10:03 am
April 6, 2013
Kids and house guests are just two of the ways. They are not the only ways to have a keylogging software installed.
The statement suggesting UK banks are liable for all such losses is, at best, inaccurate. BBC News (28 May 2019): Scam victims to be refunded by banks explains how the recent UK changes work.
There's a new compensation fund, that banks can voluntarily join, that compensates victimized customers. There is still an investigation and the fund can refuse claims:
A victim who has been "grossly negligent" will not be reimbursed.
10:20 am
January 12, 2019
AltaRed said
If someone has been careless enough to get malware or a key logger on to their PC and the hacker can get in and use login credentials from that IP address (spoofed or otherwise), how is that the bank's problem?
People have to take responsibility for their own device's security.
'Amen' to that ⬆
It's Amazing how many people still only have very basic security on their computers ... it's like; They're Asking For It❗
Selkirk (a.k.a. Dean)
" Live Long, Healthy ... And Prosper! "
11:00 am
April 6, 2013
One case looks like the customer was negligent. It sounds like hackers changed the account number on one of her bill payees. Perhaps, she didn't check the number before confirming the payments and ended up paying off the hacker's Visa card:
… told Go Public that hackers accessed her RBC account and redirected her Visa payments, stealing $12,000 in May 2018. The bank was able to get $7,000 returned, but she is still out $5,000 and feels betrayed. "They said, 'You made the payments yourself,'" said Widdis. An RBC spokesperson wrote that potentially unauthorized transactions are analyzed "on a case-by-case" basis.
11:12 am
October 21, 2013
Norman1 said
Kids and house guests are just two of the ways. They are not the only ways to have a keylogging software installed. The statement suggesting UK banks are liable for all such losses is, at best, inaccurate. BBC News (28 May 2019): Scam victims to be refunded by banks explains how the recent UK changes work.
There's a new compensation fund, that banks can voluntarily join, that compensates victimized customers. There is still an investigation and the fund can refuse claims:
A victim who has been "grossly negligent" will not be reimbursed.
The fact remains that the British have taken action, and our government has not, so far.
According to the CBC article, this action has been effective. For this, they quote a researcher at the Munk Centre. Such a researcher is likely more objective and better informed than anyone else named in the article. I have no information to contradict him.
Yes, I am aware that, theoretically, other people may have had access to someone's computer, but the scenario being painted here about this fellow's imaginary kids is over the top.
Realistically, if I were a fraudster, surely I would want to go after the bank's weaknesses more than the individual's. I can get a lot more money that way. And household visitors are a lot easier to identify.
Over the last few years, 3 of the financial institutions that I deal with have had reported breaches. Only one of them affected me personally, and not significantly. I was lucky. I haven't had any problems with my PC. Odds are, therefore, that future issues will also be with the banks, not me.
None of the banks cited have given a clear explanation of what happened or why they blame the victim. Yet several have reimbursed the victim. This suggests they realize they could be found liable.
11:18 am
April 6, 2013
Londonguy said
Good point about the scenario where family "friends" have been provided with the household wifi password. I've been guilty of that bit of hospitality myself. Time to change the password LOL
It is good to change the wifi password periodically, especially after a "friend" of the family is no longer welcome. For example, the daughter's ex-boyfriend who turned out to be a small time con artist.
However, it is a hassle because every wireless device in the household needs to be updated.
2:16 pm
November 8, 2018
Norman1 said
Londonguy said
Good point about the scenario where family "friends" have been provided with the household wifi password. I've been guilty of that bit of hospitality myself. Time to change the password LOL
It is good to change the wifi password periodically, especially after a "friend" of the family is no longer welcome. For example, the daughter's ex-boyfriend who turned out to be a small time con artist.
However, it is a hassle because every wireless device in the household needs to be updated.
Consider upgrading to a WiFi router that has "guest network" option. Some internet providers have that feature in their hardware they give to users. Rogers cable modem/router does have it, for example.
