BMO Fraud Cases | BMO | Discussion forum
May 2, 2024, 5:09 pm | gicbits (member since June 9, 2022; 21 posts)

I've been reading about the recent BMO customers who had money taken from their account. From what I can tell, in all of these cases, BMO claims that the transfers originated from the customer's IP address.

If this is true, it indicates that their computers were infected with trojans that gave criminals access to their PCs. But I wonder if BMO actually investigated all of these issues and determined that the IP addresses belonged to customers by verifying this with the customer's ISP.

One thing I've noticed with BMO is that during their customer verification process over the phone, they send you a security code and ask you to verify it. This code grants access to online banking.

Although we should be able to trust bank employees not to abuse this, if their internal system is somehow compromised, giving out this security code could lead to fraud.

I find it odd that this apparent increase in fraud is mostly coming from one bank. Unless criminals have spotted lax fraud detection on BMO's part and are purposely targeting BMO customers, it seems that something else is going on with that bank.

May 2, 2024, 8:03 pm | AltaRed, BC Interior (member since October 27, 2013; 3088 posts)

There is an entire thread debating this BMO situation. https://www.highinterestsavings.ca/forum/bmo/ottawa-woman-warned-bmo-of-suspected-bank-fraud-still-lost-15k/ I truly suspect it is not limited to just BMO but WTFDIK?

I also don't understand what you mean

One thing I've noticed with BMO is that during their customer verification process over the phone, they send you a security code and ask you to verify it. This code grants access to online banking.

Do you mean a voice call, or strictly a 2FA verification code via SMS text? No bank employee has access to the latter.

May 3, 2024, 8:24 am | tanitype (member since March 20, 2024; 4 posts)

AltaRed said
There is an entire thread debating this BMO situation. https://www.highinterestsavings.ca/forum/bmo/ottawa-woman-warned-bmo-of-suspected-bank-fraud-still-lost-15k/ I truly suspect it is not limited to just BMO but WTFDIK?

I also don't understand what you mean

One thing I've noticed with BMO is that during their customer verification process over the phone, they send you a security code and ask you to verify it. This code grants access to online banking.

Do you mean a voice call, or strictly a 2FA verification code via SMS text? No bank employee has access to the latter.  

Nowadays when a client initiates a phone call with some banks (e.g., TD and Simplii), the bank's CSR sends a security code via SMS to the client's phone that needs to be inputted while on the phone with the CSR. This replaces the usual security questions asked by CSRs for verifying that the caller is the account holder. The client can refuse the SMS verification method and request the CSR to use the security questions method.

May 3, 2024, 8:40 am | tanitype (member since March 20, 2024; 4 posts)

Most participants in the above thread blame the victims of the fraud for their loss. Psychologically speaking, this is a tactic used by many people to falsely assure themselves that they are "safe" because they are "smarter" than the victims! I believe that gicbits is alerting us to this fallacy by proposing that the fault may be BMO's since most recent victims are its clients!

May 3, 2024, 9:57 am | InterestThis (member since November 5, 2022; 349 posts)

Yes, that is right, they are blaming the victims, as they think they are smarter than them.
It's exactly the same as blaming a victim of a car-jacking, home invasion, or Bernie Madoff. Even victims of Madoff are getting money back.
But no, some people think they are too smart to get hit with an invisible trojan, and the victims had it coming, and BMO is perfectly blameless with their lousy security practices.
In fact, the banks are to blame, as they don't want to spend the money on security, and just have the customers eat the loss.

May 3, 2024, 5:05 pm | gicbits (member since June 9, 2022; 21 posts)

tanitype said

Nowadays when a client initiates a phone call with some banks (e.g., TD and Simplii), the bank's CSR sends a security code via SMS to the client's phone that needs to be inputted while on the phone with the CSR. This replaces the usual security questions asked by CSRs for verifying that the caller is the account holder. The client can refuse the SMS verification method and request the CSR to use the security questions method.  

I meant a voice call. When I call BMO, they send me a text message with a security code and a warning that tells me that anyone who has this code can access my online banking. If they want to verify my identity by sending a code to my phone by sms, they should send a different type of code that does not grant access to my online banking account with BMO.

May 4, 2024, 1:35 am | sk (member since June 18, 2019; 16 posts)

The big 5, just like the telcos in Canada, need a reality check. It is coming whether they like it or not.

May 4, 2024, 4:52 am | mordko (member since April 27, 2017; 943 posts)

HSBC offers a physical security device for 2FA. They started doing it perhaps 20 years ago if I remember rightly. Only used for certain types of transactions, such as wire or etransfers.

Are any of the other banks offering this? Not an expert, but guessing a stand-alone physical device offers an extra layer of protection vs texts or emails used for 2FA. Not even connected to the internet. Much harder to penetrate a device which isn't used for receiving phishing emails or surfing the internet. And stealing this 2FA device would give a thief nothing unless he also has the codes to the security device AND access to the normal login info.

May 4, 2024, 5:55 am | Alexandre (member since November 8, 2018; 1217 posts)

One of the banks I had business with many years ago offered a SecurID physical device for authentication.

This article, while from 2011, explains how SecurID was compromised: RSA Security breach explained

May 4, 2024, 5:55 am | savemoresaveoften (member since March 30, 2017; 2967 posts)

I believe all banks retired the standalone physical card device you mentioned years ago. Bloomberg, IB, and employer online access used to use the electronic card / RSA that spits out a 6-digit number. Have not seen those for like 10 years or possibly more.

It's just unreasonable and wrong to make any bank responsible for client losses if it's a result of a client using a device that is infected by a trojan. If it is, it just encourages customers not to care about account/device security, and also provides the perfect incentive for the crooks to continue their scam practice.

May 4, 2024, 6:39 am | Norman1 (member since April 6, 2013; 7080 posts)

The hardware tokens are still used and secure.

Banks and brokerages tend to deploy the software tokens to mobile phones and computers because they are much cheaper. Each hardware token used to be around $50 and needed to be replaced every five years. Cost is now around $20.

What happened in 2011 was a leak of the token seeds on the RSA Security end. One just needs to replace the existing hardware tokens with new ones with different seeds that aren't leaked.

Banks are not liable for client losses from client using a compromised device. It is not the bank's fault when (1) login name was correct, (2) login password was correct, (3) one-time random number sent to mobile phone was correct, and (4) the IP address where the login originated is an IP address regularly used by the client for other non-disputed transactions.
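Two points in this thread come down to the same piece of arithmetic: Norman1's remark that the 2011 RSA incident was a leak of token seeds, cured by issuing tokens with different seeds, and gicbits's complaint that the code BMO texts for phone verification is the same code that opens online banking. The following is an added example, not code from any poster or from any bank: an RFC 4226 HOTP generator checked against the RFC's own published test vectors, plus a hypothetical "purpose binding" scheme (the `purpose_key` derivation, the label strings, and the `TokenServer` bookkeeping are all assumptions made for this example) that derives a separate sub-key per use, so a code issued for phone verification is rejected when presented as a login code. The seeds, counters and window size are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Seed from the RFC 4226 test vectors (Appendix D). A real token's seed is random,
# stored only by the issuer and burned into the device; it never travels in the clear.
RFC4226_SEED = b"12345678901234567890"

# A second, fixed seed standing in for a freshly manufactured replacement token (constructed).
REPLACEMENT_SEED = b"replacement token seed #2 (example)"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits. Everything the code depends on is right here:
    the key and a counter. Nothing about the plastic case enters the computation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{binary % 10**digits:0{digits}d}"


def purpose_key(seed: bytes, purpose: str) -> bytes:
    """Hypothetical purpose binding (an assumption of this example, not any bank's scheme):
    derive a distinct sub-key per use of the code ("login", "phone-verify", ...) with
    HMAC-SHA256 over a label. Codes issued under one purpose verify only under that purpose."""
    return hmac.new(seed, b"otp-purpose:" + purpose.encode(), hashlib.sha256).digest()


class TokenServer:
    """Issuer-side state for one customer's token: the shared seed plus, per purpose,
    the next counter to issue and the lowest counter still acceptable."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.next_issue = {}      # purpose -> counter of the next code to send
        self.next_accept = {}     # purpose -> counters below this value are spent

    def issue(self, purpose: str) -> str:
        """Produce the next code for `purpose` (what an SMS or a hardware token would show)."""
        c = self.next_issue.get(purpose, 0)
        self.next_issue[purpose] = c + 1
        return hotp(purpose_key(self.seed, purpose), c)

    def verify(self, purpose: str, code: str, window: int = 3) -> bool:
        """Accept `code` only under the key for `purpose`, within a small look-ahead window,
        and burn the counter so the same code cannot be replayed."""
        key = purpose_key(self.seed, purpose)
        base = self.next_accept.get(purpose, 0)
        for c in range(base, base + window):
            if hmac.compare_digest(hotp(key, c), code):
                self.next_accept[purpose] = c + 1
                return True
        return False


def seed_leak_demo() -> dict:
    """Holding the leaked seed is holding the token: the 'attacker' server computes the
    victim's codes exactly. Re-issuing the customer a token with a fresh seed ends that."""
    victim = TokenServer(RFC4226_SEED)
    attacker = TokenServer(RFC4226_SEED)              # same seed, copied from the leak
    cloned = [victim.issue("login") == attacker.issue("login") for _ in range(3)]
    reissued = TokenServer(REPLACEMENT_SEED)           # customer gets a token with a new seed
    attacker = TokenServer(RFC4226_SEED)              # attacker still only has the old seed
    after_reissue = [reissued.issue("login") == attacker.issue("login") for _ in range(3)]
    return {"cloned_all_match": all(cloned), "reissued_all_match": all(after_reissue)}


def purpose_binding_demo() -> dict:
    """A code sent to verify a caller's phone must not double as a login code."""
    server = TokenServer(RFC4226_SEED)
    code = server.issue("phone-verify")               # read back to the CSR over the phone
    return {
        "accepted_for_phone_verify": server.verify("phone-verify", code),
        "accepted_for_login": server.verify("login", code),
        "replay_accepted": server.verify("phone-verify", code),
    }


if __name__ == "__main__":
    print("RFC 4226 vector, counter 0:", hotp(RFC4226_SEED, 0))
    print(seed_leak_demo())
    print(purpose_binding_demo())
```

The first ten codes for the RFC seed must come out as 755224, 287082, 359152 and so on, which is how to tell the generator is right before trusting anything built on it. The seed demo is the whole of the 2011 story in three lines: a copy of the seed is a copy of the token, and the fix is a new seed, not a new case. The purpose demo is what gicbits is asking for: with a separate sub-key per purpose, the digits a CSR asks a caller to read back are useless at the login page, and reading them out over the phone no longer hands over the account.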

May 4, 2024, 7:54 am | tanitype (member since March 20, 2024; 4 posts)

Norman1 said
Banks are not liable for client losses from client using a compromised device. It is not the bank's fault when (1) login name was correct, (2) login password was correct, (3) one-time random number sent to mobile phone was correct, and (4) the IP address where the login originated is an IP address regularly used by the client for other non-disputed transactions.  

Liability of the banks is to be determined in a court of law, NOT the court of public opinion. Most likely, current security measures are becoming insufficient for the protection of "ordinary" clients. Banks may be forced to take responsibility for their clients' losses and to address the deficiency in the security of their systems!

May 4, 2024, 8:03 am | mordko (member since April 27, 2017; 943 posts)

It's an issue of one's funds/account being secure. Phishing schemes can be VERY imaginative. The elderly in particular are susceptible. Blaming the client is easy. If a bank were to offer tokens for 2FA, I would certainly consider giving it my business. It's unfortunate the big 5 don't have to care. I understand it's an extra cost for the banks, but hopefully the courts will change this equation.

May 4, 2024, 8:40 am | savemoresaveoften (member since March 30, 2017; 2967 posts)

While it may seem easy for the bank to blame the client, the evidence is such that all security measures in place have met the requirement, including 2FA AND a matching IP. A client will still blame the bank even if a physical RSA-type dongle is used. As long as the transaction is not initiated by the client, the client points the finger at the bank.

I would love to hear from those that side with the victim 100% regardless of the evidence provided: what are the other security measures that are lacking that banks should deploy? It had better be a practical one…

May 4, 2024, 8:44 am | Alexandre (member since November 8, 2018; 1217 posts)

mordko said
If a bank were to offer tokens for 2FA, I would certainly consider giving it my business. It’s unfortunate big 5 don’t have to care. Understand its extra costs for the banks, but hopefully the courts will change this equation.  

If you are sufficiently paranoid/security conscious, you could get a prepaid phone number for about $15/mo or less, share it with nobody and only provide it to banks for 2FA.

If nobody knows your "secret" 2FA phone number, they won't be able to do SIM swap on it.

Many modern smartphones allow dual SIM, but going further, just get an inexpensive flip phone for the 2FA phone number and use it as a sort of hardware token.

------------------

On the topic of tokens, I agree with you. In fact, I would not mind paying out of pocket for a SecurID type of device; $50 one time is not that much.

Maybe something good will come from the BMO case, not just a settlement without any action on the bank's part.

May 4, 2024, 8:51 am | Alexandre (member since November 8, 2018; 1217 posts)

savemoresaveoften said
I would love to hear from those that side with the victim 100% regardless of evidence provided, what are the other security measures that are lacking that banks should deploy ? It better be a practical one…  

I never used Western Union transfers with Scotiabank, being their client for decades. They have that feature to send funds through WU from a Scotiabank account.

The first time I tried to use WU to send funds, and it was a small amount under $1,000, my web access to Scotiabank accounts was blocked and I had to call Scotiabank to confirm it was me.
I was annoyed as hell, but now I think that was the right action on their side.

Just an example.
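The hold Alexandre describes (first use of a new channel, session blocked until the client phones in) is the kind of out-of-character check savemoresaveoften asked for, and it is independent of Norman1's point (4) about the login coming from a familiar IP. Here is an added example of such a rule set, written for this page and not taken from Scotiabank, BMO or any poster. The transaction history, the sample transactions, the rule names, the 3x amount multiplier and the "two soft signals" threshold are all constructed assumptions; the addresses are documentation ranges. The one design point worth noticing is that a familiar IP lowers nothing: as gicbits notes near the top of the thread, a trojan on the customer's own PC sends from the customer's own address, so an IP match is consistent with both the customer and the intruder.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Tx:
    channel: str   # "etransfer", "wire", "western_union", ...
    payee: str
    amount: float
    ip: str        # source address of the online-banking session


# Constructed, undisputed history for one client: routine e-transfers to two regular
# payees, always from the home connection (203.0.113.7 is a documentation address).
HISTORY = [
    Tx("etransfer", "landlord", 1200.0, "203.0.113.7"),
    Tx("etransfer", "hydro", 500.0, "203.0.113.7"),
    Tx("etransfer", "landlord", 1200.0, "203.0.113.7"),
    Tx("etransfer", "hydro", 650.0, "203.0.113.7"),
    Tx("etransfer", "landlord", 1200.0, "203.0.113.7"),
]


def assess(history, tx, amount_multiplier=3.0):
    """Return ("allow" | "step_up", reasons).

    "step_up" means hold the transaction and confirm with the client out of band
    (a call-back, or the web session blocked until the client phones in), which is
    what Alexandre ran into. Hard rules trigger on their own; soft signals need two
    together. A familiar IP is deliberately not a signal that clears anything:
    malware on the client's own PC sends from the client's own address.
    Thresholds are assumptions made for this example.
    """
    hard, soft = [], []
    if tx.channel not in {t.channel for t in history}:
        hard.append(f"first use of channel {tx.channel!r}")
    if tx.payee not in {t.payee for t in history}:
        hard.append(f"new payee {tx.payee!r}")
    typical = median(t.amount for t in history)
    if tx.amount > amount_multiplier * typical:
        soft.append(f"amount {tx.amount:.2f} is over {amount_multiplier:g}x the typical {typical:.2f}")
    if tx.ip not in {t.ip for t in history}:
        soft.append(f"session IP {tx.ip} never seen before")
    decision = "step_up" if hard or len(soft) >= 2 else "allow"
    return decision, hard + soft


# Constructed sample transactions. Note the WU case: home IP, under $1,000, still held.
SAMPLES = {
    "routine rent": Tx("etransfer", "landlord", 1200.0, "203.0.113.7"),
    "first WU transfer": Tx("western_union", "cousin-abroad", 900.0, "203.0.113.7"),
    "rent while travelling": Tx("etransfer", "landlord", 1200.0, "198.51.100.9"),
    "large new payee": Tx("etransfer", "unknown-recipient", 15000.0, "203.0.113.7"),
    "large, new payee, new IP": Tx("wire", "unknown-recipient", 15000.0, "198.51.100.9"),
}


def run_samples(history=HISTORY) -> dict:
    """Decision per sample, keyed by the sample's label."""
    return {label: assess(history, tx)[0] for label, tx in SAMPLES.items()}


if __name__ == "__main__":
    for label, tx in SAMPLES.items():
        decision, reasons = assess(HISTORY, tx)
        print(f"{label:26s} -> {decision:8s} {'; '.join(reasons) or 'no signals'}")
```

Run as-is, the routine rent payment and the same payment from an unfamiliar address both go through (one soft signal on a known payee is the travelling case AltaRed mentions), while the first Western Union transfer is held even though it is small and comes from the home IP, because first use of a channel is a hard rule. That is the trade-off the thread is arguing about: every hard rule is a phone call for some legitimate customer, and the question is which calls are worth it.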

May 4, 2024, 10:32 am | AltaRed, BC Interior (member since October 27, 2013; 3088 posts)

I suspect the majority of clients would scream bloody murder if they had to jump through extra hoops to login, or have random, potentially out of character transactions blocked until the bank could verify identity. More difficult when out of country. Clients want ease and convenience of online banking without the inconvenience of tightened security measures, and without taking extraordinary efforts and responsibility to keep their devices secure.

May 4, 2024, 11:38 am | nerdralph (member since February 11, 2023; 8 posts)

savemoresaveoften said
I believed all banks have retired the standalone physical card device u mentioned years ago. Bloomberg, IB, and employer online access used to use the electronic card / RSA that spits out a 6 digit numbers. Have not seen those for like 10years or possibly more.

I was using the HSBC OneSpan Digipass 270 until the account was ported to RBC.

May 4, 2024, 3:01 pm | rpotter28, Kingston, ON (member since March 8, 2022; 42 posts)

nerdralph said
I was using the HSBC OneSpan Digipass 270 until the account was ported to RBC.

Me too! Photo attached for the non-believers.

May 4, 2024, 6:17 pm | Norman1 (member since April 6, 2013; 7080 posts)

RBC Royal Bank offers RSA SecurID hardware tokens to their RBC Express Online Banking for business banking clients: Getting Started Guide… (June 2020).

Scotiabank as well. Their ScotiaConnect Digital Banking business banking clients can choose "extra security" with a hardware token or a digital token.
