Ottawa woman warned BMO of suspected bank fraud, still lost $15K | Page 3 | BMO | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Ottawa woman warned BMO of suspected bank fraud, still lost $15K
March 31, 2024
4:50 am
savemoresaveoften
Member
Members
Forum Posts: 2994
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Lodown said

Your connection to your bank is end-to-end encrypted at McD, Starbucks or from the comfort of your home. The risk is a man in the middle attack which allows your login credentials to be stolen. Sorry to say, this type of attack can happen at your home as well by your hacker neighbors, someone outside close to your home sitting in a car. That is why 2FA is second level of defence....never give it out if someone calls you! Oh, and to avoid most man in the middle attacks, hard wire your computer to your router ...no wifi.  

While end-to-end is true, It’s far more likely for crooks sitting at a Starbucks phishing for wifi data than outside my house. Just don’t want to give the bank the excuse when shit happens and point out that I was using a public IP and deny any claims.
Yeah my router. Is setup same room as my desktop, and I always hardwired, since it’s fastest anyway. No reason not to do that

March 31, 2024
6:36 am
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

RetirEd said

I prevent use of contactless payment with my card (if stolen) by disabling the contactless on cards whose issuers permit that.

If they won't disable it or reduce its contactless limit to or $1, one can easily find and cut the antenna wire on the card. The chip contacts will still work.

Which means, for every transaction large and small, you have to enter your card PIN number.

Now, how would that work if card is stolen after they noted PIN you entered? Here is an explanation:

Visa, MasterCard and American Express have zero-liability policies, so that if your credit card is lost or stolen, or if someone uses your credit card number to make transactions you didn’t authorize, you can usually be reimbursed.
The zero-liability policy applies to transactions made on the Internet, by phone or at retailers. However, it may exclude transactions made using a PIN (personal identification number) – for example, a cash advance made with your [stolen] card at an automated banking machine.

March 31, 2024
7:23 am
mordko
Member
Members
Forum Posts: 996
Member Since:
April 27, 2017
sp_UserOfflineSmall Offline

RetirEd said
Norman1:

If they won't disable it or reduce its contactless limit to or $1, one can easily find and cut the antenna wire on the card. The chip contacts will still work. Either a very bright backlight or careful location of the wire at the card's right edge will allow you to use either a hole punch, razor blade or drill to sever it. Been doing this since the first contactless cards; never a problem. Private Message me if you need more info on how to do this.  

Impressed.

Not sure it would work for my Apple Wallet though. Phones and watches don’t take kindly to hole punches.

Supposedly, cell phone “wallets” are safer than physical cards. Provides another layer of protection.

March 31, 2024
8:37 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

savemoresaveoften said

If one signs up for a dedicated IP address, that maybe doable ? The technology is already there for FIs to record your IP and use that for ‘trust your computer’ feature when loggin in and bypass 2FA.

That is done by a cookie in the browser not by IP address.

A static IP address is usually only available to those paying for business internet and not home internet. Even then, it is not guaranteed to never change. The ISP may need to reorganize their network or one may change ISP's.

March 31, 2024
8:42 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

RetirEd said
Norman1: Most cable home internet uses a dedicated IP address, as many users want to run a local web server, especially small businesses. …

Running a web server actually prohibited on home internet plans.

The IP address assigned by cable internet is dynamically assigned with a certain lease period. It doesn't change often because when the leased is renewed and the address is still available, then another lease is issued for the same IP address.

March 31, 2024
8:54 am
savemoresaveoften
Member
Members
Forum Posts: 2994
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Norman1 said

savemoresaveoften said

If one signs up for a dedicated IP address, that maybe doable ? The technology is already there for FIs to record your IP and use that for ‘trust your computer’ feature when loggin in and bypass 2FA.

That is done by a cookie in the browser not by IP address.

A static IP address is usually only available to those paying for business internet and not home internet. Even then, it is not guaranteed to never change. The ISP may need to reorganize their network or one may change ISP's.  

ic. But dont they send a cookie anyway even if I dont select 'trust the device' ?

i read some cookies do also store IP address as well, and all websites track IP address for visitors anyway.

