Online banking fraud victim - help needed!

Last Updated: Nov 17th, 2017 2:07 pm
Banned
Nov 7, 2017
28 posts
5 upvotes
edkate wrote:
Nov 8th, 2017 11:14 pm
BMO
My password was never written. Not easily guessable... I'm lost tooooooo
Holy crap! Mine is BMO too!

You know what's funny? BMO used to have a security question which you had to answer before you entered your PIN to access the account. Now they got rid of that, so it's easier to hack.

Now on www.bmo.com, you just enter your 16-digit debit card number (not hard to get from somewhere) and then your 6-digit numeric PIN (it's not even an alphanumeric PIN, they don't allow that), so only a 6-digit numeric PIN, that's it and you are in!

First after you entered the 16-digit debit card number, they would ask the answer to a security question and then the 6-digit PIN. But they got rid of the security question for some reason!

You could have any 3 security questions you wanted like - Who is your favourite athlete? What was your first pet's name? Where did you meet your spouse? etc. etc.

I don't know why banks don't allow alphanumeric passwords and PINs like email does, say something like *@1AY!

Just a numeric PIN is silly like 597436 or something like that.

16-digit debit number (easy to get off the debit card) and 6-digit numeric PIN and anyone is into your BMO account online! No security questions, no alphanumeric PIN, no 2-step authentication, nothing! No wonder someone hacked your BMO account.
Deal Addict
Jan 31, 2006
4361 posts
408 upvotes
Toronto
miyoshidoll wrote:
Nov 9th, 2017 6:28 am
Holy crap! Mine is BMO too!

You know what's funny? BMO used to have a security question which you had to answer before you entered your PIN to access the account. Now they got rid of that, so it's easier to hack.

Now on www.bmo.com, you just enter your 16-digit debit card number (not hard to get from somewhere) and then your 6-digit numeric PIN (it's not even an alphanumeric PIN, they don't allow that), so only a 6-digit numeric PIN, that's it and you are in!

First after you entered the 16-digit debit card number, they would ask the answer to a security question and then the 6-digit PIN. But they got rid of the security question for some reason!

You could have any 3 security questions you wanted like - Who is your favourite athlete? What was your first pet's name? Where did you meet your spouse? etc. etc.

I don't know why banks don't allow alphanumeric passwords and PINs like email does, say something like *@1AY!

Just a numeric PIN is silly like 597436 or something like that.

16-digit debit number (easy to get off the debit card) and 6-digit numeric PIN and anyone is into your BMO account online! No security questions, no alphanumeric PIN, no 2-step authentication, nothing! No wonder someone hacked your BMO account.
I also noticed the change; however, if (correct me if I am wrong) you used the same PC or mobile device on a different IP address, that question will still pop up.
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
What about the payees list? Utilities? Credit cards?

Should I change them all??????

Also I'm trying to find out why they haven't touched the big sum account?
Could it be because they only saw accounts linked to the debit card? Like chequing and savings?
Deal Addict
Sep 10, 2005
3106 posts
492 upvotes
GTA
I think you'll probably be fine with what you've done so far. Another thing I recommend is to not re-use passwords in multiple sites/services.

If your banking password was the same password you used somewhere else, it's possible that's how they retrieved it.
Deal Expert
Aug 22, 2011
15780 posts
4676 upvotes
Ottawa
edkate wrote:
Nov 9th, 2017 7:08 am
What about the payees list? Utilities? Credit cards?

Should I change them all??????

Also I'm trying to find out why they haven't touched the big sum account?
Could it be because they only saw accounts linked to the debit card? Like chequing and savings?
Whoever is doing this likely has access to several accounts and is performing smaller transactions to stay under the radar.
Would you have noticed the amount transferred if BMO hadn't flagged it?
Deal Expert
Aug 22, 2011
15780 posts
4676 upvotes
Ottawa
miyoshidoll wrote:
Nov 9th, 2017 6:28 am
Holy crap! Mine is BMO too!

You know what's funny? BMO used to have a security question which you had to answer before you entered your PIN to access the account. Now they got rid of that, so it's easier to hack.

Now on www.bmo.com, you just enter your 16-digit debit card number (not hard to get from somewhere) and then your 6-digit numeric PIN (it's not even an alphanumeric PIN, they don't allow that), so only a 6-digit numeric PIN, that's it and you are in!

First after you entered the 16-digit debit card number, they would ask the answer to a security question and then the 6-digit PIN. But they got rid of the security question for some reason!

You could have any 3 security questions you wanted like - Who is your favourite athlete? What was your first pet's name? Where did you meet your spouse? etc. etc.

