against it because, in any event, the system was protected by copyright for 50 years.

To avoid any ambiguity about ownership, however, he uploaded it to the internet in the 1990s so that people around the world could download it free, but only with his permission and provided they acknowledged that the intellectual property rights remained with ADS. Importantly, he says, he chose not to provide any information on the uses and applications of the product so as to prevent software developers coming up with rip-offs. He knew the industry had not yet woken up to the threats from hackers. When it did, he planned to introduce his solution to potential clients.

By 2001 it was clear that others were ripping off ADS’s intellectual property in breach of the user agreements, so Reynders updated the software licensing agreement to levy a penalty of $10,000 per machine using the random keypad without a certificate of authenticity. Legitimate users were charged a discounted rate of $250.

In early 2003, Reynders reckoned the time was ripe to introduce his solution to the market, and he approached all the local banks. All of them declined to meet with him, claiming they had no problems with internet security. But within months the national press was awash with stories of rampant internet banking fraud, prompting the Banking Council of South Africa to issue a public warning in July that year.

In the early days of August, Reynders (pictured) received a call from Louis Lehmann, head of Standard Bank’s IT security, requesting a meeting, as the bank wanted to find out exactly how the ADS system worked and how its software would eliminate the threats highlighted by the Banking Council. Reynders was happy to tell all, provided Standard Bank signed a non-disclosure and confidentiality agreement.

The meeting took place two weeks later, on 18 August 2003, with no fewer than 15 Standard Bank officials in attendance. They included Lehmann, Janie Basson (then head of Standard Bank Group), Anthony Olivier (senior manager for IT security), Michael Hawthorne (head of IT: personal and business banking), Guy Wigg (legal manager), Richard Seddon (head of online share trading) and Herman Singh (CEO of Beyond Payments at Standard Bank). The weight of the contingent attending left Reynders in no doubt the bank was now seriously interested. Also in attendance, for reasons unknown, were two Investec employees. All willingly signed the non-disclosure agreement (NDA).

Reynders outlined three vulnerabilities in the Standard Bank website, two of which, it transpired, were as yet undiscovered by the bankers. He explained how his software provided three levels of protection against “spyware”.

To his surprise, at the end of the meeting, the Standard Bank attendees, including its chief software engineer Corneil du Plessis, indicated they had no interest in his solution, and dismissed the threats to their internet banking services he had identified as “laughable” and “far-fetched.” They also expressed the view that Reynders’s randomised keypad, with its constantly changing number arrangement, would confuse their clients.

By signing his non-disclosure agreement, Standard Bank acknowledged that the information imparted to them was proprietary to ADS and “valuable, a special secret, and a unique asset”. The agreement further prohibited the bank from disclosing this information to a third party without the written consent of ADS, or from exploiting or using it in any way.

But, barely two months later, when Reynders opened the Sunday Times he was confronted with a report in which Herman Singh, CEO of Beyond Payments (a division of Standard Bank) and one of those who had been present at the meeting, bloviated about the threats of online fraud and how Standard Bank had developed a solution to protect clients’ cash. A day later, on 6 October 2003, Singh reported to Standard Bank’s 280,000 internet banking clients that it had just updated its internet security.

Reynders had no doubt the security update that Singh had announced to the bank’s customers was a direct rip-off of his intellectual property, and was therefore a breach of the confidentiality agreement they had signed.

Based on figures from Standard Bank itself, 500,000 internet transactions were recorded each day – a staggering 730 million over the four years the bank proceeded to use this particular security solution. Reynders reckons the bank owes him at least US$10 billion (R153bn) in damages.

Standard Bank discontinued use of the security system in 2007, coincidentally, just after Reynders deposited R200,000 into the bank’s attorney’s trust account as security for legal costs, as demanded by the bank as a precondition for the court hearing of his damages claim to proceed. He had no doubt this was done to mitigate any damages the court might in due course have seen fit to award him.

Reynders arrives at the $10bn damages figure by a straightforward application of the penalties outlined in his published user licence agreement: $10,000 for every breach, multiplied by the estimated one million Standard Bank clients who used the system. To put this in perspective, Reynders’s claim is a shade less than the bank’s entire market capitalisation of about R180bn, and more than seven times last year’s reported profit of R23.8bn. This does not include Standard Bank users outside South Africa, nor use by associates such as Investec, Bank of China and Bank of India.

The problem Reynders faced was how to enforce his rights against a bank with deep pockets and a squad of highly paid legal counsel at its disposal. He attempted to negotiate a settlement with the bank over the next two years, but this went precisely nowhere. He managed to track down a firm of attorneys willing to take on the case – a rarity in South Africa, as anyone with a gripe against the banks knows – and on 25 July 2005 they served summons on Standard Bank, claiming breach of confidentiality and “re-creation and exploitation” of ADS’s intellectual property.

In its reply to the summons, Standard claimed that its chief software engineer, Corneil du Plessis (who had attended the meeting with Reynders, and had been particularly dismissive of the online threats and the type of technology proposed by Reynders), had coded algorithms on his computer that proved the bank was already working on a solution similar to that of ADS as early as 23 July 2003 – three weeks before Reynders disclosed his secrets to the bank (and, as it happens, at about the time the bank called him seeking a meeting to be briefed on his scheme). Which immediately raised the question: if the bank’s own staff were already on top of the problem with an identical solution, why invite Reynders under false pretences to such a high-level meeting, where he was persuaded to reveal all the detail of his scheme to the bankers on a supposedly confidential basis, only to be told afterwards that they saw no merit in it? Why the outright lie?

That deception was their intention is further confirmed by the fact that at their meeting on 18 August 2003 they made no mention to him of their own attempts, that had commenced just three weeks earlier, to develop such a system.

In response to Standard Bank’s plea of having had their own prior scheme that just happened to be almost identical to his, Reynders demanded proof that Standard Bank had beaten him to the punch.

Two forensic audits were commissioned, one independent, the other by the bank, to examine the computer hard drive of Corneil du Plessis, the Standard Bank man who, quite fortuitously, is said to have developed, independently, a very similar system. The first was conducted by Mervin Pearce of Security Audit and Control Solutions, the second, by Dr Fritz Solms, an IT expert commissioned by the bank. Both experts concluded independently that there was no evidence on Du Plessis’s hard drive to support the bank’s plea that he had developed the security software prior to the meeting with Reynders on 18 August 2003. What they did find on the hard drive was a stack of pornography and links to illegal websites.

Mervin Pearce of Security Audit and Control Solutions, in a forensic report drafted in September 2006, states the following after an inspection of the Standard Bank computer hard drive used for the program in question:

“The statement made by Corneil du Plessis (Standard Bank’s IT expert) that the scrambling code was developed on or before the 23rd July 2003 is incorrect as the initial book-out by Corneil du Plessis of the common pinpad.jsf (not the scrambling software code) was on Wednesday the 30th of June 2003 at 11:05:05 in the morning. This is one week after the alleged meeting where internet security was discussed…

“The evidence on the hard disk drive indicates that the first occurrence of the scrambling for the Pinpad is on 3rd of October 2003.”

In other words, the evidence suggests Du Plessis only started to work on the source code for the scrambled keypad after the meeting with Reynders on 18 August 2003.

Pearce goes on: “The critical analysis of Corneil’s contemporaneous statement [about] when the development of the scrambling code took place on the hard disk is negated by the evidence found on the hard disk drive and the physical audit trail.”

In summary, the forensic auditor found evidence that Standard Bank’s programmers had been working on a type of screen keypad as early as 23 July 2003 (three weeks prior to their meeting with Reynders), but the crucial scrambling code was only added in October – after the meeting with Reynders. Pearce concluded that ADS, not Standard Bank, was the proprietary owner of the software.

In his forensic report, Dr Fritz Solms notes that Standard Bank first publicly announced the planned use of a virtual pinpad on 25 July 2003, but the first mention of a scrambled pinpad was made on ITWeb – a prime source of IT news – on 6 October of that year. But, contrary to Pearce’s view, Solms says: “In my opinion the technical implementation of a scrambled pinpad would not have posed a significant challenge to even junior software developers”, adding that the algorithm for scrambling a sequence of numbers has been around since the 1980s.

This might have been true, had they thought of applying it as a means of further securing online banking transactions. They clearly had not, until Reynders told them about his idea.

Reynders says his case is not about the technical complexity of coding a scrambled keypad. He says his intellectual property relates to how this technology is applied to deal with the problem of online fraud – that is what has been pilfered from him by Standard Bank.
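To make concrete the mechanism described at the start of this story (keystroke and click loggers versus a pin-pad whose digit order is reshuffled for every entry) and the point Solms makes about the scrambling algorithm itself, here is an added Python example. It is not ADS’s code, nor Standard Bank’s; the class and function names, the session handling and the sample user and PIN are assumptions constructed for illustration. It shows the server-side half of the scheme: the layout is generated with a Fisher-Yates shuffle driven by the OS random source, the client only ever reports which keys were clicked, and the layout is discarded after one use, so a recording of clicked positions decodes to a different candidate PIN under every layout the logger did not see.

```python
"""Added example of a server-side scrambled pin-pad (not ADS's or Standard Bank's code).

The client never types digits. It clicks keys on an on-screen pad whose digit
order is freshly shuffled for every PIN entry and sends only the *positions*
clicked. Without that entry's layout, a log of keystrokes or click positions
does not reveal the PIN.
"""
import hmac
import secrets
from typing import Dict, List

DIGITS = "0123456789"


def scrambled_layout(rng=None) -> List[str]:
    """Return the ten digits in a fresh random order.

    Fisher-Yates shuffle (the long-known 'algorithm for scrambling a sequence
    of numbers'), driven by the OS CSPRNG unless a caller passes its own
    random source via `rng` (only sensible for tests).
    """
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    for i in range(len(layout) - 1, 0, -1):
        j = rng.randrange(i + 1)          # uniform in [0, i]
        layout[i], layout[j] = layout[j], layout[i]
    return layout


def positions_for_pin(layout: List[str], pin: str) -> List[int]:
    """What the client sends: the key index clicked for each PIN digit."""
    return [layout.index(d) for d in pin]


def digits_at_positions(layout: List[str], positions: List[int]) -> str:
    """Map key indices back to digits under a given layout."""
    return "".join(layout[p] for p in positions)


class PinPadServer:
    """Keeps one single-use layout per login attempt, server side only."""

    def __init__(self, pins: Dict[str, str], rng=None):
        self._pins = pins                 # constructed sample: user -> PIN
        self._layouts: Dict[str, List[str]] = {}
        self._rng = rng

    def start_entry(self, session_id: str) -> List[str]:
        """Issue a fresh layout for this attempt; the client renders it."""
        layout = scrambled_layout(self._rng)
        self._layouts[session_id] = layout
        return layout

    def verify(self, session_id: str, user: str, positions: List[int]) -> bool:
        """Check clicked positions against the stored PIN, then discard the layout."""
        layout = self._layouts.pop(session_id, None)   # one layout, one attempt
        if layout is None or user not in self._pins:
            return False
        if any(not 0 <= p < len(layout) for p in positions):
            return False                                 # malformed client input
        entered = digits_at_positions(layout, positions)
        return hmac.compare_digest(entered, self._pins[user])


def decode_under_each(positions: List[int], layouts: List[List[str]]) -> List[str]:
    """What a logger that captured only click positions is left with: a
    different candidate PIN for every layout it does not know."""
    return [digits_at_positions(layout, positions) for layout in layouts]


if __name__ == "__main__":
    server = PinPadServer({"alice": "2580"})          # constructed sample account
    layout = server.start_entry("s1")
    clicks = positions_for_pin(layout, "2580")
    print("layout:", "".join(layout), "clicks sent:", clicks)
    print("verify with matching layout:", server.verify("s1", "alice", clicks))
    server.start_entry("s2")
    print("same clicks replayed against a new layout:",
          server.verify("s2", "alice", clicks))
```

Two design points matter for the defence to hold: the layout must live only on the server and be consumed by a single attempt, so a replayed set of positions is meaningless; and the scheme only blinds a logger that sees keystrokes or click coordinates. Spyware that also captures the rendered screen sees the layout and is not stopped, which is why this is one layer of protection rather than a complete answer to the threat.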

The mysterious Investec letter

A trial date was set down for 14 April 2008. Just a few days prior to this, Standard Bank introduced (“discovered”) a bombshell bit of new evidence – an undated letter on Investec’s letterhead in which two senior officials of that bank claimed that Investec had implemented a technology similar to ADS’s system on its website ten days before the Reynders meeting. The letter was signed by Paul Hanley, head of Investec Private Bank, and Tim Till, that bank’s head of risk.

Reynders believes it to be an outright lie intended to run up legal costs and delay justice – and told everyone so.

Standard Bank stuck to its claim that the Investec letter was authentic, despite ITWeb’s reporting that Investec had uploaded similar technology to that provided by ADS some time after Reynders met with Standard Bank.

The Investec letter was supposed to support Standard Bank’s contention that the technology was widely available prior to the bank’s having signed the non-disclosure agreement with ADS and, if it was a breach of copyright, it was an unintentional breach.

By now, Reynders’s legal team were getting cold feet. His attorney and legal counsel resigned, alleging threats from the bank’s legal team.

The bank’s advocate, Schalk Burger SC, approached Reynders on the day of the trial with an offer to settle, failing which he would ask the court to award costs against ADS. Reynders refused. In front of Judge Roland Sutherland, Reynders represented himself and asked for more time to get to the bottom of the Investec letter and find new legal representation. Judge Sutherland agreed.

Reynders appointed a new firm of attorneys, who pressed Investec on the authenticity of the letter it had provided Standard Bank. Investec simply refused to respond, reinforcing Reynders’s suspicions.

Reynders’s legal team also asked Standard Bank for a copy set of all the documents it would rely on in the upcoming trial, as he feared some of the documents might have gone missing when he changed attorneys.

To his amazement, he found that the duplicate set they supplied contained a copy of an email in which Corneil du Plessis discussed the security threats, that differed significantly from the copy of the same email that the bank had originally made available to him in the “discovery” stage of the case.

The copy of the email now provided by the bank had in the interim clearly been “doctored” by someone who presumed he was no longer in possession of the original. It looked like a crude cut-and-paste of some exculpatory text that would support the bank’s claim that it had had knowledge of the technology prior to its introduction by Reynders.

Reynders had now been given two versions of what purported to be the same email, one clearly a forgery. Why the forgery, other than to mislead the court with false evidence? This, says Reynders, is confirmed by an earlier affidavit, filed by Standard Bank’s Louis Lehmann in 2006 in response to a request for discovery, in which Lehmann stated that the bank had no documentation of whatever nature that would support their plea.

Around this time the bank’s attorney Aslam Moosajee of Deneys Reitz (later Norton Rose) argued that ADS was being deliberately slow in advancing the case, and requested the matter be placed under case management by a judge. The late Judge Mohamed Jajbhay was appointed to hear the matter, which would go to trial on 25 March 2010. If ADS was not ready by then, the case would be dismissed with costs. ADS wanted a postponement as it had not been able to elicit a response from Investec on its supposedly exculpatory letter, a bit of evidence potentially devastating to ADS’s case – if it were true.

ADS’s attorney at the time reported back to Reynders that Judge Jajbhay had “gone off at him” during the pre-trial hearing, and threatened that the bank would be awarded a de bonis propriis cost order (where the loser’s attorney – rather than his client – is ordered to pay all costs of the case), unless he withdrew the case against Standard Bank before it went to trial. Shocked, Reynders contacted Judge Jajbhay and asked why he had made this unseemly threat to his attorney, to which Jajbhay replied his comments were “in jest”. But by then the damage was done: Reynders’s attorneys had panicked and withdrawn from the case.

Judge Jajbhay, struggle stalwart and defender of press freedom in ruling for the Sunday Times when it published unlawfully obtained medical information about the late health minister Manto Tshabalala-Msimang, had interesting ties with Standard Bank and its legal team. Standard Bank was the major sponsor of SA cricket at the time, and Jajbhay served on the sports body’s legal and governance committee. The bank’s attorney, Aslam Moosajee, is the brother of Mohammed Moosajee of SA Cricket fame. Adv AE Bham SC, who represented Standard Bank in this case, also previously provided legal counsel to SA Cricket.

Given these ties, Reynders didn’t like his odds. On 25 March 2010, Reynders was in court again, this time before Judge Tsoka. Again he was unrepresented, and was forced to ask the judge for a postponement as he had still not been able to get to the bottom of the obviously critical Investec letter. Adv Burger made sport of this, claiming Reynders had a pattern of showing up in court without legal counsel. Reynders attempted to point out that his lack of representation was the result of the bank’s bullying tactics. The trial was ordered to go ahead, or be dismissed with costs as per late Judge Jajbhay’s orders.

Just before the trial commenced, Reynders received an email from the bank’s attorneys advising him that they would not be using the contentious Investec letter in court. A reasonable deduction from this was that Investec was not prepared to testify under oath to the truth of its contents or be cross-examined on how they came to introduce the system at their bank.

Standard Bank’s only witness at the trial was Du Plessis, who had already been found to be a liar by both forensic experts. The trial was tainted with irregularities: Du Plessis was allowed to read his testimony from prepared notes, and gave hearsay expert evidence without filing an expert notice, as would be normal in such trials.

Errors of fact

Judge Tsoka dismissed Reynders’s case and found in favour of the bank. He further refused ADS leave to appeal without giving reasons. The judgment contains several errors of fact, hearsay evidence and rulings on points that were not part of the bank’s pleadings. For example, the judge states as fact that Reynders conceded that his software was not secret and was available freely on the internet – which is not what he conceded.

Reynders is now preparing to take his case on appeal to remove what he says are the errors of judgment handed down in the South Gauteng High Court. This time he plans to have some heavyweight legal counsel at his side. “Kenneth Makate won his case against Vodacom in the Concourt, which found he had been cheated out of his invention. According to media reports, Vodacom must pay him R10.5bn. But look what it cost him: sixteen years and R5.5bn in legal costs, which is what his legal funders are expected to receive from his winnings.”

How is that fulfilling the Constitutional right of access to justice?

“It’s been reported that Oscar Pistorius spent R30m on his defence. Imagine you are accused of murder – rightly or wrongly – and you don’t have money. You’d rather run than come up against a justice system which bankrupts you,” says Reynders.

When done with Standard Bank, he wants to press for specific legislation whereby anyone who is party to a legal fraud is criminally charged and jailed. Godspeed with that.

Ciaran Ryan

The Writer's Room is curated by Ciaran Ryan, who has written on South African affairs for Sunday Times, Mail & Guardian, Financial Mail, Finweek, Noseweek, The Daily Telegraph, Forbes, USA Today, Acts Online and Lewrockwell.com, among others. In between he manages a gold mining operation in Ghana, and previously worked in Congo. Most of his time is spent in the lovely city of Joburg.