March 31, 2024
8:55 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

savemoresaveoften said
Are you sure BMO do not have MFA for bank accounts that can be either email or text msg ? I find that quite impossible to believe. But I never bank with them so don’t know.

BMO does. The article says someone logged in with her credentials. The bank sent a confirmation code to the e-mail address on her account to confirm. Correct confirmation code was supplied.

Victim may claim fraud. But, the bank or a judge will be quite suspicious.

March 31, 2024
9:00 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

savemoresaveoften said

ic. But dont they send a cookie anyway even if I dont select 'trust the device' ?

i read some cookies do also store IP address as well, and all websites track IP address for visitors anyway.

The 'trust the device' cookie is a specific cookie. A site is allowed multiple cookies.

No need to keep an IP address in a cookie if the cookie has a unique ID for the visitor.

March 31, 2024
10:06 am
HermanH
Member
Members
Forum Posts: 1242
Member Since:
April 14, 2021
sp_UserOfflineSmall Offline

RetirEd said

I prevent use of contactless payment with my card (if stolen) by disabling the contactless on cards whose issuers permit that.

If they won't disable it or reduce its contactless limit to or $1, one can easily find and cut the antenna wire on the card. The chip contacts will still work.

I also thought that chip/PIN was superior to the contactless function. However, I was watching a news episode regarding skimmers and they presented an opposite viewpoint. They mentioned that the skimming technology is now so good that it is difficult to notice whether or not a machine has been tampered. In the early days of skimmer fraud, it was not difficult to know that a machine was altered. Usually, a good shake of the terminal was sufficient. One scheme even had a pinhole drilled into the pad so that a camera could steal the PIN code. Their claim was that contactless was superior to chip/PIN, since there would be no way to compromise the signal between the reader and the card. It sounded logical and made me reconsider my previous opinion.

Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

March 31, 2024
11:06 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

HermanH said

I also thought that chip/PIN was superior to the contactless function. However, I was watching a news episode regarding skimmers and they presented an opposite viewpoint. They mentioned that the skimming technology is now so good that it is difficult to notice whether or not a machine has been tampered.…

The skimming presented only skims enough info to produce a magnetic stripe card. Same with the so-called EMV bypass cloning.

There has been no cloning of the full chip card. One does not end up with a card that does chip-and-PIN or contactless payment.

April 1, 2024
8:15 am
RetirEd
Member
Members
Forum Posts: 1175
Member Since:
November 18, 2017
sp_UserOfflineSmall Offline

Alexandre: Exactly. Having to enter the PIN is safer than not having to enter it! And of course I hope all of us here are by now savvy enough to hide our numbers when typing them in. If you're REALLY paranoid you can make several backspaces and re-keys while entering it, which would be VERY hard for a shoulder surfer to track. I also use more than one finger when typing a PIN so it can be hard to tell which button I've pressed.

The credit issuer's policies may try to force us to contactless payments, but the chip-and-PIN is a superior system. Merchants should mark their mini-terminals and safely store them when not open for business.

In the case of doctored terminals, there will rarely be just one fraudulent transaction.

In many parts of the world, chip-and-pin cards are not used; they go with chip-and-signature. (I think the UK and much of the EU.)

Norman1: does the prohibition on running a server apply to home users letting friends and family fetch things from their computers, or only to commercial users? I know many clubs that run a server for members, and I haven't heard of any troubles. When the first home internet plans from Rogers and Shaw were marketed, the ability to run a home server was used as a major selling point.

RetirEd

April 1, 2024
9:15 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

For home cable internet, the prohibition on servers applied to everything including "mail, news, file, gopher, telnet, chat, web, or host configuration servers, multimedia streamers, or multi-user interactive forums."

I remember some of the home cable internet plans came with some hosted web space that one could upload content to for sharing, without having to run a server at home.

