7:59 pm
March 30, 2017
Alexandre said
I never used Western Union transfers with Scotiabank, being their client for decades. They have that feature to send funds through WU from Scotiabank account.
First time I tried to use WU to send funds, and it was a small amount under $1,000, my web access to Scotiabank accounts was blocked and I had to call Scotiabank to confirm it was me.
I was annoyed as hell, but now I think that was the right action on their side. Just an example.
That’s quite different. You are authorizing WU to access your Scotiabank account. That transaction is way more suspicious than an EMT or wire transfer initiated by someone logging into the bank account, with correct password, got 2FA verified, AND from the same IP address that the customer commonly uses. If I am doing EMT to someone new, I will be annoyed if my bank declined it every single time and called me for confirmation….
8:56 am
March 20, 2024
savemoresaveoften said
While it may seem easy for the bank to blame the client, the evidence is such that all security measures in place have met the requirement, including 2FA AND matching IP. A client will still blame the bank even if physical RSA type dongle is used. As long as the transaction is not initiated by the client, client points finger at bank. I would love to hear from those that side with the victim 100% regardless of evidence provided, what are the other security measures that are lacking that banks should deploy? It better be a practical one…
Security is a "dynamic situation" and therefore banks need to continually make adjustments. No matter what security measures banks put in place, it's only a matter of time for fraudsters to find a way to circumvent them. Blaming clients for security breaches is an indication of laziness and poor judgement and it will hurt a bank in the end. Just look at the very bad publicity the latest cases have caused BMO. Remediating the bad press will definitely cost them much more than the total $1.5 M loss reported by several clients. It's not safe to assume that clients are IT security experts, banks are the actual security experts! However, it boggles the mind that in this day and age BMO still uses email for 2FA. Clients who do not feel secure about this actually need to call BMO to request disabling email 2FA. Disabling can be done by the bank only by removing the client's email address from their client's profile. Following this, BMO cannot communicate with their client via email because they no longer have their email address!! Also, a client who tries to reduce their risk, e.g., by requesting from their bank to disable Global Money Transfer in their account or to at least cap it at a small amount, instead of the ~$100 K default cap, will be told by most banks that this is NOT possible!
10:59 am
March 30, 2017
tanitype said
Security is a "dynamic situation" and therefore banks need to continually make adjustments. No matter what security measures banks put in place, it's only a matter of time for fraudsters to find a way to circumvent them. Blaming clients for security breaches is an indication of laziness and poor judgement and it will hurt a bank in the end. Just look at the very bad publicity the latest cases have caused BMO. Remediating the bad press will definitely cost them much more than the total $1.5 M loss reported by several clients. It's not safe to assume that clients are IT security experts, banks are the actual security experts! However, it boggles the mind that in this day and age BMO still uses email for 2FA. Clients who do not feel secure about this actually need to call BMO to request disabling email 2FA. Disabling can be done by the bank only by removing the client's email address from their client's profile. Following this, BMO cannot communicate with their client via email because they no longer have their email address!! Also, a client who tries to reduce their risk, e.g., by requesting from their bank to disable Global Money Transfer in their account or to at least cap it at a small amount, instead of the ~$100 K default cap, will be told by most banks that this is NOT possible!
Agree with you banks should allow customers to disable global money transfer completely.
A client using online banking takes responsibility for their security, whether they are IT expert or not is not an excuse.
As for email 2FA, I exclusively use text 2FA to my phone only, even tho my email is with the bank as well. I believe text msg 2FA is the bank's preference as well, since it's more secure, but some customers insist on email cuz they don't want to pay for text message cost etc. I guess those customers can request the physical dongle...
Once again, if a login passes the password check, passes the 2FA, and is also coming from a familiar IP the customer uses, there is zero reason for the bank to "suspect" it's a fraudster. A customer cannot be protected like a bubble boy.... let's be real....
11:14 am
April 14, 2021
savemoresaveoften said
Agree with you banks should allow customers to disable global money transfer completely.
As a potential user-control, a registered letter to the bank president detailing the security concerns for your refusal to ever use service XXX (i.e. global money transfer) and for them to never allow this transaction may offer some protection. Even though the bank may refuse to disable the service, your notification can only help you on legal grounds.
Of course, the bank may simply not want your patronage, either, and just exercise its legal right to close your accounts.
11:29 am
April 6, 2013
tanitype said
… Just look at the very bad publicity the latest cases have caused BMO. Remediating the bad press will definitely cost them much more than the total $1.5 M loss reported by several clients. …
No need to remedy the bad press when it isn't the bank's fault. In fact, the press may be beneficial to all the financial institutions by causing more people to take their responsibility in securing their online banking access more seriously.
… Also, a client who tries to reduce their risk, e.g., by requesting from their bank to disable Global Money Transfer in their account or to at least cap it at a small amount, instead of the ~$100 K default cap, will be told by most banks that this is NOT possible!
Won't reduce risk. Anyone who can login with the correct account, correct password, correct one-time two-factor number, and from a regularly-used IP address by the client can do so and request that the feature be switched back on.
12:03 pm
November 5, 2022
For example, Simplii will not allow you to disable Global Money Transfer, even though it creates an open backdoor to your account. They literally will not allow you to turn it off, or even limit it.
If in fact you click on it, and ask to turn it off, then they start spamming you with auto-emails encouraging you to use it!
And when you file an official complaint with Simplii, 6 weeks after you filed the complaint and it's registered as a complaint, they have still not gotten around to addressing your complaint.
That is the reality of these banks, they do not care about your interest in security, they care about cutting their labour costs.
For Simplii the only thing to do is to limit the account as much as possible, and to not keep much money in it.
Bottom line, it's much cheaper for banks for some customers to get scammed, than to add much higher security. And they don't want to acknowledge there is a security problem, as Class Action lawsuits are in process.