4:15 pm
October 27, 2013
9:48 am
May 20, 2016
140 BMO customers say they lost $1.5M in transfer frauds, plan to sue bank
https://www.cbc.ca/news/canada/toronto/bmo-customers-lost-1-5m-plan-to-sue-1.7169622
11:25 am
October 27, 2013
I suspect this is prevalent among all the big banks but the media story has not yet developed enough. These folks will not be successful if the fraud was perpetrated from their own devices, especially with 2FA responses, and from their IP addresses.
However, it seems odd to me BMO's security algorithms would not eventually flag multiple unusual transactions that are not part of a customer's pattern of use. Credit card companies have pretty sophisticated algorithms.
FWIW, every outgoing transaction in my bank accounts has security alerts set up to both email and SMS text (if both are available) for every type of outgoing transaction that I can. I think every FI provides the options for ATMs, Bill Payments and e-transfers but not all might have it for Global Transfers. I have not checked to be sure.
12:25 pm
April 27, 2017
If etransfer was used then defrauded customers must have received an email notification after each transaction. Did they raise alarm after the first transaction?
Preventing phishing attacks from someone who knows your social media friends and relatives can be really tough. Closing public access to that kind of information must be the first line of defence.
Completing training courses on phishing is well worth it.
Another inevitable question is whether some of these were “inside jobs”. That's a scary thought.
3:52 pm
November 5, 2022
4:35 pm
October 27, 2013
7:23 am
November 8, 2018
AltaRed said
FWIW, every outgoing transaction in my bank accounts has security alerts set up to both email and SMS text (if both are available) for every type of outgoing transaction that I can. I think every FI provides the options for ATMs, Bill Payments and e-transfers but not all might have it for Global Transfers. I have not checked to be sure.
Not all FIs provide options for these types of notification, but even when they do - money could leave your account too fast for you to act.
https://calgary.ctvnews.ca/bank-scam-victims-say-more-needs-to-be-done-to-protect-deposits-1.6844036
From that link:
On June 13, 2023, she got an email notification that her e-transfer had been accepted.
Then another, and another. Ten within three minutes, for a total of $10,000.
"There were 10 e-transfers sent from 9:20 in the morning to 9:23. And I caught it at like 9:25," Mayne said.
She says her daily transfer limit was set at just $3,000 – she later found it had been more than tripled the day before.
8:39 am
October 27, 2013
Okay, I understand that once someone has the right login credentials, alerts wouldn't have worked in this instance. BUT someone representing her with her correct login and security credentials had the e-transfer limit raised.
It keeps coming back to people who are not taking ownership for the integrity of security on their devices, including malware such as keyloggers.
I would like this case to actually go to court and see all the gory details to be spilled. It might be the only way to encourage improvement of security algorithms on the bank's end and wish-beyond-wish that people will take more responsibility for security of their devices. The amount of sophisticated phishing that comes to me via SMS texts and emails almost every day is astounding. People have to stop clicking on links!
P.S. Another mitigation option: Don't do business with FIs that do not have all the right security selection options in place. FWIW, BMO has a ton of them if people would be willing to avail themselves of them.
9:47 am
April 14, 2021
If BMO is forced to accept security responsibility for user computers, they might just demand the full authority to scan or administer your computer altogether. Can you imagine granting authority to a bank for access to your computer 24/7 to maintain your security? Some might regard it as beneficial to have their own IT department. However, that IT department can snoop on your entire computer, too.
10:07 am
November 5, 2022
Again missing the point for some reason.
Banks need to be forced to allow people to put certain limits on their accounts, and to disable things like Global Money transfer if they don't want it. They need to increase security.
But banks do not want to do this, as it costs them more labour costs to deal with customers, and validating them, it's more friction.
The banks want to move everything to AI and if you get robbed for 100K, tough for you.
BMO has absolute gaping holes in their security, and yet people are still defending them. Better hope it doesn't happen to you for some karma.
11:22 am
March 30, 2017
InterestThis said
Again missing the point for some reason.
Banks need to be forced to allow people to put certain limits on their accounts, and to disable things like Global Money transfer if they don't want it. They need to increase security.
But banks do not want to do this, as it costs them more labour costs to deal with customers, and validating them, it's more friction.
The banks want to move everything to AI and if you get robbed for 100K, tough for you.
BMO has absolute gaping holes in their security, and yet people are still defending them. Better hope it doesn't happen to you for some karma.