April 1, 2024
9:54 am
AltaRed
BC Interior
Member
Members
Forum Posts: 3145
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

Americans need to get with the times. No more cards with magnetic stripes and no more POS acceptance of cards with magnetic stripes. That said, there are still a few Canadian locations that I notice use the magnetic stripe only (a local car wash).

Contactless RFID technology is safest and I use that methodology where possible. All 5 (4 raised + 1 flat) of my cards fit in a Secrid RFID wallet. https://unluggage.com/collections/secrid/products/secrid-card-protector They can often be found on sale for under $30. I have been using this for several years.

Chip + PIN is the next best alternative.

All said though, this thread has gotten derailed from the original subject. I cannot imagine that Ottawa woman has any ground to stand on as Norman1 has already pointed out in post #47.

April 1, 2024
1:36 pm
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

RetirEd said
Alexandre: Exactly. Having to enter the PIN is safer than not having to enter it!

It is the other way around.

"Tap to pay" transactions covered by zero liability policy. Fraudulent transactions will be refunded.
"Chip and PIN" transactions are excluded from zero liability policy. Fraudulent transactions involving PIN may or may not be refunded.

With current generous limits, I almost never have to enter PIN. You do enter PIN for every transaction you make.

April 1, 2024
3:46 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3145
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

RetirEd said

In many parts of the world, chip-and-pin cards are not used; they go with chip-and-signature. (I think the UK and much of the EU.)  

That is pretty useless since anyone can forge a signature. The USA is worse. Purposely when in the USA, when I sign a charge slip (where they do not use chip and PIN), I have scrawled a useless scrawl that bears no resemblance to my signature. Not once has it been questioned or have I been asked to show them the signature on the back of the card. It leaves me speechless!

April 1, 2024
9:19 pm
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

That does not appear to be factually accurate.

Europe is mostly chip-and-PIN. Articles like The Guardian (January 20, 2019): How shops sign away the self-worth of disabled people describe discrimination in Europe against those who can’t memorise or can’t key in a PIN by merchants who refuse to accept the domestic chip-and-sig cards issued to such people.

Chip-and-sig cards seem to be a US phenomenon. Travel articles like Do I Need a Chip-and-PIN Credit Card in Europe? suggest it is a good idea for people to have a chip-and-PIN card when travelling to Europe.

Most merchants in Europe are set up to accept chip-and-PIN cards, which means they aren’t always used to dealing with chip-and-signature cards.

In fact, on a recent trip I took to England, I only had a chip-and-signature card and it created a lot of hassle. A lot of the stores that I went to didn't even have pens at the register for me to sign receipt slips with, so there was a scramble to find a pen until I began carrying one with me everywhere.

And, in some cases, not having a chip-and-PIN card can make it impossible to enter into a transaction at all. The self-checkouts in the supermarkets in England, for example, were not equipped to accept chip-and-signature cards -- a fact I learned when the machine started blaring after I inserted my card and a store manager had to come over to resolve the problem.

April 1, 2024
9:51 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3145
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

Now that you mention it, I agree the European merchants I used to frequent years ago used Chip and PIN. I haven't been to Europe since well before covid so I had forgotten.

April 2, 2024
6:45 am
RetirEd
Member
Members
Forum Posts: 1175
Member Since:
November 18, 2017
sp_UserOfflineSmall Offline

Looks like times have changed.

RetirEd

April 2, 2024
7:17 am
Norman1
Member
Members
Forum Posts: 7204
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

It is also not that important whether the chip card is one that requires a PIN or not.

Most of the security improvement of the EMV cards come from having the chip that produces a dynamic card-specific authentication code instead of a magnetic stripe that has a static CVV code.

April 3, 2024
12:28 pm
MDJ
Member
Members
Forum Posts: 52
Member Since:
March 14, 2024
sp_UserOfflineSmall Offline

Just logged into my BMO account. Seems to be an added level of security to login and you have to acknowledge that you will not give the "code" to any one else.

No permission to create posts

Please write your comments in the forum.