9:37 am
October 27, 2013
In almost every situation, the client has done something inappropriate: Shared a PIN or had an easy PIN like 1234, does not run malware sweeps regularly or automatically on their devices, has easy passwords for email and banking, does not have the wide range of alerts set up on their email and financial accounts to alert of any activity or change in account, does not use MFA/2FA, or uses public computers for email and banking, and first and foremost cannot resist the tendency to click on unsolicited links in their text messages and email that puts malware on their devices to begin with!
10:02 am
July 5, 2019
I don't think anyone should be too confident their computer doesn't have malware. Consider the SolarWinds supply chain attack. The update was hacked. You dutifully applied the update, best practices after all, and now you have loaded up malware.
Geez, even a technician could load a keylogger on your machine, if they will snoop in your photos, I don't think it is not a possibility.
12:54 pm
March 30, 2017
kelbee said
I don't think anyone should be too confident their computer doesn't have malware. Consider the SolarWinds supply chain attack. The update was hacked. You dutifully applied the update, best practices after all, and now you have loaded up malware. Geez, even a technician could load a keylogger on your machine, if they will snoop in your photos, I don't think it is not a possibility.
It certainly is possible but those cases are rare and NOT how the majority of people got malware on their devices. Basically everyone who got scam money will always cry foul and claim they do nothing wrong. Otherwise can’t really portray themselves as the victim that deserves compensation…
1:50 pm
November 5, 2022
It's pretty shocking when some people blame the victims of serious financial crime, for the crime. It's like blaming the victim of a home invasion for not having a house made of steel, or a car-jacking victim for being in a car, they should stay home right?
These people are victims of very serious and sometimes sophisticated financial crimes, some using invisible malware to steal their credentials and spoof their identity.
It is 100% up to the banks to massively increase their own security in every way possible to reduce this.
It's like when Microsoft Windows was getting hacked daily, until MS was forced to fix it.
But no, banks like Simplii Financial literally won't even respond to people within 30 days to remove the Global Financial Transfer backdoor from their account. Banks do not care, they don't want to pay for staff, they want to eliminate staff and use AI.
And they want to blame the victims of financial crime for the crime. Like some are doing here, which is not surprising based on a general self-centered arrogance that it could not happen to them.
3:27 pm
April 27, 2017
savemoresaveoften said
It certainly is possible but those cases are rare and NOT how the majority of people got malware on their devices. Basically everyone who got scam money will always cry foul and claim they do nothing wrong. Otherwise can’t really portray themselves as the victim that deserves compensation…
They are still victims of crime and can rightly portray themselves as such. Obviously.
Whether they did something wrong or not - I have no certainty one way or another. It's true that self-interest would make them blame the bank. Equally true that the bank would try to absolve itself of responsibility. I have no way of knowing what actually happened. A good court case might help to find out who is closer to the truth.
4:37 pm
September 11, 2013
Exactly, making the claim that you are a victim doesn't make it so.
I wish some of the folks on here were running a bank, sounds like I could secretly give a friend or relative my password for him to empty my account and then go to the bank (or maybe to media first!) to be fully compensated as a "victim of fraud" based just on my version of events.
4:50 pm
November 8, 2018
Does car insurance cover a stolen car even if you left your keys in it?
Whether you left your vehicle unlocked, have a spare key in your glove compartment, or even left the keys in the ignition, in most cases, your claim will be settled.
Society in general seems to be OK with that, when it is car theft. Why are we not on the same page when it is money theft from someone's bank account?
5:00 pm
March 30, 2017
Alexandre said
Does car insurance cover a stolen car even if you left your keys in it?
Whether you left your vehicle unlocked, have a spare key in your glove compartment, or even left the keys in the ignition, in most cases, your claim will be settled.
Society in general seems to be OK with that, when it is car theft. Why are we not on the same page when it is money theft from someone's bank account?
If insurance can prove that you purposely left the car not locked and key readily available, do you think insurance will reimburse the theft?
In some cases, the withdrawal happened after successful MFA, or even from the trusted IP, the bank has to draw the line that it passed all the tests as a legit withdrawal, thus no compensation, same diff.
5:00 pm
October 27, 2013
kelbee said
And if a bug in your operating system allows for exploitation by malware, yet the bug has yet to be patched, if even known of, then that should not be on the bank customer. Which may make one worry about all the bugs lurking in bank systems.
