Credit Cards

Online banking fraud victim - help needed!

  • Last Updated:
  • Jan 22nd, 2018 10:59 pm
Tags:
None
Member
Mar 14, 2010
283 posts
144 upvotes
Toronto
McMaggot wrote: While the issue is serious, it is only WiFi security issue exposing your traffic. It is no different than somebody logging traffic between two devices, but if the traffic itself is encrypted, the logging is pretty much useless. It helps knowing what it is before spreading FUD.
It IS serious:
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. ...As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher.
From: https://www.krackattacks.com/#faq

Wifi simply is not safe for most mobile devices, even if you don't use your phone/tablet for financial transactions. as HoTiCE points out in his excellent post above.. I still use it but I have no trace on my devices of any of the financial institutions I deal with. I have a Windows laptop for banking when I travel (Windows has some kind of fix to prevent KRACK attack) and only use it in a pinch when on friends' networks, not public networks.

As you can see from this list of routers, fixes are few and far in between although the companies are taking the threat very seriously. https://github.com/kristate/krackinfo#v ... e-complete
Deal Addict
User avatar
Feb 16, 2004
1753 posts
148 upvotes
York Region
pickles02 wrote: It IS serious: From: https://www.krackattacks.com/#faq

Wifi simply is not safe for most mobile devices, even if you don't use your phone/tablet for financial transactions. as HoTiCE points out in his excellent post above.. I still use it but I have no trace on my devices of any of the financial institutions I deal with. I have a Windows laptop for banking when I travel (Windows has some kind of fix to prevent KRACK attack) and only use it in a pinch when on friends' networks, not public networks.

As you can see from this list of routers, fixes are few and far in between although the companies are taking the threat very seriously. https://github.com/kristate/krackinfo#v ... e-complete
So basically everyone is screwed for now? Some OS has had fixes issued, some hasn't.
What if I use my android phone at home on Wi-Fi network? I already installed VPN on my phone, firewall and antivirus on our laptops. Should we enable VPN on laptops too?
What if i log in to fb using Gsm provider and then switch to wifi after i logged in? Is this method safe?
Member
Mar 14, 2010
283 posts
144 upvotes
Toronto
edkate wrote: So basically everyone is screwed for now? Some OS has had fixes issued, some hasn't.
What if I use my android phone at home on Wi-Fi network? I already installed VPN on my phone, firewall and antivirus on our laptops. Should we enable VPN on laptops too?
What if i log in to fb using Gsm provider and then switch to wifi after i logged in? Is this method safe?
I wouldn't log into a financial site using an Android phone since they are the easiest to KRACK. If you are traveling and don't have a secure internet connection, phone your bank from a land line if you really have to do banking. Otherwise, use data from your phone company which is far safer than wifi at the best of times.

If you live in a house, only a few people could even see your wifi connection -- perhaps neighbours on either side, if your houses are small and close together. Using your phone or tablet is safe. If you are in a high rise, more people are close enough to see your wifi router's signal. But do your neighbours plot to spy on you? Nah. But you have no need to use Android devices at home for financial purposes - you have a laptop.

The public networks (McD's, library, hotel, restaurant and dentist's office, etc. are the ones to be wary of. Yes, it is POSSIBLE that someone could Krack your encrypted wifi activity but if you don't keep bank info etc. on your phone, your risk is small. And it's highly unlikely that very many people know how to KRACK -- it's a new vulnerability. Just practice safe computing. You've made a good start already.
Member
Apr 15, 2009
318 posts
325 upvotes
toronto
same with PC financial.. or Simplii as they're called now. 8 characters , alphanumeric only! they they have that orange /green line telling you that your password is mediocre?! But they won't let you use longer string or special characters..
Sr. Member
Mar 23, 2016
821 posts
227 upvotes
HoTiCE_ wrote: Exactly, dont use any of those commercial systems. The best is to set one up at home but granted, this is not the easiest thing to do if you dont work in that field.
Any easy instructions or is it only tech minded ppl who can do it?
*Faux transparency / censorship warning for RFD*
Deal Addict
Feb 21, 2004
1584 posts
378 upvotes
Montreal
springdays wrote: Any easy instructions or is it only tech minded ppl who can do it?
Well, the first hard step is to get a piece of equipment (router) that allows remote VPN Connection. The industry business standard is IPSEC VPN but consumer-grade OpenVPN can also be used. If your router doesn't support it (and most of the ones you buy at Best Buy or Amazon dont), the next step would be to set up a server that runs the OpenVPN server software.

For KRACK, while high severity, I woudln't be overly worry about it. There was a lot of hype in the media. Latest versions of Apple & Windows devices have all been patched. Android is a different story and last I checked, they (Google) had not pushed it out yet. For your WPA2 wifi connection to be exploited by this, both the client (your computer or smartphone) and the access point (wifi router) would need to be vulnerable. EVEN in the very very rare case your wifi was cracked, bank transactions are still secured on top of that with SSL encryption, making it virtually impossible to crack even with modern equipment. Just avoid public wifis and untrusted wifi networks (dont assume the wifi is secure at work). Do Online banking via a wired computer, home wifi, your own VPN service....or LTE cellular service is better than public wifi.
Newbie
Jan 15, 2018
1 posts
The exact same thing happened to me today.
Basically my online banking information were changed (passwords, security questions, email addresses).
They transferred $1200 from my savings to chequing, then cash advanced $600 from my credit card. After that, two e-transfers to one of my payee, which is my landlord. I managed to quickly cancel both of them, so luckily my money is back.