Well, if one chooses not to sign up for email/text alerts, not activate MFA, it's their fault, plain and simple. It's a very black and white case, not grey as the victims try to portray. If there is a grey area, it may be if someone gets malware on their device and how the crooks can use the same psd, pass MFA and even matching IP. But any sane judge cannot rule the bank is responsible for someone's device being hacked!
We are banking in the 21st century, can't just cry "foul, I don't know, I am the victim". I will be pissed if banks just cover 100% of the losses for the victims regardless. Would love to see the cases go to court and have the judge throw everything out and draw the line that the customers need to take ALL precautions first and foremost.
It is indeed a good idea that a customer should be able to set and turn off features like global money transfer, set low etransfer limit etc. But that still won't prevent the cases when someone just got malware on their device and hackers are able to take over.
11:45 am
April 27, 2017
Not sure I understand what would be the point of disabling Global Money transfers.
Before transferring, one has to add recipient details, complete 2FA, etc. If a malicious actor can do all that then he can surely enable Global Transfers in the first place. Or he can use another Canadian account for moving money, eg with one of numerous international money transfer companies like Wise.
11:54 am
October 27, 2013
I agree with post #71 and #72. It is the user's responsibility to lock down their devices and protect them from malware.
Contrary to what post #70 says, there are lots of tools provided by BMO for security. It is a matter of users making some effort. What is hard to understand about this? https://www.bmo.com/en-ca/main/personal/security-centre/
And this? https://www.bmo.com/en-ca/main/personal/security-centre/security-tips/
12:18 pm
April 27, 2017
This court case is probably a good thing. Hopefully we’ll find out the actual mechanism for money leaving the accounts and whether there was a specific action by individuals which left accounts vulnerable. Also, if the bank left its system vulnerable.
My wife was a victim of something similar a couple of years ago with Meridian. It was a freshly opened account. Suddenly she received hundreds of spam emails within a short period of time. Then she got a message about this etransfer, I think it was $2K. Thankfully she spotted this notification email among all the spam. We got on the phone with Meridian. While we were on the phone talking to the rep who was in the process of locking it, we saw the account balance change as two more transactions left the account.
Meridian refunded the funds. No quibbling. We had laptops and phones checked professionally. No malware identified. I can’t help suspicions that this was an inside job.
1:27 pm
November 8, 2018
mordko said
This court case is probably a good thing. Hopefully we’ll find out the actual mechanism for money leaving the accounts and whether there was a specific action by individuals which left accounts vulnerable. Also, if the bank left its system vulnerable.
Exactly. We are not talking about the type of scams here where someone is tricked into moving their money to bitcoins and sends them somewhere.
What happens here has (or must have) an electronic trail. The recipient of any bank transfer, bill payment, Interac transfer, and especially domestic, should be known to the bank where that recipient is.
Banks must improve their funds recovery policy, it is terribly lacking at this point. Even if funds were moved as a result of a fraud, telling bank customer "money has left your account, we can do nothing about it" is unacceptable.
11:00 pm
November 18, 2017
Financial Institutions love trying to download responsibility to clients. Many say it is the responsibility of the client to keep up to date on the latest security information. And, to be sure, there's no way the FI can protect unknown systems from attacks... but security is a constantly-evolving cat-and-mouse game that most "normal" people simply have no hope of winning.
At the least, new or zero-day attacks that are the result of poor planning or attention to detail by the FI should be refunded.
As you all probably know by now, my approach is to not allow any online access to my accounts. And anything done by FI employees rather than myself is easy to blame on them, not me.
Nothing's perfect. I do what I can.
RetirEd
4:52 am
March 30, 2017
RetirEd said
most "normal" people simply have no hope of winning.
The definition of a "normal" person who does banking in the digital world we are in needs to be very different from a "normal" person when there were only physical branches and ATMs. Can't use "I don't know, don't understand technology" as an excuse and not own up to one's mistake.
7:40 am
November 8, 2018
RetirEd said
As you all probably know by now, my approach is to not allow any online access to my accounts.
If you have an account with an FI, it is set for online access. I don't know FIs that don't offer online access. Even if you haven't configured it, someone with enough information about you could configure online access to that account, without your knowledge.
That someone will appreciate that you check your account status monthly only, when you receive a bank statement by snail mail.
Also, can you explain how are you paying bills, set pre-authorized withdrawals such as property taxes, receive pension, do grocery shopping?
7:56 am
April 27, 2017
Alexandre said
RetirEd said
As you all probably know by now, my approach is to not allow any online access to my accounts.
If you have an account with an FI, it is set for online access. I don't know FIs that don't offer online access. Even if you haven't configured it, someone with enough information about you could configure online access to that account, without your knowledge.