It is also not the bank's fault if the compromise is in the client's OS system. One needs to remember that banking online is encouraged by the banks but it is not mandatory. If the bug is in the bank's IT systems, then they take responsibility.
We all take varying degrees of risk 24 hours each day, some with almost zero probability and others considerably more (such as driving on our streets and highways). It is up to us to do what we can to mitigate those risks. No driving during rush hour perhaps, or not during rain and snow storms. It is not the city's fault that it is snowing and the streets are slippery.
We mitigate our online risks by practicing safe browsing and using the security and notification tools that are available. It is in our best interests to do so and time to stop blaming others for our failings, particularly when the evidence shows otherwise.
8:58 am
November 18, 2017
Alexandre:
If you have an account with an FI, it is set for online access. I don't know FIs that don't offer online access. Even if you haven't configured it, someone with enough information about you could configure online access to that account, without your knowledge.
I make sure that there is NO online access configured and notes on my accounts to not allow it. I originally signed up for Peoples Trust precisely because they had no on-line access back then!
I do use call-in and touch-tone banking, though one FI uses the same code for touch-tone and on-line, and I can't use touch-tone there as a result. Could someone get enough info to enable on-line banking? Perhaps, though it's getting harder with more questions asked. I also have strong verbal passwords (never recorded anywhere except in one-time-pad encrypted form) wherever they are in use. In one case, I had the agent create a random password by flipping to random pages in the manual nearest them, not tell me what it was, and put notes on my account to that effect.
That someone will appreciate that you check your account status monthly only, when you receive a bank statement by snail mail.
I do call in or use touch-tone banking to check accounts regularly, reconciling when the statements arrive.
Also, can you explain how you are paying bills, setting pre-authorized withdrawals such as property taxes, receiving pension, doing grocery shopping?
The same way I always had before the on-line cesspool! I don't use pre-authorized regular payments, paying my bills individually and checking account statuses when I do. Direct debit/credit I call in for. My credit (or debit) card works just fine for shopping. I get my pensions by cheque; they keep bugging me for direct deposit but I say no. I never shop on-line or click on pop-ups or spam.
There's only one payor who refused to send cheques, and I set up a separate account just to receive their cash. As soon as it shows up (by touch-tone) in the account at the predictable date, I drop a cheque off in my local ATM (a short walk) to suck it out. There's never any money there but for an inaccessible account that requires special authorization for withdrawals, which can take a month to fulfill. That keeps them happy with me as a customer though they get no fees from me.
Most of my financial institutions are only used for GICs, only requiring occasional monitoring.
I know I'm not bulletproof, but I do what I can (unless I've exposed too much here...). Oh, and those contactless payments that are guaranteed for zero-loss protection - that's only at the bank's discretion! I'd much rather use a PIN.
RetirEd
10:19 am
March 30, 2017
3:28 pm
April 27, 2017
RetirEd said
Alexandre:
If you have an account with an FI, it is set for online access. I don't know FIs that don't offer online access. Even if you haven't configured it, someone with enough information about you could configure online access to that account, without your knowledge.
I make sure that there is NO online access configured and notes on my accounts to not allow it. I originally signed up for Peoples Trust precisely because they had no on-line access back then!
I do use call-in and touch-tone banking, though one FI uses the same code for touch-tone and on-line, and I can't use touch-tone there as a result. Could someone get enough info to enable on-line banking? Perhaps, though it's getting harder with more questions asked. I also have strong verbal passwords (never recorded anywhere except in one-time-pad encrypted form) wherever they are in use. In one case, I had the agent create a random password by flipping to random pages in the manual nearest them, not tell me what it was, and put notes on my account to that effect.
That someone will appreciate that you check your account status monthly only, when you receive a bank statement by snail mail.
I do call in or use touch-tone banking to check accounts regularly, reconciling when the statements arrive.
Also, can you explain how you are paying bills, setting pre-authorized withdrawals such as property taxes, receiving pension, doing grocery shopping?
The same way I always had before the on-line cesspool! I don't use pre-authorized regular payments, paying my bills individually and checking account statuses when I do. Direct debit/credit I call in for. My credit (or debit) card works just fine for shopping. I get my pensions by cheque; they keep bugging me for direct deposit but I say no. I never shop on-line or click on pop-ups or spam.
There's only one payor who refused to send cheques, and I set up a separate account just to receive their cash. As soon as it shows up (by touch-tone) in the account at the predictable date, I drop a cheque off in my local ATM (a short walk) to suck it out. There's never any money there but for an inaccessible account that requires special authorization for withdrawals, which can take a month to fulfill. That keeps them happy with me as a customer though they get no fees from me.