Contacted the bank, changed all passwords / security questions, got a new card, enabled all payment alerts for my account. Will keep an eye on my account for a while.

Have no idea how they got my password, I always type www.bmo.com when I login to my online banking.
Deal Addict
User avatar
Feb 16, 2004
1753 posts
148 upvotes
York Region
You should be contacting police to see to open a case.
Omg! So sorry it happened to you! It is scary.
I switched all transactions to credit card only with each transaction notification sent to my specificly opened email account for this purpose.
Bought 15 ft ethernet cable to do online banking through connecting ut from modem to laptop directly as police detective suggested.
Member
Jan 19, 2017
431 posts
121 upvotes
User092187 wrote: The exact same thing happened to me today.
Basically my online banking information were changed (passwords, security questions, email addresses).
They transferred $1200 from my savings to chequing, then cash advanced $600 from my credit card. After that, two e-transfers to one of my payee, which is my landlord. I managed to quickly cancel both of them, so luckily my money is back.

Contacted the bank, changed all passwords / security questions, got a new card, enabled all payment alerts for my account. Will keep an eye on my account for a while.

Have no idea how they got my password, I always type www.bmo.com when I login to my online banking.
same thing happened to us with BMO on January 1st. they took $2400 out of our savings account and transfered another $4000 to our checking account (for whatever reason). we contacted the bank etc. etc. etc. but they still haven't given us a refund..."we are investigating!". they should be investigating their own security systems; it's absolutely ridiculous that they don't offer 2FA in 2018and they restrict passwords to exactly 6 alphanumeric characters. the branch manager told us a lot of people have been coming in these days to report the same type of fraud.
Member
Jan 19, 2017
431 posts
121 upvotes
edkate wrote: You should be contacting police to see to open a case.
Omg! So sorry it happened to you! It is scary.
I switched all transactions to credit card only with each transaction notification sent to my specificly opened email account for this purpose.
Bought 15 ft ethernet cable to do online banking through connecting ut from modem to laptop directly as police detective suggested.
you seem to have contacted police about this. did they do anything? we are still waiting to hear back from BMO about the refund. my plan was to contact the police if they don't refund us.
Deal Addict
User avatar
Feb 16, 2004
1753 posts
148 upvotes
York Region
you have to contact them anyways! BMO returned everything to us the whole $3000 that was stolen. They said there is too much of these kind of activities going around, Most of them end up withdrawing money in Quebec.
He was going to follow up with BMO. I have to call him back, was caught up in holidays and didnt get a chance.
Deal Addict
Nov 13, 2013
4527 posts
3688 upvotes
Ottawa
User092187 wrote: The exact same thing happened to me today.
Basically my online banking information were changed (passwords, security questions, email addresses).
They transferred $1200 from my savings to chequing, then cash advanced $600 from my credit card. After that, two e-transfers to one of my payee, which is my landlord. I managed to quickly cancel both of them, so luckily my money is back.

Contacted the bank, changed all passwords / security questions, got a new card, enabled all payment alerts for my account. Will keep an eye on my account for a while.

Have no idea how they got my password, I always type www.bmo.com when I login to my online banking.
Interesting why do they pay your landlord? Maybe so the other transactions look legit to fraud algorithms.
Banks in the rest of the world usually gives you a little code generator that basically eliminates this kind of fraud. I guess it would be too disruptive to Canadian customers so better to eat the fraud losses?
Deal Addict
User avatar
Feb 16, 2004
1753 posts
148 upvotes
York Region
fogetmylogin wrote: Interesting why do they pay your landlord? Maybe so the other transactions look legit to fraud algorithms.
Banks in the rest of the world usually gives you a little code generator that basically eliminates this kind of fraud. I guess it would be too disruptive to Canadian customers so better to eat the fraud losses?
they used my payee i set up for credit line and transferred $2000 to that email....go figure!
Deal Addict
User avatar
Feb 16, 2004
1753 posts
148 upvotes
York Region
darXider wrote: you seem to have contacted police about this. did they do anything? we are still waiting to hear back from BMO about the refund. my plan was to contact the police if they don't refund us.
If you dont contact the police, then the bank will take it's time. Detective told me if there is an actual theft without bank returning the money - then police has to open the case and deal with bank!
Deal Addict
Jan 30, 2013
1432 posts
414 upvotes
RICHMOND HILL
are there any common denominators for such frauds?

