Hackers | General financial discussion | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
October 25, 2019
8:17 am
Rick
Member
Members
Forum Posts: 1110
Member Since:
February 17, 2013
sp_UserOfflineSmall Offline
October 25, 2019
8:58 am
3oakwest
Ontario, Canada
Member
Members
Forum Posts: 155
Member Since:
April 7, 2016
sp_UserOfflineSmall Offline

I thought the Bank accepted all responsibility for losses like those mentioned in the article.

I'm going to take many more precautions from now on.

October 25, 2019
10:35 am
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

Rick said
Good eye-opening story
https://www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982?fbclid=IwAR0OB3Z79uDPTRx8_JIGGpa-dFvAAdSctOJ6l3Lp8_AaFZCmehXo2ev-s_U  

Sounds like he had inadequate malware protection on his computer ... no ?

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

October 25, 2019
10:52 am
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
And it's interesting to note that No One was interested in the thread about 2FA

Link ➡ https://www.highinterestsavings.ca/forum/general-financial-discussion/canadian-fis-behind-the-times-on-2fa-%e2%9d%97/

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

October 25, 2019
11:28 am
mmlt
Member
Members
Forum Posts: 168
Member Since:
February 4, 2017
sp_UserOfflineSmall Offline

2FA seems to be beyond banking capabilities. I've brought it up with my local credit union and all I get is a blank stare and "we'll look into it".

I forgot to add that to the Hubert survey. Darn.

October 25, 2019
11:42 am
Bill
Member
Members
Forum Posts: 4024
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

Article said "his claim was denied because the transaction was authorized from an internet address where he has 'extensive history'". I don't know much about this kind of stuff but isn't that kind of an important tidbit that CBC could have pursued?

October 25, 2019
12:16 pm
Doug
British Columbia, Canada
Member
Members
Forum Posts: 4290
Member Since:
December 12, 2009
sp_UserOfflineSmall Offline

Bill said
Article said "his claim was denied because the transaction was authorized from an internet address where he has 'extensive history'". I don't know much about this kind of stuff but isn't that kind of an important tidbit that CBC could have pursued?  

Maybe it's suspicious, but this is a case where more than just examining IP addresses is warranted. The bank should've sought a subpoena for surveillance camera imagery. The legal cost of such diligence, though, is likely prohibitive, so they should just award compensation, without prejudice or precedent, to the customer in keeping with good business practices. If this reoccurs, then potentially, higher due diligence would be warranted if the customer is trying to defraud the bank.

Cheers,
Doug

October 25, 2019
12:51 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

mmlt said

2FA seems to be beyond banking capabilities. I've brought it up with my local credit union and all I get is a blank stare and "we'll look into it".

I forgot to add that to the Hubert survey. Darn.  

I think the thing to do is take your 2FA suggestion 'directly' to your local CU's BoD.

I haven't completed my Hubert survey yet, so I'll include the 2FA suggestion when I do it.

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

October 25, 2019
1:09 pm
Oscar
Member
Members
Forum Posts: 290
Member Since:
October 17, 2018
sp_UserOfflineSmall Offline

Doug said

Maybe it's suspicious, but this is a case where more than just examining IP addresses is warranted. The bank should've sought a subpoena for surveillance camera imagery. The legal cost of such diligence, though, is likely prohibitive, so they should just award compensation, without prejudice or precedent, to the customer in keeping with good business practices. If this reoccurs, then potentially, higher due diligence would be warranted if the customer is trying to defraud the bank.

Cheers,
Doug  

Doug , what camera footage are you referring to ?

October 25, 2019
3:34 pm
Bill
Member
Members
Forum Posts: 4024
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

I can't agree that a complainant connected with an IP address should just be paid out the first time and all the other customers have to pay higher fees, etc to cover these losses banks pay out "in keeping with good business practices". And in a subsequent occurrence only "potentially" should more due diligence be done if there's actual fraud going on? That seems pretty lackadaisical re protecting bank's assets and possible criminal activity by customer, possibly in collusion with a buddy/hacker somewhere who knows where in the world.

October 25, 2019
5:44 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3143
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

If someone has been careless enough to get malware or a key logger on to their PC and the hacker can get in and use login credentials from that IP address (spoofed or otherwise), how is that the bank's problem?

People have to take responsibility for their own device's security.

October 25, 2019
6:32 pm
Norman1
Member
Members
Forum Posts: 7195
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

IP addresses cannot be spoofed for a two-way connection like that used by online banking. If the real originating IP address isn't set in the packet, the responding packets will end up being routed to the computer at the fake originating IP address specified.

Kind of like leaving a voicemail requesting credit card information and not leaving one's real phone number for the victim to call back. sf-laugh

To the bank, whoever did the transactions had the client's banking id and password. The perpetrator also had access to the client's internet connection, at work or home, the client had used many times before for transactions that were not disputed. sf-frown

October 26, 2019
10:22 am
Londonguy
Member
Members
Forum Posts: 535
Member Since:
May 27, 2016
sp_UserOfflineSmall Offline

Norman1 said
IP addresses cannot be spoofed for a two-way connection like that used by online banking. If the real originating IP address isn't set in the packet, the responding packets will end up being routed to the computer at the fake originating IP address specified.