Most of my financial institutions are only used for GICs, only requiring occasional monitoring.
I know I'm not bulletproof, but I do what I can (unless I've exposed too much here...). Oh, and those contactless payments that are guaranteed for zero-loss protection - that's only at the bank's discretion! I'd much rather use a PIN.
Very interesting. I do wonder if this reduces your vulnerability all that much, given that your money is not stored in a physical vault in a bank like in the olden days and that you still make transactions while lacking ability to check cash flows and balances regularly (or get electronic warnings of unusual activity). Suppose there are fewer points of vulnerability, which is probably why you are doing it all in the first place.
My wild guess is that the main risk with this philosophy is the loss of opportunity. Presumably you don’t invest as surely that would necessitate unwanted financial footprint online?
6:07 am
November 8, 2018
RetirEd said
I make sure that there is NO online access configured and notes on my accounts to not allow it.
I do use call-in and touch-tone banking.
I do call in or use touch-tone banking to check accounts regularly, reconciling when the statements arrive.
I don't use pre-authorized regular payments, paying my bills individually and checking account statuses when I do.
I never shop on-line.
I know I'm not bulletproof, but I do what I can
My respect. You are the proof a man can do anything he sets his mind to.
To arrange such an offline life in the modern online world one must be highly organized, with attention to detail and such.
A person like that is unlikely to fall victim to common scams, so while I do respect what you've accomplished - you were unlikely to have been a victim anyway.
For me, what you do would be like moving to a remote cabin which does not have electricity, to avoid getting electrocuted by a household appliance.
My approach is different. I do embrace online banking, but the real me can't be found on social networks. I am active at some forums, but for example on this forum I registered with an email which is not used for banking. "Alexandre" is my name on this forum, but not on my driver's license.
I will not fall victim to social engineering. The only risk I see for me is spyware sneaking onto my computer. I know it is a non-zero probability, but not enough for me to abandon the conveniences of the online world, which include online banking and online shopping.
7:42 am
November 18, 2017
mordko and Alexandre: I'm old enough to be needing a RRIF. I lived through decades of pre-internet life and never saw the need to dive into an intrusive soup teeming with criminals and corporate thieves. I simply never converted to on-line activity when the opportunities were offered. Took no effort at all!
mordko:
you still make transactions while lacking ability to check cash flows and balances regularly
I can check them much more quickly and easily with a touch-tone phone call than by booting up my computer, logging in, running the 2FA, etc.
My wild guess is that the main risk with this philosophy is the loss of opportunity. Presumably you don’t invest as surely that would necessitate unwanted financial footprint online?
Investing, like any other financial activity, can still be done offline. That's how it was always done before. Being old, though, I avoid risk these days other than some shares at a couple of credit unions.
Alexandre: I, too, have no social media presence and never let my real identity appear on line. I'm careful about social engineering, but once came pretty close to being a "grandparent scam" victim despite long being aware of it; the caller was a perfect match for a known and trusted person - whether accidentally or by AI voice I do not know. I caught on when they asked me to send money to a lawyer, not a court or police agency. I asked for the supposed victim's last name and they hung up. I urge you all to watch the news and consumer affairs shows, and to check in with the Canadian Anti-Fraud Centre regularly: antifraudcentre-centreantifraude.ca/index-eng.htm
And of course I use a dumbphone and secure my Linux computer with whatever tools I know about. I use a separate computer for all my personal and financial data. (I have lots of them... people throw out or give away computers these days. It's an internet connection that costs a lot!)
savemoresaveoften: I always wear a motorcycle helmet when riding my motorcycle. I have yet to be hit by any golf balls.
RetirEd
12:56 pm
November 8, 2018
RetirEd said
Alexandre: I'm old enough to be needing a RRIF. I lived through decades of pre-internet life
I think most of us visiting this forum are of that age or close to retirement. We all witnessed dramatic societal change coming from some obscure system that the military expected to use for communications in the case of nuclear war.
I secure my Linux computer with whatever tools I know about. I use a separate computer for all my personal and financial data. (I have lots of them...)
Can't resist but to go off-topic. I wonder if you have a bearded photo of yourself in your 30s. If I say "a book by Brian Kernighan and Dennis Ritchie" you'll know the title of that book without googling. If I mention PDP-11, you would not need to check Wikipedia to explain what it is and what its importance was.
