5:08 am
May 20, 2016
It's still a mystery how this happened. The bank blamed the client but the client insists that she didn't share any account information with anyone. Another inside job?
https://ottawa.ctvnews.ca/ottawa-woman-warned-bmo-of-suspected-bank-fraud-still-lost-15k-1.6821464
6:18 am
November 8, 2018
Exactly how the scammers gained access to her account has not been conclusively explained but the bank says there is no way the fraudulent transaction could have gone through without Lemay's bank card number, password, and the one-time passcodes.
I would love to see some sort of law or regulation which will make the bank refund a disputed transaction 100% unless the bank can provide the exact steps of how someone accessed the account, including the IP address(es) logins were made from, the device type, whether it was app or Web access, and the phone number to which one-time passcodes were sent.
Banks must have that info already, they must already collect and archive it, but unless they are required to provide that info they would not bother.
6:50 am
January 3, 2009
Alexandre said
Exactly how the scammers gained access to her account has not been conclusively explained but the bank says there is no way the fraudulent transaction could have gone through without Lemay's bank card number, password, and the one-time passcodes.
I would love to see some sort of law or regulation which will make the bank refund a disputed transaction 100% unless the bank can provide the exact steps of how someone accessed the account, including the IP address(es) logins were made from, the device type, whether it was app or Web access, and the phone number to which one-time passcodes were sent.
Banks must have that info already, they must already collect and archive it, but unless they are required to provide that info they would not bother.
Great idea, but that would hurt profits, shareholders and political contributions
7:08 am
November 8, 2018
phrank said
Great idea, but that would hurt profits, shareholders and political contributions
Agreed. That's why it must be the law or mandatory financial regulation.
This lady might not be IT competent enough to understand all that IP address mumbo-jumbo, but even she could have shared detailed info from the bank with someone who can, and gotten answers.
It is a very interesting case. They claim remote access (not ABM withdrawal), they claim security codes sent by SMS - so from which IP address, to which phone number?
From the initial looks of it, it sounds like an inside job at the FI, someone cloning/copying the card number, password and PIN while they are issued to the client, but a security code sent by SMS requires access to the phone number. That does not fit the inside job definition.
7:27 am
March 30, 2017
The Amazon Prime scammer phone call has nothing to do with how her account was hacked. A voice phone call is not possible to fish any info out of her, unless she gave it away which she said she did not.
This story is weird and there is more to it, I believe. It is a pure coincidence that it seems to be connected. And the money was withdrawn right when a branch changes her card# etc etc, and the scammer was able to produce the proper one-time passcode too?! Did she check if it's still the correct phone number listed for authentication??
7:36 am
November 5, 2022
Yikes the bank is refusing to pay her the lost 15K.
It could also have been a trojan or keylogger she downloaded, or phishing, which captures all of your log-in data, so then the crooks can access the accounts.
So basically if your computer gets hacked, and the criminals steal your money, tough luck for you.
Time to turn off Global money transfer if possible, and accounts really need to be locked down.
8:12 am
November 5, 2022
Trying to turn OFF Global Money Transfer as don't need it, the CSR says they cannot turn it off.
You cannot even set a limit of $10 or something to control it!
And the CSR says "everything will be fine as long as you don't use it, or misuse it".
Meanwhile there is no limit to the Global Money transfer, unlike the 3K Interac for security. So it's a wide open back door to empty your account if someone hacked into your bank account by stealing passwords with a keylogger or trojan.
The banks are getting worse and worse, that is for sure.
Put in an official complaint about it, but expect they will say take a hike. So the bank puts a wide open back door to empty your account, and won't remove or control it.
8:15 am
November 8, 2018
InterestThis said
Time to turn off Global money transfer if possible, and accounts really need to be locked down.
As I read through Global Money Transfer FAQ, I am having more questions:
Are there any transaction limits on Global Money Transfers? How much money can I send?
The minimum transfer amount is C $100 and the maximum amount depends on your daily debit card limit.