like
interac

transfer to people/entity other than yourself?
Deal Addict
User avatar
Dec 26, 2010
1736 posts
776 upvotes
Calgary
*rolls eyes* There's so much bad tech advice in this thread from people that simply don't understand anything about it.
blexann wrote: Financial institutions need to add another layer of security on top of the login process. Two factor authentication (2FA) would have helped in your situation, sorry that happened to you.
How do you know 2FA would help if you don't know how they got in? Like 2FA only prevents very specific types of attacks and typically the access one has to have to do the attack, they can bypass 2FA. The password was reset, which if you're not already aware, resets 2FA. Right?
mkl38s wrote: I remember someone mentioned a while back why BMO only allows 6 digits as the password. I don't remember password reset requirement, probably some security questions/answers which sometime, they can guess them from your social media accounts. I have or had accounts with all of them except scotia and this is what I found
- TD, RBC, NBC, EQB, ZAG - they all allow password with even special characters
- CM, Simplii/PCF - allow letters, but limit to 12 characters max and no special characters
- BMO/Tangerine - digits only and limit to 6
Password length is irrelevant. The whole password length thing isn't for your security, it's for the server's side incase a bank is hacked and has it's passwords hashes stolen. Since password hashes can't be reverse engineered, a hacker has to try creating hashes by using all combinations of characters. The process of hashing has a time delay built in, so the more complex a password, the longer it takes to find the matching hash. Considering the users password was reset, it's irrelevant.
Dave98 wrote: Agreed. Security questions are one of the worst things they have come up with. I'm sure it has actually made things even less secure.
They really aren't that bad. We can't just think of the best possible security measures ever. We have to use security measures that the end users will adopt with little inconvenience. If it was all about good, instead of what is decent the end user will adopt, we'd all be using a public-private key style of authentication. Problem is that it's really difficult to get the end user to be good with said key.

So much feel goodery messages in this thread.

HoTiCE_ is the only one with a decent reply on what probably happened. Though the VPN information is a bit much. There's public certificate used, so your stuff is encrypted - and if the site is being messed with you'll get some certificate error. It might be fine for noobs, but noobs and VPNs are lol. OP probably used their password on a variety of websites and ended up getting something else compromised (like the email associated with the bank). Or better yet, it was someone they know.
Indexer, non-yield chasing, low cost, broad based, as simple as possible investor.
Deal Fanatic
User avatar
Jul 29, 2005
9295 posts
3156 upvotes
Mississauga
It could be an inside job. I recall when I had a BMO credit card, BMO alerted me that someone tried to access my information but failed by not being able to answer personal questions. They quickly set up extra security access to ensure it was me calling in. I suspected this was an inside job because how else would the person have certain information about me... I cancelled my account shortly after.
My food blog - Reggie The Food Critic.
Deal Fanatic
User avatar
Sep 10, 2005
5701 posts
3662 upvotes
GTA
wm009 wrote: *rolls eyes* There's so much bad tech advice in this thread from people that simply don't understand anything about it.

How do you know 2FA would help if you don't know how they got in? Like 2FA only prevents very specific types of attacks and typically the access one has to have to do the attack, they can bypass 2FA. The password was reset, which if you're not already aware, resets 2FA. Right?

Password length is irrelevant. The whole password length thing isn't for your security, it's for the server's side incase a bank is hacked and has it's passwords hashes stolen. Since password hashes can't be reverse engineered, a hacker has to try creating hashes by using all combinations of characters. The process of hashing has a time delay built in, so the more complex a password, the longer it takes to find the matching hash. Considering the users password was reset, it's irrelevant.

They really aren't that bad. We can't just think of the best possible security measures ever. We have to use security measures that the end users will adopt with little inconvenience. If it was all about good, instead of what is decent the end user will adopt, we'd all be using a public-private key style of authentication. Problem is that it's really difficult to get the end user to be good with said key.

So much feel goodery messages in this thread.

HoTiCE_ is the only one with a decent reply on what probably happened. Though the VPN information is a bit much. There's public certificate used, so your stuff is encrypted - and if the site is being messed with you'll get some certificate error. It might be fine for noobs, but noobs and VPNs are lol. OP probably used their password on a variety of websites and ended up getting something else compromised (like the email associated with the bank). Or better yet, it was someone they know.
A little condescending but I can see where you're coming from. Although I don't see how you go from insinuating 2FA is not that secure and then go on to say security questions "aren't that bad".... especially considering security questions are exactly the authentication method used for resetting passwords for a lot of institutions in the first place.

There was nothing bad about the advice given that you quoted. You're just nit picking
Deal Addict
Feb 6, 2011
2372 posts
3008 upvotes
edkate wrote: So last Thursday someone reset our online banking password and etransfered $2,000 from checking acct and $1000 from savings acct. Entrasnfer was sent to one of my payees (its myself and that's how we pay for heloc with another bank).
One transfer was accepted, another was not. Bank fraud department managed to detect fraud and froze transactions.
Only checking acct and 1 saving account was linked to Debit card.
Bank confirmed that debit card was compromised. They issued a new one.
Do you use the debit card when you shop? Maybe that's when it was compromised?

Top

Thread Information

There is currently 1 user viewing this thread. (0 members and 1 guest)