That someone will appreciate that you check your account status monthly only, when you receive a bank statement by snail mail.
Also, can you explain how are you paying bills, set pre-authorized withdrawals such as property taxes, receive pension, do grocery shopping?
Yes, good question. ATM, cash, cheque, in person payments using physical cards? All of these methods have their risks.
9:24 am
April 6, 2013
RetirEd said
Financial Institutions love trying to download responsibility to clients. Many say it is the responsibility of the client to keep up to date on the latest security information. …
Responsibility has always been a shared one. Client can't be irresponsible, suffer a loss, and expect the financial institution to make up the loss.
Cases like this show that some clients don't take their share of the responsibility seriously:
OBSI: Giving Your PIN to Your Friend
Posted Friday, November 12, 2004
A client and his friend went to a night-club one evening after having several drinks at home. The client was intoxicated by the time they arrived at the club, but he ordered and paid for a round of drinks. He then left his wallet containing his bank debit card on the table while going to the washroom. When the client returned to the table he did not notice that his wallet was gone. Shortly afterwards, the client and his friend left.
The next morning, the client realized that his wallet was missing and reported it to the police and to his bank. The bank immediately cancelled the debit card, but $800 had already been withdrawn from the client's bank account.
The client later identified his friend as the thief from photographs taken by a security camera at an automated banking machine.
When the friend was interviewed, he told us that during the evening the client had boasted that he had plenty of money in his account and had told the friend his PIN. The client denied informing his friend of his PIN, but admitted that he had been intoxicated and did not recall many of the events of that evening at the night club.
It was a clear case of failing to protect the PIN by the client, and we did not recommend that the bank reimburse the client.
(2004)
Some clients will go as far as lying afterwards about the bank staff not warning them about possible fraud:
OBSI: Senior Falls Victim to the Grandparent Scam
Posted Thursday, July 18, 2019
Key lessons
- Bank staff are aware of the tactics commonly used by scammers and will do their best to warn customers when they suspect fraud is taking place. If your bank warns you about a transaction you are trying to complete, have an open mind and take their warnings seriously.
- The bank is not responsible for losses that result from a consumer’s own actions.
An elderly woman, Ms. W, had a grandson living overseas.
In September, Ms. W received a phone call from her grandson, who had been teaching English in South Korea. He indicated that he wished to move to China to continue teaching, and requested financial assistance from his grandmother for the move. As she was close with her grandson and helped raise him after the death of his mother, Ms. W wanted to help. Through her local bank branch, Ms. W sent a wire transfer to her grandson for $35,000.
In October the grandson phoned again, telling Ms. W he had been in a car accident, arrested for drunk driving, and needed bail money to get out of jail. In a later call he told her he needed additional money for legal counsel. Concerned for his safety and well-being, Ms. W wired additional money to China. Combined with the original transfer, Ms. W sent $123,000 to her grandson.
At Christmas, Ms. W's grandson came to visit. When asked about his troubles, the grandson said he had not relocated to China, had not been in an accident, had not been in jail, and had not called asking for money. Ms. W realized she had been the victim of a fraudster. She immediately notified her bank, but the criminals had disappeared and the bank was unable to retrieve any of the money.
Ms. W complained to her bank that they did not properly inform her of the risks associated with the wire transfers, and demanded compensation for her losses.
The bank declined. It explained that bank staff had cautioned Ms. W about the possibility of fraud and even offered ways to mitigate the risks on numerous occasions, to no avail. Unsatisfied, Ms. W brought her complaint to OBSI.
Complaint not upheld
During our investigation, we interviewed bank staff who recalled raising a number of concerns with Ms. W.
Ms. W had instructed the bank to prepare wire transfers to recipients other than her grandson. She had told bank staff that her grandson could not travel to a bank and that the money would instead be delivered by a friend. Bank employees were wary of this story and explained to Ms. W that fraudsters often employed such tactics. They suggested that Ms. W, at a minimum, include her grandson's name in the payment order or send the funds to him “in trust”. However, Ms. W declined to take these precautions.
Each time Ms. W went to her bank to make another transfer, branch staff asked if Ms. W had confirmed that her grandson received the money. They also repeatedly warned of the possibility of fraud. Each time, Ms. W indicated her grandson had received the money.
Our investigation concluded that the bank acted appropriately. It had warned Ms. W multiple times that sending the money via wire transfer as she had instructed would leave her vulnerable to fraud. The bank also provided advice on how Ms. W could mitigate the risk, advice that was ignored. OBSI did not recommend the bank compensate Ms. W for her losses.