Kind of like leaving a voicemail requesting credit card information and not leaving one's real phone number for the victim to call back. sf-laugh

To the bank, whoever did the transactions had the client's banking id and password. The perpetrator also had access to the client's internet connection, at work or home, the client had used many times before for transactions that were not disputed. sf-frown  

Surprised that you didn't continue on to say (nor did the CBC article) that the unspoken inference here is that somebody else in his house did it using his computer, either with or without his knowledge (or maybe someone at work, they don't provide that level of detail)

October 26, 2019
11:08 am
Norman1
Member
Members
Forum Posts: 7195
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Londonguy said

Surprised that you didn't continue on to say (nor did the CBC article) that the unspoken inference here is that somebody else in his house did it using his computer, either with or without his knowledge (or maybe someone at work, they don't provide that level of detail)

Someone else in his household is definitely a possibility. That's probably what the bank thinks. I've read quite a few stories of unauthorized ATM cash withdrawals complaints from way back when the banks starting installing video cameras at ATM. Customer claimed their ATM card was not stolen. Must be hacked ATM network! Imagine the surprise when they see the video of one of their children performing the ATM cash withdrawal with their card at 3 am.

However, there are other possibilities. For example, his home computer and home wireless network were compromised by one their children's friends whom his family shared their wireless network password with.

The friend returned, parked near their house, connected to his home wireless network, and logged onto online banking through his home network. To the bank, the packets came from and went back to the same IP address of his wireless router, like all his previous logins.

2FA can also be defeated if his home phone has call forwarding and it has been set to forward to the culprit's phone. Culprit would login to online banking with user ID and password. Online banking would ask to SMS or voice call the authentication code. Culprit selects voice call. Online banking calls home phone which forwards to culprits phone. Culprit get authentication code and provides it to online banking.

To the bank, user ID, password, IP address, and 2FA authentication code all match! A four-factor authentication has been successfully completed.

October 26, 2019
11:42 am
Bill
Member
Members
Forum Posts: 4024
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

Norman1, in your scenario the "friend" (!) still would have to know his logon id and password. Unlike CBC, I'm guessing this guy gave someone that info so they could rob a bank together but I could be wrong.

That was the point of my original post, i.e. that CBC puts its usual innocent little guy vs big bad corporation spin on it while at the same time hinting but not pursuing that there's more to the story. I've heard there are lots of cases (e.g. credit card fraud) where the fi (more to the point, its other customers who pay more fees, interest, etc to make up the losses) ends up taking the loss, so I'm guessing these cases where the customer is held liable are relatively rare and for where there's probably good reason. Of course all you have to do then is go to the media, as this person did, and the fi will pay you off to minimize bad publicity.

October 26, 2019
1:06 pm
Londonguy
Member
Members
Forum Posts: 535
Member Since:
May 27, 2016
sp_UserOfflineSmall Offline

Good point about the scenario where family "friends" have been provided with the household wifi password. I've been guilty of that bit of hospitality myself.

Time to change the password LOL

October 26, 2019
5:15 pm
Loonie
Member
Members
Forum Posts: 9395
Member Since:
October 21, 2013
sp_UserOfflineSmall Offline

Why has Dean changed his name to Selkirk?
He must really like Hubert a lot.

October 26, 2019
6:33 pm
GICinvestor
Member
Members
Forum Posts: 670
Member Since:
April 26, 2019
sp_UserOfflineSmall Offline

Loonie said
Why has Dean changed his name to Selkirk?
He must really like Hubert a lot.  

.......E67AD158-F5C8-412F-856A-5BEB4031B455.jpeg

October 27, 2019
9:19 am
Norman1
Member
Members
Forum Posts: 7195
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Bill said
Norman1, in your scenario the "friend" (!) still would have to know his logon id and password. Unlike CBC, I'm guessing this guy gave someone that info so they could rob a bank together but I could be wrong.

The "friend" definitely had his banking ID and password. It is always in the bank's mind that the complaining customer could be complicit.

But, there's also the possibility that his ID and password were sniffed. The household may have a family computer used by everyone. Everyone, including his kids and the classmates of the kids when they came over, used the same account with full administrator privileges!

The "friend" slipped in a keylogging program on that computer that captured all the keyboard activity and quietly sent the captured activity periodically to a web server. Among the captured activity was the victim's logins to online banking.sf-frown

October 27, 2019
9:29 am
Loonie
Member
Members
Forum Posts: 9395
Member Since:
October 21, 2013
sp_UserOfflineSmall Offline

We actually know nothing about this guy's living arrangements. For all we know, he lives alone and hates kids.

Scotia obviously knew something had gone wrong because they phoned him early in the morning to tell him about it.

I thought the most useful part of the story was the experience in the UK where tighter regulation requiring banks to take responsibility caused the banks to beef up security such that such cases of fraud plummeted.

No permission to create posts

Please write your comments in the forum.