My biggest concern from that article is an intercept of Interac transaction, and banks unwilling to roll it back. After all, one would assume that Interac transaction is fully and easily trackable. Yet, it appears if someone redirected it to their account, banks are unwilling to act on that.
6:31 pm
April 6, 2013
Alexandre said
Consider upgrading to a WiFi router that has "guest network" option. Some internet providers have that feature in their hardware they give to users. Rogers cable modem/router does have it, for example.
Guest devices won't be able to access the other computers and devices. So, won't be able to install a keylogger, for example, on the family home computer.
But, there isn't a second external IP address for the guest device. Any online banking access from a guest device would appear to come from the same IP address as the family's regular computers and devices.
My biggest concern from that article is an intercept of Interac transaction, and banks unwilling to roll it back. After all, one would assume that Interac transaction is fully and easily trackable. Yet, it appears if someone redirected it to their account, banks are unwilling to act on that.
Like a wire transfer, an accepted Interac e-transfer is final. Doesn't matter that the bank knows what account the funds were deposited to. Once the e-transfer token is successfully claimed with the correct answer to the security question, the transfer is final.
It's really the sender's fault for using an insecure security question and answer. I read that one sender used a question like "What is the first name of my favourite Beatle?" There's only four possible answers. One is allowed three attempts. Hacker got the correct answer within three attempts.
PS: I found the CBC story: RBC customer out of pocket after fraud: What you need to know if you e-transfer money
Actually, four attempts are allowed for the Interac e-transfer question. There are only four Beatles….
7:02 pm
April 6, 2013
Loonie said
The fact remains that the British have taken action, and our government has not, so far.
According to the CBC article, this action has been effective. For this, they quote a researcher at the Munk Centre. Such a researcher is likely more objective and better informed than anyone else named in the article. I have no information to contradict him.
That's the same person who said the UK banks are liable and Canadian banks are not. Both statements are false. Canadian banks are liable under their online banking guarantees conditional on customer meeting his/her responsibilities.
UK banks are not more liable either. Just that when some UK bank refuses to compensate and the UK bank has signed up to the fund, the customer can try to claim the loss from the fund.
…
Realistically, if I were a fraudster, surely I would want to go after the bank's weaknesses more than the individual's. I can get a lot more money that way. And household visitors are a lot easier to identify. Over the last few years, 3 of the financial institutions that I deal with have had reported breaches. Only one of them affected me personally, and not significantly. I was lucky. I haven't had any problems with my PC. Odds are, therefore, that future issues will also be with the banks, not me.
It's the other way around. The successful thieves try the easy route, not the hard one.
Very hard to break into a bank vault. Lot easier to follow the customers when they leave the branch after making their cash withdrawals and mug them on their way home.
Instead of trying to hack into a bank's network, lot easier to break into expensive homes, install keylogger software onto their home computer, and take a few valuables to make it look like an ordinary burglary.
Then, patiently harvest the e-mail account and banking passwords as the people log into their accounts, relieved that their home computer wasn't taken.
8:59 pm
April 6, 2013
Loonie said
The fact remains that the British have taken action, and our government has not, so far.
According to the CBC article, this action has been effective. For this, they quote a researcher at the Munk Centre. Such a researcher is likely more objective and better informed than anyone else named in the article. I have no information to contradict him.
…
This UK article describes how the new funds transfer code in the UK works. It is not how the researcher described it: Victim of a money transfer scam? You now have new rights with most banks
Full refund only when customer is not to blame. No refund if customer is "grossly negligent". Partial refund when customer shares some of the blame:
…
Where there's shared blame, the customer will get a partial refund. The amount depends on who's to blame out of those involved. For example, if you and the banks receiving and sending the money all fail to meet the standards expected, you'll get a third of the money you lost from each bank but have to swallow the remaining third of the loss yourself.
…
Full liability by the banks for any losses seemed way too good to be true to me.
Instead of hacking into the bank's computers, just open a bank account and "lose" the ID and password to an accomplice. Accomplice does "unauthorized" funds transfers with the ID and password. Disclaim the transfers as fraudulent a month later when reviewing the monthly statement and get reimbursed.
