Sharing your personal information to suppress fraud - effective Apr 20, 2024 | Tangerine Bank | Discussion forum

Sharing your personal information to suppress fraud - effective Apr 20, 2024
March 21, 2024
3:01 pm
hwyc
GTA
Member
Members
Forum Posts: 1169
Member Since:
September 30, 2017

Open banking is tiptoeing closer. Lo and behold, there is a message in my Tangerine Inbox.

March 21, 2024
6:25 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 1914
Member Since:
January 12, 2019

.
The Tangerine message that Hwyc is talking about . . .
.

    "We're updating our Account Terms, effective April 20, 2024.
    .
    We're adding a new subsection under section A. General Terms - applicable to all Accounts. Here's the new section:
    .
    Sharing your personal information to suppress fraud
    .
    As part of our ongoing efforts to detect and prevent fraud, we're working with Ekata, Inc., a wholly-owned subsidiary of Mastercard International Incorporated ("Mastercard"). Your personal data are shared with Mastercard to verify your identity, the accuracy of the data you have provided, and to combat fraudulent and criminal activities (e.g., someone pretending to be you). For the purposes of fraud detection and prevention, you agree that we may disclose your transaction information, along with your name, phone number, email, IP and physical addresses to Mastercard. Mastercard combines the information we provide to them with information that they receive from other sources to create a database that they use to provide these services to us and to others, and may use that information for other purposes such as data analysis and product development, as further described in the Ekata by Mastercard - Global Privacy Notice."

.
It seems to me that; "Sharing your personal information to suppress fraud"
is an 'Oxymoron' ... No ❓

    Dean

" Live Long, Healthy ... And Prosper! "

March 21, 2024
7:39 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 2885
Member Since:
October 27, 2013

Not necessarily. It may increase the odds of a data breach due to data now being at Ekata but the physicals of your data given to them may well help prevent fraud, e.g. being perpetrated from an IP other than the ones you use to access your FI accounts. It won't help in an infection necessarily if an actor can take over your device but it should be helpful in many other instances.

Open Banking is going to open the vault doors between FIs anyway so your data identity will be passed back and forth, obviously only to those in which you do, or wish to do, business.

March 22, 2024
7:29 am
phrank
Member
Members
Forum Posts: 312
Member Since:
January 3, 2009

Dean said
It seems to me that; "Sharing your personal information to suppress fraud"
is an 'Oxymoron' ... No ❓

    Dean

  

Yes, it's another way to shift blame from the responsible to the innocent and creates another single point of failure.

"If you had only given us all of your personal information, bought a smart phone, pay for a data/voice plan, and walked around on 24/7 call, we would have known it wasn't you making the transactions..."

They fail to acknowledge that the vast majority of fraud is caused not by the individual, but by inadequate security by the manager of the information/accounts which they then often don't even acknowledge happened and provide the bare minimum compensation for.

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Another negative of this is what they do with that information. It takes us another step towards requiring digital IDs where at the flip of a switch the majority of your freedoms can be taken away.

If the companies/government could be trusted to provide quality service with integrity it would be a different story, but I don't appreciate the facade of we're protecting you, requiring that you give them more of your personal information like your phone number, when there are better ways of enabling people to protect their identity, securing their accounts, but these do not require you to give information to the institutions which they can compile, monetize or further their agendas.

I'd also have no problem with these sorts of things if you had a choice, but the fact is that most of us are put into situations where we no longer have a choice and that's where I see this going. At this point I believe history supports the idea that this will not turn out to be a good thing.

March 22, 2024
8:52 am
Alexandre
Member
Members
Forum Posts: 1109
Member Since:
November 8, 2018

phrank said

Yes, it's another way to shift blame from the responsible to the innocent and creates another single point of failure.

"If you had only given us all of your personal information, bought a smart phone, pay for a data/voice plan, and walked around on 24/7 call, we would have known it wasn't you making the transactions..."

They fail to acknowledge that the vast majority of fraud is caused not by the individual...

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Someone calls you from the "Security Department" of FI you have account with. There is an issue with your account, it appears there are fraudulent transactions which are currently placed on hold.
To make sure they talk to the right person they ask you to provide your account number, the one you use to login to your online banking.
To confirm it is you, they will be sending security code to your phone number that you registered with FI. When you receive that code you should read it back and verification will be complete.
Security Department will know you are the owner of the account, as they sent the code to the phone number associated with the account only FI knows about.

------------

This should answer your question. Yes, such acts of fraud, where somebody voluntarily gave up their account info and 2FA code to bad actors, do happen often.

March 22, 2024
9:46 am
phrank
Member
Members
Forum Posts: 312
Member Since:
January 3, 2009

Alexandre said

phrank said

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Someone calls you from the "Security Department" of FI you have account with. There is an issue with your account, it appears there are fraudulent transactions which are currently placed on hold.
To make sure they talk to the right person they ask you to provide your account number, the one you use to login to your online banking.
To confirm it is you, they will be sending security code to your phone number that you registered with FI. When you receive that code you should read it back and verification will be complete.
Security Department will know you are the owner of the account, as they sent the code to the phone number associated with the account only FI knows about.

------------

This should answer your question. Yes, such acts of fraud, where somebody voluntarily gave up their account info and 2FA code to bad actors, do happen often.  

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with. It's a very slick con which feels normal if you're not alert or caught off guard, but while the victim unwittingly gives up their 2FA code, they didn't give up all of their information, like the info which instigated the fraud, that information was obtained elsewhere and most likely from the company/bank which now won't cover you unless you get more visibility on the case. That same company which forced you to give up that information to do business with them and then neglected their duty to guard it.

There are many scenarios and my point is scammers very rarely (if ever anymore) are obtaining the information which enables the instigation of the scam from individuals. These are organized groups that don't operate on a one to one basis, they deal in mass data breaches of companies storing information they took from their clients.

Everything is big data these days, even criminals and forcing people to put more and more of their personal information in centralized locations where more and more organizations have access to it, that's not best practice if the individual's best interest was truly at heart.

There are ways to increase security through decentralizing.

March 22, 2024
12:20 pm
Alexandre
Member
Members
Forum Posts: 1109
Member Since:
November 8, 2018

phrank said

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with.

This all is social engineering.

1. Robocalling random phone numbers;
2. Victim picks the phone and connected to human - to bad actor;
3. Telling victim their FI account is compromised. A bit of luck is victim having account with that FI. If not, go to Step 1;
4. Victim asked for and provides account number (for "verification");
5. Victim is told they'll get security code for additional verification;
6. Password reset is initiated for that account number by bad actors;
7. 2FA code sent to victim's phone by FI;
8. Victim reads 2FA code back to bad actors;
9. Bad actors reset password and take control over account.

-------------

Step 3 is obviously hit and miss. Recently I got a call from major telecom provider in Canada, no surprise I have account with them. They told me something is amiss with my account and they wanted to begin with "verification process" to confirm they are talking to account owner.

I explained to the caller why they are not who they pretend to be, surprisingly they insisted so I asked to name CEO of their company. They hang up on me, I am guessing wasting time for googling that info was too much for them.

March 22, 2024
1:16 pm
savemoresaveoften
Member
Members
Forum Posts: 2875
Member Since:
March 30, 2017

Alexandre said

phrank said

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with.

This all is social engineering.

1. Robocalling random phone numbers;
2. Victim picks the phone and connected to human - to bad actor;
3. Telling victim their FI account is compromised. A bit of luck is victim having account with that FI. If not, go to Step 1;
4. Victim asked for and provides account number (for "verification");
5. Victim is told they'll get security code for additional verification;
6. Password reset is initiated for that account number by bad actors;
7. 2FA code sent to victim's phone by FI;
8. Victim reads 2FA code back to bad actors;
9. Bad actors reset password and take control over account.

-------------

Step 3 is obviously hit and miss. Recently I got a call from major telecom provider in Canada, no surprise I have account with them. They told me something is amiss with my account and they wanted to begin with "verification process" to confirm they are talking to account owner.

I explained to the caller why they are not who they pretend to be, surprisingly they insisted so I asked to name CEO of their company. They hang up on me, I am guessing wasting time for googling that info was too much for them.  

It's really simple to prevent these frauds, just ask for the name of the person, then look up the real phone number and call that number back to verify. Never give out any info from a call that you receive and did not initiate.

March 22, 2024
1:32 pm
phrank
Member
Members
Forum Posts: 312
Member Since:
January 3, 2009

Alexandre said

phrank said

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with.

This all is social engineering.

1. Robocalling random phone numbers;
2. Victim picks the phone and connected to human - to bad actor;
3. Telling victim their FI account is compromised. A bit of luck is victim having account with that FI. If not, go to Step 1;
4. Victim asked for and provides account number (for "verification");
5. Victim is told they'll get security code for additional verification;
6. Password reset is initiated for that account number by bad actors;
7. 2FA code sent to victim's phone by FI;
8. Victim reads 2FA code back to bad actors;
9. Bad actors reset password and take control over account.

-------------

Step 3 is obviously hit and miss. Recently I got a call from major telecom provider in Canada, no surprise I have account with them. They told me something is amiss with my account and they wanted to begin with "verification process" to confirm they are talking to account owner.

I explained to the caller why they are not who they pretend to be, surprisingly they insisted so I asked to name CEO of their company. They hang up on me, I am guessing wasting time for googling that info was too much for them.  

That's crazy, but you're so right IMO on all that stuff.

March 23, 2024
1:22 am
RetirEd
Member
Members
Forum Posts: 1013
Member Since:
November 18, 2017

...And if you get a "grandparent scam" or someone who says they need money - and you have already guessed someone you know as the caller - ask for their last name, or better yet, the "family password." Even if you don't have a family password, that will still knock them off script.

RetirEd

March 23, 2024
5:43 am
Alexandre
Member
Members
Forum Posts: 1109
Member Since:
November 8, 2018

savemoresaveoften said

It's really simple to prevent these frauds, just ask for the name of the person, then look up the real phone number and call that number back to verify. Never give out any info from a call that you receive and did not initiate.

If it were that simple, we would not have had people losing hundreds of thousands of dollars to scammers. We would not need sophisticated anti-fraud systems like one that Tangerine appears to test on its clients.

I am totally speculating here, but I can see scenario where such anti-fraud system can spot quite simple cases of fraud, just because info is shared.

Case 1. Customer who usually resides in Montreal initiates password reset from the location in India.

People do travel, FI has no reason to believe something is wrong with that, sends 2FA code and grants request.

With shared info, FI might learn that just 30 minutes earlier same customer checked their balance in their account with different FI, from their usual location in Montreal. Now FI does have reason to suspect something might be wrong here, as it is usually hard to get from Montreal to India in just 30 minutes.

Case 2. Starts same as Case 1, but FI is informed, by anti-fraud system, that same location in India which is office building initiated multiple password reset requests for personal accounts of different clients of a dozen of other Canadian FIs in the last hour.
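
The two cases sketched in the post above, written out as detection logic over login events pooled from several institutions. This is an added example, not part of the original post and not Tangerine's or Ekata's system; the event fields, the thresholds, and the use of source IP as the "location" are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events, as if pooled from several institutions.
# Fields: time, institution, customer, action, source IP, latitude, longitude.
MONTREAL, DELHI = (45.50, -73.57), (28.61, 77.21)
EVENTS = [
    ("2024-03-23T09:00", "FI-A", "cust-1", "balance_check", "198.51.100.7", *MONTREAL),
    ("2024-03-23T09:30", "FI-B", "cust-1", "password_reset", "203.0.113.9", *DELHI),
    ("2024-03-23T09:40", "FI-C", "cust-2", "password_reset", "203.0.113.9", *DELHI),
    ("2024-03-23T09:55", "FI-D", "cust-3", "password_reset", "203.0.113.9", *DELHI),
    # A genuine traveller: a full day between the two events, so no alert.
    ("2024-03-22T08:00", "FI-A", "cust-4", "balance_check", "198.51.100.8", *MONTREAL),
    ("2024-03-23T08:00", "FI-A", "cust-4", "login", "192.0.2.44", *DELHI),
]


def parse(events):
    """Turn the tuples into dicts with real datetimes, oldest first."""
    keys = ("time", "fi", "customer", "action", "ip", "lat", "lon")
    rows = [dict(zip(keys, e)) for e in events]
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900, min_km=500):
    """Case 1: the same customer seen at two places faster than a plane flies.

    min_km ignores small jumps caused by imprecise IP geolocation.
    """
    alerts, last_seen = [], {}
    for r in parse(events):
        prev = last_seen.get(r["customer"])
        last_seen[r["customer"]] = r
        if prev is None:
            continue
        km = distance_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
        hours = (r["time"] - prev["time"]).total_seconds() / 3600
        if km >= min_km and (hours == 0 or km / hours > max_kmh):
            alerts.append((r["customer"], prev["fi"], r["fi"], round(km)))
    return alerts


def reset_fanout(events, window=timedelta(hours=1), min_accounts=3):
    """Case 2: one source resetting passwords on many unrelated accounts."""
    by_ip, alerts = defaultdict(list), {}
    for r in parse(events):
        if r["action"] != "password_reset":
            continue
        # Keep only resets from this source that fall inside the window.
        recent = [e for e in by_ip[r["ip"]]
                  if r["time"] - e["time"] <= window] + [r]
        by_ip[r["ip"]] = recent
        accounts = {(e["fi"], e["customer"]) for e in recent}
        if len(accounts) >= min_accounts:
            alerts[r["ip"]] = sorted(accounts)
    return alerts


if __name__ == "__main__":
    print(impossible_travel(EVENTS))
    print(reset_fanout(EVENTS))
```

Neither check works from a single institution's logs: the Montreal event and the other customers' resets only become visible once the events are pooled, which is the trade-off the thread is arguing about.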

March 23, 2024
10:58 am
Oscar
Member
Members
Forum Posts: 283
Member Since:
October 17, 2018

A quick search of ( Gates Foundation partners with Mastercard ) brings up many hits and should make it clear that the goal from the start has been to implement digital id using PPPartnerships and for them to be a leader. Example - https://www.forbes.com/sites/tomgroenfeldt/2014/12/09/why-the-gates-foundation-is-funding-a-mastercard-lab/?sh=5e6b0c45778f
and - https://www.businessfor2030.org/covid19-1/2020/3/27/member-spotlight-microsofts-covid-19-assessment-bot-eliminates-bottlenecks-85xcb-y4sec-3lxsk-8jy5f-rgald-fgntl
Notice how the name shows the UN 2030 symbol in their name - https://www.businessfor2030.org/
If one looks at the Ekata website and clicks on "how it works" link you will see they gather into their proprietary databases very detailed information such as your old roommate address, your mother's phone number and your IP address from your public library. To keep you safe. Same type of charts the WEF uses, and they are also partnered with them of course.

March 23, 2024
11:06 am
Oscar
Member
Members
Forum Posts: 283
Member Since:
October 17, 2018

phrank said

Yes, it's another way to shift blame from the responsible to the innocent and creates another single point of failure.

"If you had only given us all of your personal information, bought a smart phone, pay for a data/voice plan, and walked around on 24/7 call, we would have known it wasn't you making the transactions..."

They fail to acknowledge that the vast majority of fraud is caused not by the individual, but by inadequate security by the manager of the information/accounts which they then often don't even acknowledge happened and provide the bare minimum compensation for.

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Another negative of this is what they do with that information. It takes us another step towards requiring digital IDs where at the flip of a switch the majority of your freedoms can be taken away.

If the companies/government could be trusted to provide quality service with integrity it would be a different story, but I don't appreciate the facade of we're protecting you, requiring that you give them more of your personal information like your phone number, when there are better ways of enabling people to protect their identity, securing their accounts, but these do not require you to give information to the institutions which they can compile, monetize or further their agendas.

I'd also have no problem with these sorts of things if you had a choice, but the fact is that most of us are put into situations where we no longer have a choice and that's where I see this going. At this point I believe history supports the idea that this will not turn out to be a good thing.

Yup

March 23, 2024
12:21 pm
savemoresaveoften
Member
Members
Forum Posts: 2875
Member Since:
March 30, 2017

Alexandre said
If it were that simple, we would not have had people losing hundreds of thousands of dollars to scammers. We would not need sophisticated anti-fraud systems like one that Tangerine appears to test on its clients.

I have not yet seen a story about a person lose $$$ to a really sophisticated scam scheme. Every story has been "grandson in trouble", "can u use ur credit card to pay for my pizza and i give u cash instead", "Nigeria prince needs ur help", "your SIN# is locked, called us to unlock" type. And to make it even worse, a lot require gift card as payment...
I hate to say it, but all those victims are simply they don't apply "common sense", choose to "trust a complete stranger" or let their emotions take over their thought process.
So yes it is indeed pretty simple not to get scammed. It's not that scammers are smart (if they are, they can make a living without scamming), just that the victims are dumber.

March 23, 2024
4:08 pm
phrank
Member
Members
Forum Posts: 312
Member Since:
January 3, 2009

savemoresaveoften said

Alexandre said
If it were that simple, we would not have had people losing hundreds of thousands of dollars to scammers. We would not need sophisticated anti-fraud systems like one that Tangerine appears to test on its clients.

I have not yet seen a story about a person lose $$$ to a really sophisticated scam scheme. Every story has been "grandson in trouble", "can u use ur credit card to pay for my pizza and i give u cash instead", "Nigeria prince needs ur help", "your SIN# is locked, called us to unlock" type. And to make it even worse, a lot require gift card as payment...
I hate to say it, but all those victims are simply they don't apply "common sense", choose to "trust a complete stranger" or let their emotions take over their thought process.
So yes it is indeed pretty simple not to get scammed. It's not that scammers are smart (if they are, they can make a living without scamming), just that the victims are dumber.

I don't feel calling victims dumb is appropriate.

March 23, 2024
6:34 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 1914
Member Since:
January 12, 2019

    'Ditto' What Phrank said ⬆

Sadly, blaming the Victim(s) seems to be a common practice, for some here.

No worries ... Karma will eventually see that they Fall Off their High Horse.

    Dean

" Live Long, Healthy ... And Prosper! "

March 23, 2024
8:37 pm
Loonie
Member
Members
Forum Posts: 9245
Member Since:
October 21, 2013

Quite a number of years ago, it was considered good practice to phone your bank, and especially your credit card issuer, to inform them if you were going overseas. This precaution arose because sometimes people found themselves stranded when their FI decided they were doing something unusual and therefore suspicious, and cut them off.

I remember calling my bank once for this purpose, and the fellow I spoke to was positively grateful that I'd called, and congratulated me for doing so. I was so surprised at the warmth of his reaction that it has stuck in my mind.

A few years later, I did this again, and was then told it was "no longer necessary".

Both of these occasions were quite a few years ago now. I always wondered why it was "no longer necessary". Had they really solved the problem (not very likely)? Did they somehow have access to my travel plans, even though bookings not necessarily made on their card? Or did they just not care very much any more? I concluded, in the absence of more compelling information, that they'd decided it was too much trouble (i.e. cost too much) to keep track of such phone calls.
Today's requirements for more and more unwarranted releases of information sound to me like an extension of this policy, designed in a way that best protects the FI, not the customer. Why expect otherwise? People are too willing to give them whatever they ask for, and don't realize the ultimate consequences.
Privacy is something you can't get back.

March 23, 2024
10:24 pm
Norman1
Member
Members
Forum Posts: 6768
Member Since:
April 6, 2013

Loonie said
…. I always wondered why it was "no longer necessary". Had they really solved the problem (not very likely)? …

Yes, the problem was solved. The credit cards with a chip make it highly unlikely that the real card was not there for a successfully validated card-is-present transaction.

In contrast, the magnetic-stripe cards were easily cloned without the cardholder's knowledge.

March 24, 2024
7:41 am
phrank
Member
Members
Forum Posts: 312
Member Since:
January 3, 2009

Norman1 said

Loonie said
…. I always wondered why it was "no longer necessary". Had they really solved the problem (not very likely)? …

Yes, the problem was solved. The credit cards with a chip make it highly unlikely that the real card was not there for a successfully validated card-is-present transaction.

In contrast, the magnetic-stripe cards were easily cloned without the cardholder's knowledge.  

This is no longer the case, but they are still acting like it is. Chips have been able to be cloned as well and like stealing cars using FOBs vs physical keys, it will eventually become a big problem.

IMO, they simply do not care and rather like most other services these days, the customer should appreciate the privilege of the business allowing you to give them your money for their service. The customer is expected to give them all information they request and do with as they please in an insecure fashion, plus the customer must maintain an ability to be in constant contact by email, sms, phone and internet if they wish to maintain their service.

One of the kickers here is even when you do everything they force you to do, when you have an issue they are often not available to take your call due to more cost cutting.

It's another example of offloading of what used to be the company's responsibility to the customer.

No one pushes back so why wouldn't they keep adding to their bottom line and reducing their responsibility.

I still call my financial institutions when I go out of town. I've even had one admit that they can manually put in notifications which the fraud department can refer to when what they deem suspicious activity occurs and luckily I have only had my card locked while I was making out of province purchases while still at home.

I don't have a problem with people making mistakes if they are putting an effort into their work, but as Dean states, it's just accepted now to blame the victims. It's more profitable for the shareholders.

March 24, 2024
9:17 am
HermanH
Member
Members
Forum Posts: 1164
Member Since:
April 14, 2021

Norman1 said
Yes, the problem was solved. The credit cards with a chip make it highly unlikely that the real card was not there for a successfully validated card-is-present transaction.

Not likely. I recently had my card locked while I was still in town. I made a larger single purchase than normal via chip and PIN and was immediately locked out and had to go through the onerous task of trying to reach Visa security department. Of course, my convenience was subordinate to theirs, as the department only opens during business hours.
