2FA wouldn't be terrible. Something like a soft token app on your phone would substantially increase security. OP, don't stress, all the work has been done.
wm009 wrote: ↑ *rolls eyes* There's so much bad tech advice in this thread from people that simply don't understand anything about it.
How do you know 2FA would help if you don't know how they got in? Like 2FA only prevents very specific types of attacks and typically the access one has to have to do the attack, they can bypass 2FA. The password was reset, which if you're not already aware, resets 2FA. Right?
Password length is irrelevant. The whole password length thing isn't for your security, it's for the server's side in case a bank is hacked and has its password hashes stolen. Since password hashes can't be reverse engineered, a hacker has to try creating hashes by using all combinations of characters. The process of hashing has a time delay built in, so the more complex a password, the longer it takes to find the matching hash. Considering the user's password was reset, it's irrelevant.
They really aren't that bad. We can't just think of the best possible security measures ever. We have to use security measures that the end users will adopt with little inconvenience. If it was all about good, instead of what is decent the end user will adopt, we'd all be using a public-private key style of authentication. Problem is that it's really difficult to get the end user to be good with said key.
So much feel goodery messages in this thread.
HoTiCE_ is the only one with a decent reply on what probably happened. Though the VPN information is a bit much. There's public certificate used, so your stuff is encrypted - and if the site is being messed with you'll get some certificate error. It might be fine for noobs, but noobs and VPNs are lol. OP probably used their password on a variety of websites and ended up getting something else compromised (like the email associated with the bank). Or better yet, it was someone they know.
Online banking fraud victim - help needed!
- Last Updated:
- Jan 22nd, 2018 10:59 pm
- SCORE+3
- FerinthuI
- Banned
- Dec 25, 2017
- 168 posts
- 122 upvotes
- Exp315
- Deal Addict
- Jul 3, 2017
- 3859 posts
- 2814 upvotes
HSBC gives out a little plastic calculator thingy that you program with a PIN when you first get it (PIN shared with HSBC). Then each time you need to perform a transaction on your account, you are prompted for a confirmation key code, which you get by entering your PIN into the calculator thingy and reading back the key code it gives you (different each time). I guess their idea is that it's harder for someone to steal your original PIN when it's only communicated once when you first set it, while each regular transaction gets a different and hopefully unpredictable key code.
But it's a pain in the butt. The calculator thingy gets lost or breaks, or you just don't have it with you when you need it. Elderly relatives can't figure out how to use it properly. The HSBC web site and app are terrible, among the worst of any banking institution, and their customer service staff aren't very helpful. So big pass on that idea.
- FerinthuI
- Banned
- Dec 25, 2017
- 168 posts
- 122 upvotes
It sounds like the option is there. What you just mentioned was a hardware token.
Exp315 wrote: ↑
HSBC gives out a little plastic calculator thingy that you program with a PIN when you first get it (PIN shared with HSBC). Then each time you need to perform a transaction on your account, you are prompted for a confirmation key code, which you get by entering your PIN into the calculator thingy and reading back the key code it gives you (different each time). I guess their idea is that it's harder for someone to steal your original PIN when it's only communicated once when you first set it, while each regular transaction gets a different and hopefully unpredictable key code.
But it's a pain in the butt. The calculator thingy gets lost or breaks, or you just don't have it with you when you need it. Elderly relatives can't figure out how to use it properly. The HSBC web site and app are terrible, among the worst of any banking institution, and their customer service staff aren't very helpful. So big pass on that idea.
A lot of clients use this to protect data they only want certain people to access. Or accessing your work place VPN if you're working at home. This is definitely a safe route, but you're right, elderly people are stuck. They're also the most common age group to use cash and services at the bank, which require a "brick and mortar" establishment, versus an online bank.
I'm not a huge cash guy. Hell, I don't even carry it most of the time. I haven't come across a place that takes debit or credit.
- astroboy100
- Deal Addict
- Mar 23, 2009
- 1110 posts
- 1048 upvotes
- Toronto
You can set up a software version on your smart phone as well, instead of the physical device. I really appreciate the 2FA from HSBC, gives me peace of mind. Never had any issues with them.
Exp315 wrote: ↑ HSBC gives out a little plastic calculator thingy that you program with a PIN when you first get it (PIN shared with HSBC). Then each time you need to perform a transaction on your account, you are prompted for a confirmation key code, which you get by entering your PIN into the calculator thingy and reading back the key code it gives you (different each time). I guess their idea is that it's harder for someone to steal your original PIN when it's only communicated once when you first set it, while each regular transaction gets a different and hopefully unpredictable key code.
But it's a pain in the butt. The calculator thingy gets lost or breaks, or you just don't have it with you when you need it. Elderly relatives can't figure out how to use it properly. The HSBC web site and app are terrible, among the worst of any banking institution, and their customer service staff aren't very helpful. So big pass on that idea.
- UrbanPoet
- Deal Expert
- Jan 27, 2004
- 52935 posts
- 18144 upvotes
- ONTARIO
I work in a bank... and I think the best way to protect against fraud is to follow the card holder agreement.
Because as long as you do... All fraud will be refunded. It's a pain in the ass b/c it usually takes a good 2 weeks to finish the investigation.
Don't loan out your card
Don't share passwords or pins
Keep pin/pw random. No Bday/phone numbers/identifying features
Check your account daily. We have great access to online banking options now. It's very easy to check for discrepancy
As long as you report it right away & follow the above... You will 99.999999999% get a refund for ALL fraud.
The only time I've seen people declined for fraud refunds is if they do something REALLY dumb... like "oh I gave my card and pin to my ex-gf to help me buy a pack of smokes. Then the next day $2000 was missing"
or "my online banking password is my bday... 1984!"
- greg123
- Deal Fanatic
- Oct 1, 2004
- 6651 posts
- 995 upvotes
- GTA
all the banks should have the option of having notification through sms as an option, even if they try and change your phone number, you would be notified.
- huynhtcduy
- Newbie
- Dec 15, 2015
- 39 posts
- 41 upvotes
- Toronto, ON
To the OP and everyone else reading through this thread,
I found a very similar post on Reddit concerning this issue that I think might be useful to everyone:
https://www.reddit.com/r/PersonalFinanc ... h=3af34ff7
- TommyT931227
- Newbie
- Mar 9, 2017
- 41 posts
- 7 upvotes
Glad I decided against etransfer to email accounts. I also avoid BMO's digital Wednesdays and consider bank employees digging their own graves
(trying to lure me into using machines for banking)
- darXider
- Member
- Jan 19, 2017
- 431 posts
- 121 upvotes
thanks for the reddit thread. it's insane that BMO accounts get hacked left and right, and they're not doing anything about it. i'm planning to move all our money to another bank after we get refunded.
huynhtcduy wrote: ↑ To the OP and everyone else reading through this thread,
I found a very similar post on Reddit concerning this issue that I think might be useful to everyone:
https://www.reddit.com/r/PersonalFinanc ... h=3af34ff7
- georvu
- Deal Guru
- Feb 4, 2015
- 10331 posts
- 6696 upvotes
- Canada, Eh!!
Was talking to a friend who does banking online both in Canada and USA.
Few things he noticed [note this is just for banks he deals with so not all banks; just some data points]:
* Cdn bank has full acct number of credit card he is paying via Bill Pay whereas US only has last few digits [he initially had to input full cc number when setting up bill pay]
* Not online necessarily however his cc stmt that he downloads has full cc number or in case of one cc the last few digits are shown at top of page BUT then in address to pay to the full cc number is typed; US cc stmt only shows last few digits [anywhere on page]
* US bank emails/texts him whenever a bill is paid [or for that matter whenever a transaction is made; various options exist as to what notifications should/can be sent]
* With US bank if email or password or pin or address, etc are changed then an email/text is sent to original email and original mobile #. So yes, password could be reset BUT would still get notification on original email/mobile
* His US bank sends passcode to email or mobile each time he logs in; this is in addition to regular log in process of username and password
2022/3: BOC raised 10 times and MCAP raised its prime next day.
2017,2018: BOC raised rates 5 times and MCAP raised its prime next day each time.
2020: BOC dropped rates 3 times and MCAP waited to drop its prime to include all 3 drops.
- tonyb
- Jr. Member
- Nov 18, 2008
- 113 posts
- 26 upvotes
- Thornhill
So which bank has the best security? It seems to me that only RBC and CIBC have 2 factor authentication. Does that make them the most secure?
- darXider
- Member
- Jan 19, 2017
- 431 posts
- 121 upvotes
does RBC have 2FA for personal banking accounts or only for investment accounts? i believe CIBC and HSBC have a form of 2-factor authentication. i'd like to know the full list of banks that support 2FA as well.
- Vinotintazo
- Deal Addict
- Jul 24, 2011
- 1100 posts
- 236 upvotes
Just stumbled into this thread today. Basically same thing happened to me on Dec. few days before Christmas eve. I also use BMO.
Someone was able to reset everything on my account (psw, email, questions/answers) and add a payee (themselves) and e-transfer 3k.
I found out when I got an email saying (John smith) has accepted your 3,000 CAD e-transfer.
Took me about 30 mins on the phone for them to block my Debit card, but by then the damage was done. Had to go to the branch to change my email, and get a new debit card.
Long story short, got all my money back after 2 weeks.
Fido client
Tangerine client.
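The sequence reported in the post above (password, email and security questions reset, a payee added, then an e-transfer), checked against the alerts to the original contact that other posts in this thread describe, as an added example that is not part of any post and not any bank's code. The event names, the sample events and the 24-hour hold on transfers to a freshly added payee are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events for one account (not real bank logs).
EVENTS = [
    ("2018-01-10T00:02:00", "password_reset", {}),
    ("2018-01-10T00:03:10", "email_changed", {"new": "other@example.net"}),
    ("2018-01-10T00:04:30", "security_questions_changed", {}),
    ("2018-01-10T00:06:00", "payee_added", {"payee": "P-1"}),
    ("2018-01-10T00:09:00", "etransfer", {"payee": "P-1", "amount": 3000}),
    ("2018-01-12T14:00:00", "etransfer", {"payee": "P-0", "amount": 50}),
]
CREDENTIAL_EVENTS = {"password_reset", "email_changed",
                     "security_questions_changed"}
HOLD = timedelta(hours=24)  # assumed cooling-off window, not a real bank policy


def review(events, contact_on_file):
    """Return (alerts, held): alerts as (recipient, event), held transfers."""
    alerts, held = [], []
    pending_contact = None        # (new_address, changed_at)
    last_credential_change = None
    payee_added_at = {}
    for ts, kind, data in events:
        now = datetime.fromisoformat(ts)
        # A changed address only starts receiving alerts after the hold,
        # so a reset cannot redirect its own notification.
        if pending_contact and now - pending_contact[1] >= HOLD:
            contact_on_file, pending_contact = pending_contact[0], None
        if kind in CREDENTIAL_EVENTS:
            alerts.append((contact_on_file, kind))
            last_credential_change = now
            if kind == "email_changed":
                pending_contact = (data["new"], now)
        elif kind == "payee_added":
            alerts.append((contact_on_file, kind))
            payee_added_at[data["payee"]] = now
        elif kind == "etransfer":
            added = payee_added_at.get(data["payee"])
            fresh_payee = added is not None and now - added < HOLD
            fresh_reset = (last_credential_change is not None
                           and now - last_credential_change < HOLD)
            # Hold only when both signals line up: new payee after a reset.
            if fresh_payee and fresh_reset:
                held.append((ts, data["payee"], data["amount"]))
                alerts.append((contact_on_file, "transfer_held"))
    return alerts, held
```

The hold covers the case raised later in the thread where an alert arrives at midnight and is only read the next morning.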
- billford
- Deal Addict
- Feb 6, 2011
- 2372 posts
- 3008 upvotes
I deal with Scotiabank. Have both text alerts and email alerts set up.
If my password or security questions are changed, I get email and text alerts with a phone number to call if I didn't authorize it.
Also get alerts for payments without credit card, paypal, amazon, etc. Atm withdrawals and if a new payee is added to bill payments. There's other alerts you can add also.
Also, when logging in, they ask you a security question.
It's a little annoying at times with the alerts, but I think it's good to have as I know what's going on at all times.
- tonyb
- Jr. Member
- Nov 18, 2008
- 113 posts
- 26 upvotes
- Thornhill
This is all good, don't get me wrong. But they hacked into my account at midnight so I wouldn't receive the text until the next morning, by which time it's too late.
That's why I am enquiring about 2FA coz it seems the best way of protecting yourself in Canada. But I may be wrong. Just asking the question.
- springdays
- Sr. Member
- Mar 23, 2016
- 821 posts
- 227 upvotes
I use these and find them very easy to use and a good security measure. For the security, I think the hassle is very low personally and have no issues with it. Can understand why elderly folk might not like it though.
*Faux transparency / censorship warning for RFD*
- springdays
- Sr. Member
- Mar 23, 2016
- 821 posts
- 227 upvotes
Wow - so BMO accounts are all compromised? How the f do they get away with that and not have any publicity about it?