Accomplice deposits a share of the funds transferred into an offshore account.
3:17 am
October 21, 2013
Let's restrict ourselves to the things Munk School researcher Christopher Parsons is ACTUALLY quoted as having said, all other statements being paraphrase and/or editorial:
"They (i.e. the banks) can't just provide us tools or push liability upon us and then walk away."
"One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they're encouraged to build way better security and protect their customers from this sort of fraud."
"And as soon as the banks had to take those losses (i.e. following new legislation in UK), all of a sudden … fraud plummeted because the banks invested massively in security," said Parsons.
"If banks themselves won't do it, then it's an area where legislation needs to be seriously considered. We can't rely on customers to know about every kind of security vulnerability, to track every website that has breached passwords," he said. "That's just absolutely absurd and not a feasible solution to the problem."
While there may be some errors in quotes, let's just stick to them and not the paraphrasing and editorialisms. If he'd been as clear as Norman thinks about other questions, I expect there would have been a direct quote to back it up.
The articles cited by Norman in British media have to do with the introduction of the new measures, not with the effects they have had on banks' behaviour or incidence of fraud since then.
And if the problem is burglars, visitors, or nefarious relatives installing devices to track keys, then in my opinion this is something the banks need to deal with. They are the ones who introduced online banking and told us how safe it was going to be. They bear a lot of responsibility in ensuring that it is. They have way more sophisticated tools and knowledge than the average person can ever have. And they have the arrogance to sit there and say "it's your fault" without ever disclosing how they came to this self-interested conclusion. Give me a break!
Many of the "security" questions they use are laughable. Everybody who attended my wedding knows where it took place; a ton of people know my eldest nephew's name; my father's middle name is easily obtainable; even the name of my first pet is known to a few people; and so on.
The banks chose to pretend that this was all easy and safe because they wanted us to use it and are capitalizing on our trust.
If they wanted it to be really secure, they would make it harder to log in. They are perfectly capable of doing this as they keep all their internal documents under tight control. However, if they did, customers would get frustrated, no doubt, and would complain that it was difficult to access their accounts and that online banking was too difficult. They would be constantly phoning in to re-set their passwords and would take up almost as much staff time as they used to when they went to physical branches. The banks don't want people to get frustrated because then they won't use online banking. So, they have cut corners to make it "easy", "convenient", - and vulnerable. There is a cost to that, and we ought not to allow them to put it all on us.
The fact that they have compensated some people voluntarily and have apparently never revealed any details as to why they accuse the customer of being at fault shows that they recognize their role in the problem. But they will only take serious action when either the problem gets out of hand (i.e. too many complaints, lawsuits, bad publicity, and closed accounts) or they are forced by law to do better. No doubt they have actuaries and algorithmic odds-makers figuring out how much they think they can get away with on an ongoing basis.
In this regard, I doubt credit unions are any different. I don't find them to be any more secure. I remember when Hubert used to force members to change their password every few months. They have dropped that, but it was a good start. Maybe people complained that it was "inconvenient".
BTW, the correct answer to "who is your favourite Beatle?" (this week) is "Clovis". Next week I think it might be "Minerva". Think of it like naming hurricanes. Perhaps "Boris" will be up next. Maybe my first pet's name really was "tractor", come to think of it, or was it "Nonsequitur"?
Poor puppy.
4:49 am
November 8, 2018
Norman1 said
Like a wire transfer, an accepted Interac e-transfer is final. Doesn't matter that the bank knows what account the funds were deposited to.
It's really the sender's fault for using an insecure security question and answer.
It is similar to saying "When someone lifted wallet with $20 from your pocket, the transfer is final. Doesn't matter that you notified police and they have clear view of a thief on security camera, and the person is known to the police. It is really your fault for not securing wallet in your pocket."
6:33 am
September 11, 2013
The views here represent the usual dichotomy between those who take personal responsibility for their security and those who regularly blame others such as big business or government for the same. I agree with you, Alexandre, that's where it starts, and so far I've never had a problem of any kind.
