Which is the point of the article. I don't understand why people are so eager to downvote what's essentially a PSA. While eTransfer could be made more secure, e.g. by requiring 2FA, in both cases cited by CBC the users failed to protect either their email accounts, their bank accounts or the transfer itself with strong passwords.gravityfunk wrote: ↑May 13th, 2019 3:22 amSeems like they need to:
a) use a more secure password for their email
b) come up with a more secure verification question / answer
I guess if you can't do a) then it follows that b) does not happen either.
Hoover's security question to her friend was: "Who is my favourite Beatle?" The fraudster would have had a one in four chance of getting it right... Hoover says she's learned the hard way that strong security questions and passwords are crucial...
In another, similar case, Dr. Sylvia Veith of Prince Albert, Sask., lost $7,000 when she used Interac to e-transfer money to her son's hockey league in June 2017. That money was intercepted and her bank — RBC — blamed a weak password to a security question...
I think you have to assume that anyone can see your e-mail. You could have an impossible-to-guess password on your e-mail account, but you have no idea who might have eavesdropped on that message along its way to your inbox.bylo wrote: ↑May 13th, 2019 7:53 amWhich is the point of the article. I don't understand why people are so eager to downvote what's essentially a PSA. While eTransfer could be made more secure, e.g. by requiring 2FA, in both cases cited by CBC the users failed to protect either their email accounts, their bank accounts or the transfer itself with strong passwords.
My reading of this cautionary article is that the two victims have no one to blame but themselves. They have no basis for blaming RBC or Interac for their own stupidity or expecting restitution from them. They do have cause to go to the police to investigate their situations for fraud.
My understanding was that the recipients email password wasn't too difficult to crack, that, or she was using the same password at different sites, one that may have been hacked. Other than that, though, I never have heard of a message being intercepted before reaching its target address. Even if it could have, though, a decent security question would have prevented this from happening.taxrage wrote: ↑May 13th, 2019 10:15 amI think you have to assume that anyone can see your e-mail. You could have an impossible-to-guess password on your e-mail account, but you have no idea who might have eavesdropped on that message along its way to your inbox.
Therefore, the security question associated with each transfer is the only real protection you have that the intended recipient can access the $$$.
How can we fly like eagles, when we're governed by Turkeys?
Most email systems today, including the biggies like gmail, encrypt their transmissions.
Bingo! In both cases cited in the CBC article the security question had a simple enough answer that anyone could guess.Even if it could have, though, a decent security question would have prevented this from happening.
That's a good start. Those passwords also need to be long, e.g. 12+ characters, so as to thwart brute force attacks. In addition, some form of 2FA adds an extra layer of protection--even if the 2FA implementation, like TD's, may not be 100% bulletproof.For myself, I have different passwords for my e-mail and anything financial, then one of sites like this, so even if one is hack, it shouldn't have an effect on my other accounts.
How can we fly like eagles, when we're governed by Turkeys?
There's nothing to intercept with autodeposit, as the email is simply a notification.jeff1970 wrote: ↑May 13th, 2019 1:42 pmMy one bank (my main bank) and my one credit card use 2FA -- which really is a pain sometimes, but in this case, someone would need to know, not only my bank password, and my security question, they'd also need to know my e-mail password. I mean, that night actually be 3FA, since they'd have to be correct on three items.
And that's another thing I try to separate -- those security questions I try to have different questions for each site. To this point, not even my kids or the ex would know the answers, because these are things I never spoke to anyone about (favourite author, favourite childhood athlete) -- the athlete one is really tough, since the dude wasn't even a star.
As others mentioned, having auto-deposits is a great idea. Even if you have to have more than 1 email, it'll be valuable because there is no lag with deposits, and it'll be too late if someone knows your email.
The security question is key.