I hope I am right. If not, this is just off-topic, but if I guessed at least two out of three, even more respect to you.
2:00 pm
October 27, 2013
A bigger question may be whether a non-online life with respect to financial and other business/transactional matters will be viable in 10 years. Some banks are going cashless/transactionless at the front counter already, albeit some kind of 'phone service' and of course 'ATM service' will still be needed for those without any Internet connected smart devices to pull cash and pay bills. The bigger issue for some will be when/if cheques are no longer part of the payments system.
Germany, Sweden and Norway use almost no written cheques, while Finland abandoned the personal cheque in 1993 and Poland followed suit in 2006. These countries now rely instead on payment systems that are totally electronic.
In 9 years, Canada went from 7.9% cheques to 4.1% cheques. Some countries like India, Mexico and USA have seen far more dramatic changes. The USA, Canada and France are now outliers.
https://www.atlantafed.org/-/media/documents/banking/consumer-payments/research-data-reports/2023/07/14/use-of-checks-in-selected-countries.pdf
11:24 pm
November 18, 2017
Alexandre: Two out of three.
I have touched and used a PDP-8, but never used a PDP-11. I do have one of those - an almost-last model about the size of a Kaypro - but it's a boat-anchor in a closet I never got working for lack of peripherals.
Nope, never wore a beard. I did have really long blonde hair...
AltaRed: The internet was converted for military use. It began as ARPANET, intended primarily for Advanced Research Projects. Only when it was converted to DARPANET (Defense ARPANET) did it become a military priority.
RetirEd
7:05 am
October 27, 2013
RetirEd said
AltaRed: The internet was converted for military use. It began as ARPANET, intended primarily for Advanced Research Projects. Only when it was converted to DARPANET (Defense ARPANET) did it become a military priority.
Sure, most of us know the origin of the Internet and the adoption/transition to civilian use. I had a Tandy 1000 I think in 1985 and my first Windows 3.0 (IBM clone) computer in 1990. Connecting to broadband in 1997 was a gamechanger.
Just because we all functioned without any of that pre-Internet days does not mean we should not have become more productive and efficient with technology. Productivity improvements from technology and innovation are responsible for most GDP growth. We went from desktops that we could not put in our pockets, to laptops, to tablets and now smartphones to optimize productivity.
The next step is AI if we can harness that effectively where our devices know what we want before we know we want it. That may well develop enough by the time I become relatively incompetent in perhaps circa 10 years that it will allow me to be more independent than I would be otherwise.
Same with new payment processing systems and open banking in Canada that is all unfolding here within the next 5 years. Canada is well behind other primarily European jurisdictions, but some Asian ones too (as noted by my links above on changes in the use of cheques). I think we should be embracing change, not rebelling against it.
11:54 am
October 27, 2013
From an EQ Bank email yesterday, which may have been prompted by the media attention to the BMO story:
Summary of changes
We have made the following changes to the EQ Bank Mobile and Online Banking Terms and Conditions (the “Agreement”):
* Broadened the definition of “Unauthorized Activity” to clarify that instances where a transaction was caused by a failure, error, malfunction or technical problem of our system or equipment are included.
* Updated your responsibilities under “Safeguarding Your Electronic Identification and Notifying EQ Bank” for safekeeping your Electronic Identification use, including by protecting yourself from phishing by not responding to pop-ups, emails or other electronic requests that ask you to reveal personal information about yourself or your EQ Bank accounts, and by not clicking on links in or replying to emails that seem suspicious.
* Clarified under “Use of Information/Accuracy” that we may require periodic updates to the operating system of your Electronic Device(s) to maintain their compatibility with our software for the purposes of data protection and security.
* Clarified under “Changes to this Agreement” that we may send you a notice by email about any material changes to the Agreement.
* Clarified under “Acceptable Use” the ways in which our Services may not be used.
* Updated under “Security” the security features that we offer to safeguard your information.
* Broadened the application of the Agreement to include all EQ Bank online accounts.
We have updated the EQ Bank Mobile and Online Banking Security Guarantee to align with the changes made to the EQ Bank Mobile and Online Banking Terms and Conditions. We have also added a Resources section to make it easier for you to help us protect your financial identity.
It seems to me this is as plain as it can be what the customer is responsible for in their online security. If you don't know how to fish, stop going out on the lake with a fishing pole expecting good results.