Loonie, it's not just burglars, nefarious relatives, etc, these types of frauds are very often committed, as those who have worked in the field fully know, by collusion, e.g. the victim or employee (inside person) and outside collaboration. You need to consider that possibility too.
I and my colleagues used to laugh at CBC and other media reports of a particular case. Invariably much was incorrect, even more was omitted. I don't expect those without my experience to be as aware of this, but I think all the kids have been taught for some time to be very skeptical consumers of all media.
12:47 pm
October 21, 2013
Your bias in favour of the banks, whose stock you own, and against the CBC and most media, are well known on this forum, Bill. No need to repeat.
As usual, you cite unspecified and unverifiable work experiences to slam the CBC. You must think I am incredibly naive. I too have experience with the media, almost certainly from more angles than you do. It isn't perfect, but nothing is, certainly not the banks; however, CBC has unearthed some very important issues in the past and continues to do so.
Did I ever say there were not additional avenues for crooks? Of course not. Let's keep the red herrings out of this discussion.
8:36 pm
April 6, 2013
Loonie said
Let's restrict ourselves to the things Munk School researcher Christopher Parsons is ACTUALLY quoted as having said, all other statements being paraphrase and/or editorial:
"They (i.e. the banks) can't just provide us tools or push liability upon us and then walk away."
"One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they're encouraged to build way better security and protect their customers from this sort of fraud."
"And as soon as the banks had to take those losses (i.e. following new legislation in UK), all of a sudden … fraud plummeted because the banks invested massively in security," said Parsons.
"If banks themselves won't do it, then it's an area where legislation needs to be seriously considered. We can't rely on customers to know about every kind of security vulnerability, to track every website that has breached passwords," he said. "That's just absolutely absurd and not a feasible solution to the problem."
While there may be some errors in quotes, let's just stick to them and not the paraphrasing and editorialisms. If he'd been as clear as Norman thinks about other questions, I expect there would have been a direct quote to back it up.
But, there is no sign of any new legislation in the UK shifting the liability to the banks in these kinds of situations.
In contrast, there are lots of articles about the new compensation fund for these kinds of situations. Talk of a 2.9 pence levy on each fund transfer over £30 to fund the compensation fund. Proposals for some kind of payee verification system that one could use to verify the identity of the account one is about to send funds to.
The articles cited by Norman in British media have to do with the introduction of the new measures, not with the effects they have had on banks' behaviour or incidence of fraud since then.
…
The change is just a new compensation fund. It just means that when the bank won't compensate and the bank is among the ones signed up to the fund, the customer can file a claim against the fund.
According to Guardian (Sept. 26, 2019): Number of bank transfer scams in UK rises by 40% in a year, funds transfer fraud has been up substantially this year to June. But, the latest statistics only include about a month of the new compensation fund available for claims.
10:15 pm
April 6, 2013
Alexandre said
It is similar to saying "When someone lifted wallet with $20 from your pocket, the transfer is final. Doesn't matter that you notified police and they have clear view of a thief on security camera, and the person is known to the police. It is really your fault for not securing wallet in your pocket."
So what if it is similar.
If I take the police report and video to the Bank of Canada, will they replace the $20? If I take the same to the store where I bought my wallet, will the store replace the wallet for free?
Even if the victims were blameless, which they clearly were not in the Interac e-transfer loss, it doesn't mean the bank should always be the one who takes 100% of loss.
2:36 am
October 21, 2013
Norman, according to the articles you have referenced from the BBC and from "moneysavingexpert", whoever that may be:
the compensation fund is funded by the committed banks;
the banks themselves drew up the codes;
Most of the major British banks have committed to it;
banks who have not committed to it have indicated they likely will in the future, with the exception of one that promises to refund all innocent customers;
vulnerable people are fully protected;
there is provision for appeal to an ombudsman service if the decision is not accepted;
and, in the first instance, where banks are fully responsible for what happened, they will compensate directly, not from the fund. The fund is to be used only when there is joint responsibility.
