10:35 am
January 12, 2019
Rick said
Good eye-opening story
https://www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982?fbclid=IwAR0OB3Z79uDPTRx8_JIGGpa-dFvAAdSctOJ6l3Lp8_AaFZCmehXo2ev-s_U
Sounds like he had inadequate malware protection on his computer ... no?
" Live Long, Healthy ... And Prosper! "
10:52 am
January 12, 2019
.
And it's interesting to note that No One was interested in the thread about 2FA
" Live Long, Healthy ... And Prosper! "
12:16 pm
December 12, 2009
Bill said
Article said "his claim was denied because the transaction was authorized from an internet address where he has 'extensive history'". I don't know much about this kind of stuff but isn't that kind of an important tidbit that CBC could have pursued?
Maybe it's suspicious, but this is a case where more than just examining IP addresses is warranted. The bank should've sought a subpoena for surveillance camera imagery. The legal cost of such diligence, though, is likely prohibitive, so they should just award compensation, without prejudice or precedent, to the customer in keeping with good business practices. If this reoccurs, then potentially, higher due diligence would be warranted if the customer is trying to defraud the bank.
Cheers,
Doug
12:51 pm
January 12, 2019
mmlt said
2FA seems to be beyond banking capabilities. I've brought it up with my local credit union and all I get is a blank stare and "we'll look into it".
I forgot to add that to the Hubert survey. Darn.
I think the thing to do is take your 2FA suggestion 'directly' to your local CU's BoD.
I haven't completed my Hubert survey yet, so I'll include the 2FA suggestion when I do it.
" Live Long, Healthy ... And Prosper! "
1:09 pm
October 17, 2018
Doug said
Maybe it's suspicious, but this is a case where more than just examining IP addresses is warranted. The bank should've sought a subpoena for surveillance camera imagery. The legal cost of such diligence, though, is likely prohibitive, so they should just award compensation, without prejudice or precedent, to the customer in keeping with good business practices. If this reoccurs, then potentially, higher due diligence would be warranted if the customer is trying to defraud the bank.
Cheers,
Doug
Doug, what camera footage are you referring to?
3:34 pm
September 11, 2013
I can't agree that a complainant connected with an IP address should just be paid out the first time and all the other customers have to pay higher fees, etc to cover these losses banks pay out "in keeping with good business practices". And in a subsequent occurrence only "potentially" should more due diligence be done if there's actual fraud going on? That seems pretty lackadaisical re protecting bank's assets and possible criminal activity by customer, possibly in collusion with a buddy/hacker somewhere who knows where in the world.
6:32 pm
April 6, 2013
IP addresses cannot be spoofed for a two-way connection like that used by online banking. If the real originating IP address isn't set in the packet, the responding packets will end up being routed to the computer at the fake originating IP address specified.
Kind of like leaving a voicemail requesting credit card information and not leaving one's real phone number for the victim to call back.
To the bank, whoever did the transactions had the client's banking id and password. The perpetrator also had access to the client's internet connection, at work or home, the client had used many times before for transactions that were not disputed.
10:22 am
May 27, 2016
Norman1 said
IP addresses cannot be spoofed for a two-way connection like that used by online banking. If the real originating IP address isn't set in the packet, the responding packets will end up being routed to the computer at the fake originating IP address specified.
Kind of like leaving a voicemail requesting credit card information and not leaving one's real phone number for the victim to call back.
To the bank, whoever did the transactions had the client's banking id and password. The perpetrator also had access to the client's internet connection, at work or home, the client had used many times before for transactions that were not disputed.
Surprised that you didn't continue on to say (nor did the CBC article) that the unspoken inference here is that somebody else in his house did it using his computer, either with or without his knowledge (or maybe someone at work, they don't provide that level of detail)
11:08 am
April 6, 2013
Londonguy said
Surprised that you didn't continue on to say (nor did the CBC article) that the unspoken inference here is that somebody else in his house did it using his computer, either with or without his knowledge (or maybe someone at work, they don't provide that level of detail)
Someone else in his household is definitely a possibility. That's probably what the bank thinks. I've read quite a few stories of unauthorized ATM cash withdrawal complaints from way back when the banks started installing video cameras at ATMs. Customer claimed their ATM card was not stolen. Must be hacked ATM network! Imagine the surprise when they see the video of one of their children performing the ATM cash withdrawal with their card at 3 am.
However, there are other possibilities. For example, his home computer and home wireless network were compromised by one of their children's friends whom his family shared their wireless network password with.
The friend returned, parked near their house, connected to his home wireless network, and logged onto online banking through his home network. To the bank, the packets came from and went back to the same IP address of his wireless router, like all his previous logins.
2FA can also be defeated if his home phone has call forwarding and it has been set to forward to the culprit's phone. Culprit would log in to online banking with user ID and password. Online banking would ask to SMS or voice call the authentication code. Culprit selects voice call. Online banking calls home phone which forwards to culprit's phone. Culprit gets authentication code and provides it to online banking.
To the bank, user ID, password, IP address, and 2FA authentication code all match! A four-factor authentication has been successfully completed.
11:42 am
September 11, 2013
Norman1, in your scenario the "friend" (!) still would have to know his logon id and password. Unlike CBC, I'm guessing this guy gave someone that info so they could rob a bank together but I could be wrong.
That was the point of my original post, i.e. that CBC puts its usual innocent little guy vs big bad corporation spin on it while at the same time hinting but not pursuing that there's more to the story. I've heard there are lots of cases (e.g. credit card fraud) where the fi (more to the point, its other customers who pay more fees, interest, etc to make up the losses) ends up taking the loss, so I'm guessing these cases where the customer is held liable are relatively rare and for where there's probably good reason. Of course all you have to do then is go to the media, as this person did, and the fi will pay you off to minimize bad publicity.
9:19 am
April 6, 2013
Bill said
Norman1, in your scenario the "friend" (!) still would have to know his logon id and password. Unlike CBC, I'm guessing this guy gave someone that info so they could rob a bank together but I could be wrong.
…
The "friend" definitely had his banking ID and password. It is always in the bank's mind that the complaining customer could be complicit.
But, there's also the possibility that his ID and password were sniffed. The household may have a family computer used by everyone. Everyone, including his kids and the classmates of the kids when they came over, used the same account with full administrator privileges!
The "friend" slipped in a keylogging program on that computer that captured all the keyboard activity and quietly sent the captured activity periodically to a web server. Among the captured activity were the victim's logins to online banking.
9:29 am
October 21, 2013
We actually know nothing about this guy's living arrangements. For all we know, he lives alone and hates kids.
Scotia obviously knew something had gone wrong because they phoned him early in the morning to tell him about it.
I thought the most useful part of the story was the experience in the UK where tighter regulation requiring banks to take responsibility caused the banks to beef up security such that such cases of fraud plummeted.