I was stolen $2.9k thanks to Neo Financial's unsured system design and they don't care | Neo Financial | Discussion forum

May 11, 2022
9:43 am
i-lost-3k-in-Neo
Newbie
Members
Forum Posts: 2
Member Since:
May 11, 2022

I just want to let you know you should never put money in Neo Financial unless you can 100% make sure your email is secure. When one tries to log in, all they need is your email access. It is not possible to have SMS verification, close the transfer function, or limit the amount, all of which can be set in TD. I sent 450 dollars 1 year ago using Scotia, and they actually blocked the transfer and the whole account. It was an annoying process to unlock the account and the pending transfer, but at least it is safe!

I actually work in the IT area. My password had numbers, uppercase and lowercase letters, and special characters. The pattern of the transfer was so clear that they should have rejected the login and the transaction. The login was from a different city, using a different phone, a not-my-name's iPhone (I always use Chrome on a PC), and the amount was 2900, which was close to the $3000 daily limit; I never paid anyone more than $1000. They actually detected the abnormality, but they let it go through less than an hour later when that person emailed them using my email, "I did want to send this money". They did not attempt to call or message me to confirm. I called them the next morning at 9 am, which is the earliest time they work. It has been a week and no one has contacted me; they probably did nothing.

When your email is stolen, there are no other barriers to stop a transfer (unless you are watching your mail every minute). I really should have been aware of this before.

I feel it is a waste of time to contact them anymore. I just want to make a claim directly to the government agency. Any advice?

2.png
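Added example, not part of any post in this thread and not Neo Financial's logic: a sketch of how the signals listed in the post above (new device, new city, amount near the $3,000 daily limit, amount well above the account's history) could hold a transfer until it is confirmed over a channel the login did not already depend on. The thresholds, channel names and function names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

DAILY_LIMIT = 3000.00  # daily e-transfer limit quoted in the post


@dataclass
class Transfer:
    amount: float
    known_device: bool     # device previously used on this account
    known_city: bool       # login location seen before
    largest_prior: float   # largest amount the account has ever sent


def risk_signals(t: Transfer) -> list[str]:
    """Return the anomaly signals the post describes (thresholds are assumed)."""
    signals = []
    if not t.known_device:
        signals.append("new_device")
    if not t.known_city:
        signals.append("new_city")
    if t.amount >= 0.9 * DAILY_LIMIT:
        signals.append("near_daily_limit")
    if t.amount > 2 * t.largest_prior:
        signals.append("amount_outlier")
    return signals


def decide(t: Transfer, login_channels: set[str], confirm_channel: str | None) -> str:
    """Allow, or hold until confirmed over a channel the login did not rely on."""
    if len(risk_signals(t)) < 2:      # assumed policy: two signals trigger step-up
        return "allow"
    if confirm_channel is None or confirm_channel in login_channels:
        return "hold"                 # a reply over the login channel proves nothing new
    return "allow"


# Constructed inputs mirroring the figures in the post.
FLAGGED = Transfer(2900.00, known_device=False, known_city=False, largest_prior=1000.00)
ROUTINE = Transfer(450.00, known_device=True, known_city=True, largest_prior=1000.00)
LOGIN = {"password", "email"}         # email access was enough to get in, per the post

if __name__ == "__main__":
    print(risk_signals(FLAGGED))
    print(decide(FLAGGED, LOGIN, "email"))            # hold
    print(decide(FLAGGED, LOGIN, "voice_callback"))   # allow
    print(decide(ROUTINE, LOGIN, None))               # allow
```

With these inputs, an emailed "I did want to send this money" leaves the transfer on hold because email is already one of the login channels.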

May 11, 2022
4:04 pm
Vatox
Member
Members
Forum Posts: 1218
Member Since:
October 29, 2017

Call Concentra and try to find out where your account was logged in and on what device. Neo isn’t a bank.

May 11, 2022
5:18 pm
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018

I am thinking there are a few pieces that may be missing from this story. I do not dispute the fact of the theft.

One needs an email address and password to log in to a Neo Financial account. If you know how to do that with an email address alone, please tell.

I just checked with my Neo account: one can't send an Interac transfer from the Neo Financial web site. This can only be done through the app. Which means the victim may have been specifically targeted: someone must have known the victim banks with Neo, and with what login email address and password.
That someone had to install the Neo app on their smartphone to gain access to the Interac transfer services of the Neo account.

Also, once I installed the Neo app on my new smartphone, I was alerted by email about that.
Screenshot_20220511-191113.png

May 11, 2022
6:32 pm
Loonie
Member
Members
Forum Posts: 9391
Member Since:
October 21, 2013

When we were discussing Neo a few months ago, there was not yet any regulation for this type of company which, as Vatox pointed out, is not a bank and thus not subject to bank regulations which help protect the public. This was one of the reasons I chose not to open an account with them. I'm guessing they are still not regulated.
Isn't this the outfit that was previously operating a restaurant delivery company? Definitely not bankers.

May 12, 2022
4:59 am
savemoresaveoften
Member
Members
Forum Posts: 2981
Member Since:
March 30, 2017

Guess this story means 2-factor authentication to your phone is a much safer security feature than confirmation to email. Some institutions still only offer the email option, which is ancient tech.

May 12, 2022
8:13 am
Norman1
Member
Members
Forum Posts: 7162
Member Since:
April 6, 2013

Whoever ordered the $2,900 Interac e-transfer had the Neo banking ID and password. How else would the person be able to install the Neo app on their phone and connect the app to the Neo account?

The person also had access to the e-mailbox registered with the Neo account. How else would the person be able to receive the 2FA e-mail message and respond to it?

With that, it isn't unreasonable for Neo or any financial institution to think that the person is the actual Neo account holder. Different phone or different IP address is just noise.

People change phones by moving their SIM card. IP address changes if one just switches from data plan to the WiFi at home or at work.

May 12, 2022
8:32 am
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018

Take a look at the IP address lookup for the IP used to access OP's Neo account:

IP-address-lookup.jpg

The idiot who stole the money must have been on WiFi at home, connected to a cable modem. Contacting Videotron Support might be a good idea; perhaps they will be willing to disclose the postal address of that account.

May 12, 2022
9:15 am
Loonie
Member
Members
Forum Posts: 9391
Member Since:
October 21, 2013

If someone comes into my house and steals my stuff because I inadvertently left a window open, it's still theft.
Have you considered calling the police? I know it's a relatively small amount and you may not get a useful response, but it should be easy for them to track this IP if it's valid. A knock on the door from a cop might discourage a junior hacker from continuing a life of crime.

May 12, 2022
9:58 am
Norman1
Member
Members
Forum Posts: 7162
Member Since:
April 6, 2013

That $2,900 Interac e-Transfer was deposited into a bank account. The identity of the owner of that bank account would be available and could be obtained by the police.

May 12, 2022
3:57 pm
LK
British Columbia, Canada
Member
Members
Forum Posts: 199
Member Since:
July 9, 2020

Loonie said
When we were discussing Neo a few months ago, there was not yet any regulation for this type of company which, as Vatox pointed out, is not a bank and thus not subject to bank regulations which help protect the public. This was one of the reasons I chose not to open an account with them. I'm guessing they are still not regulated.
Isn't this the outfit that was previously operating a restaurant delivery company? Definitely not bankers.  

The name of the account is the "Neo Savings Account", but the bank is Concentra (now Wyth). Neo is just the technology company providing the app and interface, and so Concentra/Wyth should be contacted as the financial institution / bank (which is federally regulated).

May 12, 2022
5:01 pm
Loonie
Member
Members
Forum Posts: 9391
Member Since:
October 21, 2013

Yes, I know that.
However, OP was dealing with Neo.

Neo and Wyth/Concentra are not likely to take responsibility for this in my opinion; they will just blame each other and OP. And none of us knows who was responsible.

For all these reasons, I suggested OP contact the police. If they can be induced to pursue it, they have the tools needed. For them, it should be a simple case.

May 12, 2022
5:50 pm
Bill
Member
Members
Forum Posts: 4018
Member Since:
September 11, 2013

If I ever decided to put my money with one of these financial "partnership" arrangements between a non-bank and a bank I'd read very carefully all the fine print at time of opening the account regarding who to contact, or which "partner" is ultimately liable/responsible for resolving any issues like this.

May 20, 2022
8:49 am
i-lost-3k-in-Neo
Newbie
Members
Forum Posts: 2
Member Since:
May 11, 2022

Update: They fully refunded the money.

November 25, 2023
9:48 am
lost-6k-Neo
Newbie
Members
Forum Posts: 2
Member Since:
November 25, 2023

This happened to me. It still hasn't been resolved and is now affecting my credit score. Someone hacked my email and took over my online banking. I phoned customer support to lock the credit card right away and change the email. I was told they did, and we even went over the security steps to secure my email and phone. I recovered my email myself but still not the online banking, so I asked them to freeze it. Support told me the fraud department would call me and they would investigate.

Months have gone by. I haven't gotten any call back from them. I received a call from Collections saying that I owe $6,694.22 on a Neo Financial credit card. I called support and, after being on hold for almost an hour every time, I was told that the email had not changed and the card was unlocked. How in the world does that happen without my CONSENT? My maximum credit limit is only $1,000.

I feel like my case was neglected and no actions were taken when I thought they were working on it. After numerous phone calls trying to change my email address and submitting all required documents so I can see the transactions and tell them which are fraudulent charges, Neo Financial told me the account was CLOSED, without any permission, and that it's been more than 120 days (it's been more than a year now). Neo Financial is telling me that it is long overdue and they can't dispute anything beyond that.

It affected my credit score big time and is now hindering me from buying a house; I learned it was reported to my credit report. I filed a dispute with Equifax and made a police report. Will I still get these fraudulent transactions disputed? Do I need to make a police complaint to Neo Financial? I have run out of options. Please HELP.

November 25, 2023
10:14 am
AltaRed
BC Interior
Member
Members
Forum Posts: 3122
Member Since:
October 27, 2013

While a bit tangential to this thread, it appears many (most?) people do not understand that email addresses are as important to protect as one's own bank vault, SDB, or SIN card. They are the basis of most User IDs to accounts, and the default 'go to' for institutions to provide 'alerts' to changes in one's accounts, and sometimes for 2FA. One's email password should, in my opinion, be 15-30 characters in length.

All of my accounts, where possible, have both email and SMS text alerts when a transaction, including any profile change, is made. It is a bit of a nuisance to deal with both, but I would rather have both come in than to have a single one of them compromised.

November 25, 2023
10:25 am
Doug
British Columbia, Canada
Member
Members
Forum Posts: 4275
Member Since:
December 12, 2009

Vatox said
Call Concentra and try to find out where your account was logged in and on what device. Neo isn’t a bank  

That's true, yes, in terms of who legally holds your funds, but in using Neo Financial, you're granting Neo Financial the ability to manage your funds and the applicable online banking security guarantee would be delegated to Neo, not Concentra.

November 25, 2023
10:29 am
Doug
British Columbia, Canada
Member
Members
Forum Posts: 4275
Member Since:
December 12, 2009

Norman1 said
Whoever ordered the $2,900 Interac e-transfer had the Neo banking ID and password. How else would the person be able to install the Neo app on their phone and connect the app to the Neo account?

The person also had access to the e-mailbox registered with the Neo account. How else would the person be able to receive the 2FA e-mail message and respond to it?

With that, it isn't unreasonable for Neo or any financial institution to think that the person is the actual Neo account holder. Different phone or different IP address is just noise.

People change phones by moving their SIM card. IP address changes if one just switches from data plan to the WiFi at home or at work.  

Thank you. You've articulated the exact reason why regulated and non-regulated financial institutions need to be called out, taken to the mat, and publicly flogged and shamed for insisting on using SMS- and/or e-mail-based codes as a two-factor authentication mechanism. We need financial institutions to be required to use FIDO2/other standards TOTA-based two-factor mechanisms and, for those without smartphones, to provide a free rental of a physical hardware token, with a reasonable charge if lost.

Cheers,
Doug

November 25, 2023
10:30 am
Doug
British Columbia, Canada
Member
Members
Forum Posts: 4275
Member Since:
December 12, 2009

i-lost-3k-in-Neo said
Update: They fully refunded the money.

Wow, that's great. And by "they," I assume you mean Neo Financial? 🙂

November 25, 2023
10:52 am
AltaRed
BC Interior
Member
Members
Forum Posts: 3122
Member Since:
October 27, 2013

Doug said

Thank you. You've articulated the exact reason why regulated and non-regulated financial institutions need to be called out, taken to the mat, and publicly flogged and shamed for insisting on using SMS- and/or e-mail-based codes as a two-factor authentication mechanism. We need financial institutions to be required to use FIDO2/other standards TOTA-based two-factor mechanisms and, for those without smartphones, to provide a free rental of a physical hardware token, with a reasonable charge if lost.

Cheers,
Doug  

Maybe, but that is not what the public at large will likely accept with a (near) 100% online future. It is incumbent upon each individual to properly secure their email address login credentials and their phone access. Anything less is irresponsible.

November 25, 2023
11:50 am
Norman1
Member
Members
Forum Posts: 7162
Member Since:
April 6, 2013

As well, those software FIDO tokens are not much more secure either.

After hijacking the cellphone number, the thief will call the financial institution with a story that the original cellphone is now at the bottom of the Pacific Ocean after it was dropped while trying to take a photo during a whale watching excursion. Now have new phone.

The financial institution's agent will authenticate caller with date of birth and other info. Caller ID shows the call being made from cellphone number on record. Agent sends a text message to the cellphone number on record. Thief provides the code in the received text message. Authentication passes.

Agent then proceeds to pair the FIDO token from the app installed on the thief's phone. Thief now has FIDO-authenticated access to the bank accounts.
