Online banking fraud victim - help needed!

Last Updated: Jan 22nd, 2018 10:59 pm
Banned
Dec 25, 2017
168 posts
122 upvotes
wm009 wrote: *rolls eyes* There's so much bad tech advice in this thread from people that simply don't understand anything about it.



How do you know 2FA would help if you don't know how they got in? Like 2FA only prevents very specific types of attacks and typically the access one has to have to do the attack, they can bypass 2FA. The password was reset, which if you're not already aware, resets 2FA. Right?



Password length is irrelevant. The whole password length thing isn't for your security, it's for the server's side in case a bank is hacked and has its password hashes stolen. Since password hashes can't be reverse engineered, a hacker has to try creating hashes by using all combinations of characters. The process of hashing has a time delay built in, so the more complex a password, the longer it takes to find the matching hash. Considering the user's password was reset, it's irrelevant.


They really aren't that bad. We can't just think of the best possible security measures ever. We have to use security measures that the end users will adopt with little inconvenience. If it was all about good, instead of what is decent the end user will adopt, we'd all be using a public-private key style of authentication. Problem is that it's really difficult to get the end user to be good with said key.

So much feel goodery messages in this thread.

HoTiCE_ is the only one with a decent reply on what probably happened. Though the VPN information is a bit much. There's public certificate used, so your stuff is encrypted - and if the site is being messed with you'll get some certificate error. It might be fine for noobs, but noobs and VPNs are lol. OP probably used their password on a variety of websites and ended up getting something else compromised (like the email associated with the bank). Or better yet, it was someone they know.
2FA wouldn't be terrible. Something like a soft token app on your phone would substantially increase security. OP, don't stress, all the work has been done.
Deal Addict
Jul 3, 2017
3859 posts
2814 upvotes
FerinthuI wrote: 2FA wouldn't be terrible. Something like a soft token app on your phone would substantially increase security. OP, don't stress, all the work has been done.
HSBC gives out a little plastic calculator thingy that you program with a PIN when you first get it (PIN shared with HSBC). Then each time you need to perform a transaction on your account, you are prompted for a confirmation key code, which you get by entering your PIN into the calculator thingy and reading back the key code it gives you (different each time). I guess their idea is that it's harder for someone to steal your original PIN when it's only communicated once when you first set it, while each regular transaction gets a different and hopefully unpredictable key code.

But it's a pain in the butt. The calculator thingy gets lost or breaks, or you just don't have it with you when you need it. Elderly relatives can't figure out how to use it properly. The HSBC web site and app are terrible, among the worst of any banking institution, and their customer service staff aren't very helpful. So big pass on that idea.
Banned
Dec 25, 2017
168 posts
122 upvotes
Exp315 wrote:
HSBC gives out a little plastic calculator thingy that you program with a PIN when you first get it (PIN shared with HSBC). Then each time you need to perform a transaction on your account, you are prompted for a confirmation key code, which you get by entering your PIN into the calculator thingy and reading back the key code it gives you (different each time). I guess their idea is that it's harder for someone to steal your original PIN when it's only communicated once when you first set it, while each regular transaction gets a different and hopefully unpredictable key code.

But it's a pain in the butt. The calculator thingy gets lost or breaks, or you just don't have it with you when you need it. Elderly relatives can't figure out how to use it properly. The HSBC web site and app are terrible, among the worst of any banking institution, and their customer service staff aren't very helpful. So big pass on that idea.
It sounds like the option is there. What you just mentioned was a hardware token.

A lot of clients use this to protect data they only want certain people to access. Or accessing your workplace VPN if you're working at home. This is definitely a safe route, but you're right, elderly people are stuck. They're also the most common age group to use cash and services at the bank, which require a "brick and mortar" establishment, versus an online bank.

I'm not a huge cash guy. Hell, I don't even carry it most of the time. I haven't come across a place that takes debit or credit.
Deal Addict
Mar 23, 2009
1110 posts
1048 upvotes
Toronto
Exp315 wrote: HSBC gives out a little plastic calculator thingy that you program with a PIN when you first get it (PIN shared with HSBC). Then each time you need to perform a transaction on your account, you are prompted for a confirmation key code, which you get by entering your PIN into the calculator thingy and reading back the key code it gives you (different each time). I guess their idea is that it's harder for someone to steal your original PIN when it's only communicated once when you first set it, while each regular transaction gets a different and hopefully unpredictable key code.

But it's a pain in the butt. The calculator thingy gets lost or breaks, or you just don't have it with you when you need it. Elderly relatives can't figure out how to use it properly. The HSBC web site and app are terrible, among the worst of any banking institution, and their customer service staff aren't very helpful. So big pass on that idea.
You can set up a software version on your smart phone as well, instead of the physical device. I really appreciate the 2FA from HSBC, gives me peace of mind. Never had any issues with them.
Deal Expert
Jan 27, 2004
52935 posts
18144 upvotes
ONTARIO
I work in a bank... and I think the best way to protect against fraud is to follow the card holder agreement.
Because as long as you do... All fraud will be refunded. It's a pain in the ass b/c it usually takes a good 2 weeks to finish the investigation.

Don't loan out your card
Don't share passwords or pins
Keep pin/pw random. No Bday/phone numbers/identifying features
Check your account daily. We have great access to online banking options now. It's very easy to check for discrepancy

As long as you report it right away & follow the above... You will 99.999999999% get a refund for ALL fraud.
The only time I've seen people declined for fraud refunds is if they do something REALLY dumb... like "oh I gave my card and pin to my ex-gf to help me buy a pack of smokes. Then the next day $2000 was missing"

or "my online banking password is my bday... 1984!"
Deal Fanatic
Oct 1, 2004
6651 posts
995 upvotes
GTA
all the banks should have the option of having notification through sms as an option, even if they try and change your phone number, you would be notified.
Newbie
Mar 9, 2017
41 posts
7 upvotes
Glad I decided against etransfer to email accounts. I also avoid BMO's digital Wednesdays and consider bank employees digging their own graves
(trying to lure me into using machines for banking)
Member
Jan 19, 2017
431 posts
121 upvotes
huynhtcduy wrote: To the OP and everyone else reading through this thread,

I found a very similar post on Reddit concerning this issue that I think might be useful to everyone:

https://www.reddit.com/r/PersonalFinanc ... h=3af34ff7
thanks for the reddit thread. it's insane that BMO accounts get hacked left and right, and they're not doing anything about it. i'm planning to move all our money to another bank after we get refunded.
Deal Guru
Feb 4, 2015
10331 posts
6696 upvotes
Canada, Eh!!
Was talking to a friend who does banking online both in Canada and USA.

Few things he noticed [note this is just for banks he deals with so not all banks; just some data points]:

* Cdn bank has full acct number of credit card he is paying via Bill Pay whereas US only has last few digits [he initially had to input full cc number when setting up bill pay]
* Not online necessarily however his cc stmt that he downloads has full cc number or in case of one cc the last few digits are shown at top of page BUT then in address to pay to the full cc number is typed; US cc stmt only shows last few digits [anywhere on page]
* US bank emails/texts him whenever a bill is paid [or for that matter whenever a transaction is made; various options exist as to what notifications should/can be sent]
* With US bank if email or password or pin or address, etc are changed then an email/text is sent to original email and original mobile #. So yes, password could be reset BUT would still get notification on original email/mobile
* His US bank sends passcode to email or mobile each time he logs in; this is in addition to regular log in process of username and password
2022/3: BOC raised 10 times and MCAP raised its prime next day.
2017,2018: BOC raised rates 5 times and MCAP raised its prime next day each time.
2020: BOC dropped rates 3 times and MCAP waited to drop its prime to include all 3 drops.
Jr. Member
Nov 18, 2008
113 posts
26 upvotes
Thornhill
So which bank has the best security? It seems to me that only RBC and CIBC have 2 factor authentication. Does that make them the most secure?
Member
Jan 19, 2017
431 posts
121 upvotes
does RBC have 2FA for personal banking accounts or only for investment accounts? i believe CIBC and HSBC have a form of 2-factor authentication. i'd like to know the full list of banks that support 2FA as well.
Deal Addict
Jul 24, 2011
1100 posts
236 upvotes
Just stumbled into this thread today. Basically same thing happened to me on Dec. few days before Christmas eve. I also use BMO.

Someone was able to reset everything on my account (psw, email, questions/answers) and add a payee (themselves) and e-transfer 3k.

I found out when I got an email saying (John smith) has accepted your 3,000 CAD e-transfer.

Took me about 30 mins on the phone for them to block my Debit card, but by then the damage was done. Had to go to the branch to change my email, and get a new debit card.

Long story short, got all my money back after 2 weeks.
Fido client
Tangerine client.
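The sequence this post describes (credentials and contact details reset, a new payee added, then an e-transfer to that payee) can be flagged as one chain instead of as unrelated events. The following is an added example, not part of the original post and not any bank's actual logic; the event names, log layout, 24-hour window and sample entries are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): (timestamp, account, event, detail)
SAMPLE_LOG = [
    ("2017-12-21T00:02:10", "A100", "password_reset", ""),
    ("2017-12-21T00:03:45", "A100", "email_changed", ""),
    ("2017-12-21T00:05:02", "A100", "security_questions_changed", ""),
    ("2017-12-21T00:09:30", "A100", "payee_added", "payee-77"),
    ("2017-12-21T00:11:12", "A100", "etransfer_sent", "payee-77"),
    ("2017-12-20T09:00:00", "B200", "password_reset", ""),
    ("2017-12-23T14:00:00", "B200", "payee_added", "payee-12"),
    ("2017-12-23T14:05:00", "B200", "etransfer_sent", "payee-12"),
    ("2017-12-22T10:00:00", "C300", "etransfer_sent", "payee-03"),
]

# Hypothetical event names for changes that also redirect alerts and recovery.
RECOVERY_EVENTS = {"password_reset", "email_changed", "security_questions_changed"}
WINDOW = timedelta(hours=24)  # assumed review window, not a real bank setting


def find_takeover_chains(log, window=WINDOW):
    """Return (account, payee, transfer_time) for each transfer sent to a payee
    that was added within `window` of a credential or contact change."""
    last_recovery = {}  # account -> time of most recent recovery-type event
    risky_payees = {}   # (account, payee) -> time the payee was added
    alerts = []
    for ts, account, event, detail in sorted(log):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if event in RECOVERY_EVENTS:
            last_recovery[account] = when
        elif event == "payee_added":
            reset = last_recovery.get(account)
            if reset is not None and when - reset <= window:
                risky_payees[(account, detail)] = when
        elif event == "etransfer_sent":
            added = risky_payees.get((account, detail))
            if added is not None and when - added <= window:
                alerts.append((account, detail, ts))
    return alerts


if __name__ == "__main__":
    for account, payee, ts in find_takeover_chains(SAMPLE_LOG):
        print(f"HOLD {account}: transfer to new payee {payee} at {ts} follows a reset")
```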
Deal Addict
Feb 6, 2011
2372 posts
3008 upvotes
I deal with Scotiabank. Have both text alerts and email alerts setup.
If my password or security questions are changed, I get email and text alerts with a phone number to call if I didn't authorize it.
Also get alerts for payments without credit card, PayPal, Amazon, etc. ATM withdrawals and if a new payee is added to bill payments. There's other alerts you can add also.

Also, when logging in, they ask you a security question.

It's a little annoying at times with the alerts, but I think it's good to have as I know what's going on at all times.
Jr. Member
Nov 18, 2008
113 posts
26 upvotes
Thornhill
This is all good, don't get me wrong. But they hacked into my account at midnight so I wouldn't receive the text until the next morning, by which time it's too late.

That's why I am enquiring about 2FA coz it seems the best way of protecting yourself in Canada. But I may be wrong. Just asking the question.
Sr. Member
Mar 23, 2016
821 posts
227 upvotes
FerinthuI wrote: It sounds like the option is there. What you just mentioned was a hardware token.
I use these and find them very easy to use and a good security measure. For the security, I think the hassle is very low personally and have no issues with it. Can understand why elderly folk might not like it though.
*Faux transparency / censorship warning for RFD*
Sr. Member
Mar 23, 2016
821 posts
227 upvotes
Wow - so BMO accounts are all compromised? How the f do they get away with that and not have any publicity about it?
*Faux transparency / censorship warning for RFD*