I don't know why banks don't allow alphanumeric passwords and PINs like email does, say something like *@1AY!

Just a numeric PIN is silly like 597436 or something like that.

16-digit debit number (easy to get off the debit card) and 6-digit numeric PIN and anyone is into your BMO account online! No security questions, no alphanumeric PIN, no 2-step authentication, nothing! No wonder someone hacked your BMO account.
RBC does, and you can also set up security questions after successfully logging in with the password.
It actually prevented an unauthorized login on my account, as I was receiving security alerts on failed attempts.
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
vkizzle wrote:
Nov 9th, 2017 8:28 am
Whoever is doing this likely has access to several accounts and is performing smaller transactions to stay under the radar.
Would you have noticed the amount transferred if BMO hadn't flagged it?
$2000 +$1000 - definitely noticeable.
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
BMO said password was reset!
I didn't get password reset notification... I don't think they have it.
Member
Aug 27, 2013
337 posts
141 upvotes
cloud
Perhaps your debit card was compromised by ATM skimming. Who knows? In that case your PC and other online accounts should be safe.

I wouldn't lose sleep over this. I'm sure you'll keep a close eye on your account transactions in the next while. Not too much else you can do.

Look into password managers like LastPass and start using super-complex passwords and 2FA on other sites whenever possible. There've been many threads on password managers here on RFD.
Deal Fanatic
Nov 19, 2004
7189 posts
981 upvotes
Cambridge, ON
edkate wrote:
Nov 9th, 2017 8:37 am
BMO said password was reset!
I didn't get password reset notification... I don't think they have it.
Change your password anyway. And don't use the same password that you use anywhere else. Make sure any secret questions are not guessable or easily found information. Better yet, don't use real info for your secret questions.
Deal Addict
Jan 21, 2014
2139 posts
492 upvotes
I remember someone mentioned a while back why BMO only allows 6 digits as the password. I don't remember the password reset requirement, probably some security questions/answers, which sometimes they can guess from your social media accounts. I have or had accounts with all of them except Scotia and this is what I found:
- TD, RBC, NBC, EQB, ZAG - they all allow passwords with even special characters
- CM, Simplii/PCF - allow letters, but limit to 12 characters max and no special characters
- BMO/Tangerine - digits only and limit to 6

I closed my BMO a while back and set up security questions with my Tangerine account. I also only have savings and linked with my other banks. So if they get into my Tangerine, they must set up a new link (remove the old one), which I will be notified of. Else they will just be moving my money for me to other banks, which I will also be notified of.
Deal Addict
Sep 10, 2005
3106 posts
492 upvotes
GTA
don242 wrote:
Nov 9th, 2017 8:48 am
Change your password anyway. And don't use the same password that you use anywhere else. Make sure any secret questions are not guessable or easily found information. Better yet, don't use real info for your secret questions.
Agreed. Security questions are one of the worst things they have come up with. I'm sure it has actually made things even less secure.
Deal Addict
Jan 21, 2014
2139 posts
492 upvotes
I remember someone suggested to me once, that I can pick some ridiculous answer or use another secret password and use it as the same answer for all of my security questions regardless of what the question is.
Deal Addict
Dec 16, 2005
2701 posts
690 upvotes
I like custom security questions, so all I do is create a question that reminds me what password I used. It is meaningless and the answer is also meaningless and not necessary, as the question itself is the password reminder.

Out of curiosity, OP... do you use BMO debit card to pay for things? Paying using your debit card is the easiest way for someone to get your bank card number.
If you must use debit, attach it to Apple Pay or Android Pay as it is much more secure since it uses a temporary number.

I never use debit. Period. The only time I use my debit card is at an ATM. And even then I am very careful to check the reader to see if there are additional devices.
Deal Addict
Jan 20, 2016
1360 posts
512 upvotes
Houston, TX
cmchiu wrote:
Nov 9th, 2017 8:39 am
Perhaps your debit card was compromised by ATM skimming. Who knows? In that case your PC and other online accounts should be safe.

I wouldn't lose sleep over this. I'm sure you'll keep a close eye on your account transactions in the next while. Not too much else you can do.

Look into password managers like LastPass and start using super-complex passwords and 2FA on other sites whenever possible. There've been many threads on password managers here on RFD.
Skimming an ATM card will NOT help to crack online banking. At least at TD, you have to 1) enter an ONLINE password (NOT saved on the ATM card) 2) answer security questions for ALL new IP address logins (and old as well if you delete cookies)

IMO until someone hacks the bank's DB directly, it's hard to get someone's online access EXCEPT in the case where the user logged in to some "public" PC and someone used his session shortly after...
Make the Trudeau drama teacher again!