This is not an exhaustive list.
People who are "grossly negligent" will be responsible for their own errors, but this is within reason; customers are not expected to be computer experts. Education will be provided on what is reasonable. That is to be expected, and nobody here has suggested otherwise. Everyone who is not shown to be "grossly negligent" will be compensated.
However, if as Parsons says, significant improvements have already been seen, then either there can't be so many "grossly negligent" people as are sometimes assumed or the new educational expectations that the banks must implement have been rapidly effected and transformed into new habits (very unlikely in my view, given human nature).
Certainly, if I were a bank and knew I would be held responsible or would have to contribute more to a compensatory fund, I would be in a hurry to make security improvements. I would abandon the laziness of which our banks are typically guilty in their so-called "security" questions. But if it's up to my total discretion, as is the case in Canada, then I would simply be weighing the costs of lawsuits, bad publicity and occasional payouts to make me look good and take off the pressure to regulate.
The British banks seem to have seen the light, the need to regulate, and have agreed to it. Perhaps they had a bigger problem in the first place, which was leading to more bad publicity. Let's hope ours become equally enlightened.
Here, on the other hand, we have no protection at all and everyone must beg individually and hope for the best, or go to the media. It's time we caught up.
In your last post, you added the notion that in future the compensation fund might be funded from a transaction tax charged by the banks.
Yes, they might. That would be just like them, wouldn't it, to charge the customer for the fund that is supposed to compensate them for errors which are partly their own responsibility, and not take it from profits. That is what is so sick about this industry - and many others - that they transfer their own mistakes to the public, whether it's through whining to the government that they need more tax breaks or "incentives" or by taxing the customer. Talk about people not taking responsibility! I can't think of better examples.
But when it comes to individuals messing up, some people are eager to point the finger - even when they have no evidence.
4:53 am
November 8, 2018
Norman1 said
Alexandre said
It is similar to saying "When someone lifted wallet with $20 from your pocket, the transfer is final. Doesn't matter that you notified police and they have clear view of a thief on security camera, and the person is known to the police. It is really your fault for not securing wallet in your pocket."
So what if it is similar.
If I take the police report and video to the Bank of Canada, will they replace the $20? If I take the same to the store where I bought my wallet, will the store replace the wallet for free?
Even if the victims were blameless, which they clearly were not in the Interac e-transfer loss, it doesn't mean the bank should always be the one who takes 100% of loss.
I do not expect the bank to necessarily return money that was misdirected; a smart criminal will withdraw it from their account right away. Yet, banks not acting promptly where they have access to all information about the thief is what allows these criminal actions to continue.
9:34 am
September 11, 2013
9:58 am
September 20, 2016
I receive e-transfers a lot and was looking for a safer, more convenient way. My solution was to set up a bank account with "e-transfer auto-deposit", easily done from the bank's web site and free. When someone sends me funds they see a "no security question required" message while setting up the transfer. The only email I receive is from my bank advising an e-transfer has been auto deposited - no accepting required on my part. Hacking my email account doesn't come into play. Also no constantly checking incoming email for e-transfers. I can later re-direct the funds. Has anyone heard of a problem with this method?
12:43 pm
November 8, 2018
skibum said
I receive e-transfers a lot and was looking for a safer, more convenient way. My solution was to set up a bank account with "e-transfer auto-deposit", easily done from the bank's web site and free ... Hacking my email account doesn't come into play. Also no constantly checking incoming email for e-transfers. I can later re-direct the funds. Has anyone heard of a problem with this method?
You did the right thing, but this method is still not hacker-proof.
A hacker that has access to victim's email account could submit victim's email address for autodeposit to hacker's bank account and complete the transfer of autodeposit registration by intercepting emails coming from Interac to victim's inbox.
Autodeposit transfer process does not require victim's banking credentials, just victim's email address.
If victim receives recurring autodeposit payments, hacker could intercept such payment by redirecting autodeposit to hacker's account just before next payment is made.