I doubt her debit card has an $11,000 daily limit - this is how much was transferred from her account in one Global Money transfer.
8:33 am
November 5, 2022
It also depends on the bank, Simplii Global transfer is 50K and you cannot limit it!!
It should be set to the debit limit, but of course they don't want to have to pay staff to over-ride those limits. They want everything done by the magic of AI.
So for Simplii, at this point it cannot be trusted, as if someone stole your credentials, they could move 50K offshore, and the bank will not reimburse you, as you got hacked.
So Simplii is not secure up to 50K by this criteria.
It appears Tangerine does not allow Global transfer, so that is good. Just need a separate bank account for Global transfer, and if you ever need it, move the money in, then keep the account basically empty.
9:27 am
November 5, 2022
Actually the Simplii CSR told false info, it's not 50K.
It's 75K per day per account, so if a person got hacked with a trojan keylogger, in theory the criminal could move 150K offshore very easily.
The banks must make good money on the FX conversion, and hey if you get scammed that is your fault.
Isn't it interesting that domestic transactions can be capped at lower amounts even though they are more secure. Perhaps the domestic laws require this, but once it's global you are on your own.
Simplii Financial Global Money Transaction Limits
https://www.payments.simplii.com/assets/documents/rates_en.pdf
10:32 am
April 6, 2013
savemoresaveoften said
The Amazon Prime scammer phone call has nothing to do with how her account was hacked. A voice phone call is not possible to fish any info out of her, unless she gave it away which she said she did not.
This story is weird and there is more to it, I believe. …
I agree. Her recounting of what happened is not believable.
People don't waste their time going to their bank branch to get new cards and reset passwords each time they receive an Amazon Prime scam call. She warned the bank of nothing.
For a $11,000 transfer to another country, BMO would likely have sent a two-factor SMS or e-mail code to confirm.
The Ottawa $14,500 victim's story in the Ottawa Citizen article that InterestThis mentioned is likely what actually happened.
10:41 am
May 20, 2016
An even more bizarre case.
That money, she said, was stolen even though the society’s account had a new bank card and a new password, neither of which she had used online.
“They weren’t entered or stored on my computer and I hadn’t told anyone the numbers,” Frederking insisted. “I have the only bank card. The other signing officer for our society doesn’t have a card.”
11:07 am
November 5, 2022
There can be browser-based JavaScript trojans that can keylog. It's pretty easy to get hacked. Never mind all of the holes in mobile devices. If they hack into an account they can change the devices, or probably even spoof them.
If this keeps getting worse, for those with some money, it might be a good idea to have it offline in bulk, or have a separate device only for banking. But even then.
It would be interesting to have an account only accessible from your home IP address for example, but probably not doable.
Frankly Scarlett, the big banks don't give a damn. It's a numbers game of risk.
11:50 am
April 6, 2013
davidgeorge said
An even more bizarre case. That money, she said, was stolen even though the society’s account had a new bank card and a new password, neither of which she had used online.
“They weren’t entered or stored on my computer and I hadn’t told anyone the numbers,” Frederking insisted. “I have the only bank card. The other signing officer for our society doesn’t have a card.”
It is bizarre if the treasurer's claims are true.
But, unfortunately, an occasional volunteer treasurer is not really volunteering as in the case of one who ripped off a hockey club of $48,000+:
We'll have to see when more details come out whether there is an issue at BMO or with the treasurer.
8:36 am
May 20, 2016
Claim of etransfer theft prompts class-action suit against BMO
'It's just strange that all of these people in the last year or two have suffered from this,' says woman organizing the lawsuit, despite bank ombudsman saying BMO Canada is not to blame
10:04 am
March 30, 2017
Norman1 said
InterestThis said
It would be interesting to have an account only accessible from your home IP address for example, but probably not doable.
Not doable. Home IP address is not fixed. Mobile phone IP address is not fixed either.
If one signs up for a dedicated IP address, that may be doable? The technology is already there for FIs to record your IP and use that for the ‘trust your computer’ feature when logging in to bypass 2FA.