Bank (BMO) won't reimburse Ottawa woman who lost $23K to fraudsters, family says

Last Updated: Sep 8th, 2021 8:08 pm
[OP]
Sr. Member
Dec 22, 2010
628 posts
599 upvotes
Ontario

https://www.cbc.ca/news/canada/ottawa/ottawa-senior-online-bank-fraud-bmo-1.6150127

Just saw this news and I have some questions about it. In this article, it says the fraudster fulfilled the 3 security questions below. The family claims that the questions are too simple, but I don't think they are that simple, especially numbers 1 and 3. So my questions are, how did they find out those answers (security information) in the first place? Also, how can I prevent these security leaks?

  1. Where was the account opened?
  2. What kind of BMO products do you have?
  3. Name one direct deposit received in the past 30 days.

*Let's focus on preventing the scam by understanding this specific scam instead of talking shit of the bank. There are plenty of places for that.
Last edited by testmann on Aug 25th, 2021 9:17 am, edited 1 time in total.
Reason: Title edit
55 replies
Deal Expert
Feb 8, 2014
25947 posts
10680 upvotes
Socially Distanced
They didn't even ask birthdate :rolleyes:
I have a thread about that
what-security-considerations-applying-contest-2481137/

Some of these are simple brute force, try it enough times you will win eventually.

Where account opened needs a list of branches, shown on every bank's website, and if you have a name and address just pick the closest one. No, oh sorry the second closest one.
What products you have is also simple brute force, chequing account and savings account is common. Or just chequing account.
One direct deposit may be as simple as CPP.

This could probably get into many accounts :facepalm:
Last edited by Quentin5 on Aug 25th, 2021 9:34 am, edited 1 time in total.
In fact in Rand McNally they wear hats on their feet and hamburgers eat people
Newbie
Nov 23, 2019
55 posts
88 upvotes
Edmonton, AB
Just because the questions are “easy” doesn’t mean the answer has to match. I use random passwords for all security questions and keep track of them in a password manager. Too many of these questions are information that has been entered on the internet somewhere for most people or could be phished.
It’s mildly inconvenient but I don’t usually have to answer them that often.
Deal Addict
Jan 15, 2017
1894 posts
1417 upvotes
BMO didn't seem to have a problem blocking my $500 eBay purchase with Paypal the other day, so for them to watch $23,000 waft out of someone's account over several days seems like some kind of security gap.

If you change a PIN, the back-end system will have this information, but I'm guessing it's also stored on the card and not checked by the back-end for transactions, which might support the cloned card explanation.
Deal Fanatic
Jan 21, 2018
7511 posts
8076 upvotes
Vancouver
I read the story. Given all the details, I would suspect a family member or other insider rather than a random stranger, so I can see why the bank is suspicious.

But I agree that the security questions asked by banks and other financial institutions are not sufficiently secure against a competent fraud attempt.
Deal Guru
Dec 5, 2006
13028 posts
8270 upvotes
Markham
In the article, it said

"a senior BMO employee admitted a bank telephone agent had breached security protocol when he granted online account access to someone posing as the mother"

so this is not just whether questions are easy or not.
Deal Addict
Jan 15, 2017
1894 posts
1417 upvotes
Scote64 wrote: I read the story. Given all the details, I would suspect a family member or other insider rather than a random stranger, so I can see why the bank is suspicious.

But I agree that the security questions asked by banks and other financial institutions are not sufficiently secure against a competent fraud attempt.
At the root of this problem is the question of how BMO or other institutions should ensure that it is actually the customer that is making the request.

I would think that knowing the PIN (conveniently forgotten according to the requestor) should be part of that process. A sudden interest in setting up online banking at the same time as a PIN reset should definitely be a red flag, so I'd fault BMO for that.

Ignoring the PIN change for a moment, do those 3 security questions (products, recent deposit, original account location) adequately identify the customer? I would say no.

I think I'm leaning towards putting the blame on BMO.
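The red flag raised in the post above (a PIN reset arriving together with a sudden first online-banking enrolment), sketched as a detection rule. This is an added example, not part of the thread and not any bank's system; the event schema, both time windows and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PAIR_WINDOW = timedelta(hours=24)  # assumed: reset and enrolment this close together
REVIEW_PERIOD = timedelta(days=7)  # assumed: how long outgoing transfers stay under review

# Constructed events in a hypothetical schema, not any bank's real log format.
EVENTS = [
    {"ts": "2021-01-04T10:02", "account": "A1", "type": "pin_reset"},
    {"ts": "2021-01-04T10:09", "account": "A1", "type": "online_enrol"},
    {"ts": "2021-01-05T14:30", "account": "A1", "type": "transfer_out", "amount": 3000},
    {"ts": "2021-01-06T09:15", "account": "A1", "type": "transfer_out", "amount": 2500},
    {"ts": "2021-01-04T11:00", "account": "B2", "type": "pin_reset"},
    {"ts": "2021-01-20T16:45", "account": "B2", "type": "online_enrol"},
    {"ts": "2021-01-21T12:00", "account": "B2", "type": "transfer_out", "amount": 400},
]

def flag_accounts(events):
    """Return {account: total of outgoing transfers inside the review period}."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        resets = [e["ts"] for e in evs if e["type"] == "pin_reset"]
        enrols = [e["ts"] for e in evs if e["type"] == "online_enrol"]
        # Red flag: a PIN reset within PAIR_WINDOW of the account's first enrolment.
        pairs = [max(r, n) for r in resets for n in enrols[:1]
                 if abs(r - n) <= PAIR_WINDOW]
        if not pairs:
            continue
        start = min(pairs)  # moment both conditions were first true
        flagged[account] = sum(
            e["amount"] for e in evs
            if e["type"] == "transfer_out" and start <= e["ts"] <= start + REVIEW_PERIOD
        )
    return flagged

if __name__ == "__main__":
    print(flag_accounts(EVENTS))
```

Account B2 is not flagged because its PIN reset and enrolment are more than two weeks apart; only the tight pairing on A1 puts its later transfers under review.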
Deal Addict
Dec 22, 2007
1390 posts
1012 upvotes
Mississauga
From the inside POV, without working at BMO: if the transaction was chip and PIN, the bank is kinda looking at it very closely, as the card has keys which, if they are duplicated, means we're all up the creek without a paddle, to put it mildly.

So while I know the bank is the villain in this case, it looks suspect. Could be anyone she knows, e.g. hired help that had access to her info / card.
Deal Guru
Dec 5, 2006
13028 posts
8270 upvotes
Markham
taxrage wrote: At the root of this problem is the question of how BMO or other institutions should ensure that it is actually the customer that is making the request.

I would think that knowing the PIN (conveniently forgotten according to the requestor) should be part of that process. A sudden interest in setting up online banking at the same time as a PIN reset should definitely be a red flag, so I'd fault BMO for that.

Ignoring the PIN change for a moment, do those 3 security questions (products, recent deposit, original account location) adequately identify the customer? I would say no.

I think I'm leaning towards putting the blame on BMO.
BMO definitely has to share some fault. Even they admitted it.

In terms of the questions, it's really a balance between convenience and fraud. 99.99% of calls are from legit customers who forgot their password. Question 2 is too easy; the other two questions are not easy to answer.
Member
Jan 7, 2019
368 posts
373 upvotes
If you know the account number along with transit, a simple search of the transit number gives you the branch where you opened the account.
Remember to always Thumbs Up good responses! Spread positively.
Deal Addict
Feb 4, 2003
3285 posts
1598 upvotes
BrokeMillennial wrote: If you know the account number along with transit, a simple search of the transit number gives you the branch where you opened the account.
Account number is different than your debit card number, so somehow the fraudster also got their hands on their account number/cheque etc. to figure out where she opened the account.
Deal Fanatic
Apr 5, 2016
5933 posts
4379 upvotes
Calgary/Vancouver
Too bad I can't get more info. Something is definitely up. The branches I usually frequent reimbursed quite a lot of fraudulent transactions these days as fraud is crazy high. To deny them even after media exposure, there must be some evidence putting the family at fault.
Sr. Member
Dec 3, 2019
505 posts
461 upvotes
Ontario
The bank is suspicious of how the customer was able to use the debit card after the pin was changed by the fraudster. (hopefully not just tap)
The bank states there is proof the card was not duplicated. (although would not elaborate)

If at least one of the above is true I can see why the claim was denied.
Deal Guru
Dec 5, 2006
13028 posts
8270 upvotes
Markham
buysellbuy wrote: The bank is suspicious of how the customer was able to use the debit card after the pin was changed by the fraudster. (hopefully not just tap)
The bank states there is proof the card was not duplicated. (although would not elaborate)

If at least one of the above is true I can see why the claim was denied.
This part is what I don't understand: does that mean the customer used the new PIN for their purchase?
Deal Addict
Dec 17, 2008
2774 posts
2235 upvotes
Winnipeg
My thoughts on the three questions.

Where did you open the account? If the fraudster obtained a statement (from a mailbox) or DD form or cheque as the transit number can be found on all of those. That will tell you where the account was opened originally.

I personally feel they obtained a statement from her mailbox because we already know she doesn't do online banking so likely still gets paper statements. If they didn't have a statement, a good guess would be the branch closest to her home.

Based on what I said above.. Question 2 What accounts do you have? If she only has Chequing and/or Savings... They would have all that information from the statement to answer that question. Even without the statement it's a safe guess to say Chequing and Savings when answering the question.

Third question One direct deposit in the past 30 days? Again this would be on the statement.

If they did not have a statement, considering this woman is a senior, she likely gets CPP every month so that would be a very safe guess.

Those are my thoughts on the questions asked on the phone.
*Do you like someone's idea, post, or response? Why not consider giving them "thanks" and clicking the thumbs up to give them the credit they deserve.*
Deal Addict
Jan 15, 2017
1894 posts
1417 upvotes
buysellbuy wrote: The bank is suspicious of how the customer was able to use the debit card after the pin was changed by the fraudster. (hopefully not just tap)
The bank states there is proof the card was not duplicated. (although would not elaborate)

If at least one of the above is true I can see why the claim was denied.
I asked my daughter (works for Big 5 bank) if the PIN is stored on the card. She said it isn't and that it always has to be verified by the back-end system.

If that's the case, and the customer used the card after the change (other than simple tap), then some kind of collusion has occurred.
Member
Jan 7, 2019
368 posts
373 upvotes
Shawguy wrote: My thoughts on the three questions.

Where did you open the account? If the fraudster obtained a statement (from a mailbox) or DD form or cheque as the transit number can be found on all of those. That will tell you where the account was opened originally.

I personally feel they obtained a statement from her mailbox because we already know she doesn't do online banking so likely still gets paper statements. If they didn't have a statement, a good guess would be the branch closest to her home.

Based on what I said above.. Question 2 What accounts do you have? If she only has Chequing and/or Savings... They would have all that information from the statement to answer that question. Even without the statement it's a safe guess to say Chequing and Savings when answering the question.

Third question One direct deposit in the past 30 days? Again this would be on the statement.

If they did not have a statement, considering this woman is a senior, she likely gets CPP every month so that would be a very safe guess.

Those are my thoughts on the questions asked on the phone.
And since she was not an online banking customer, she would've only received paper statements. Probably forgot to shred a statement or just lost it somewhere.
Remember to always Thumbs Up good responses! Spread positively.
[OP]
Sr. Member
Dec 22, 2010
628 posts
599 upvotes
Ontario
Shawguy wrote: My thoughts on the three questions.

Where did you open the account? If the fraudster obtained a statement (from a mailbox) or DD form or cheque as the transit number can be found on all of those. That will tell you where the account was opened originally.

I personally feel they obtained a statement from her mailbox because we already know she doesn't do online banking so likely still gets paper statements. If they didn't have a statement, a good guess would be the branch closest to her home.

Based on what I said above.. Question 2 What accounts do you have? If she only has Chequing and/or Savings... They would have all that information from the statement to answer that question. Even without the statement it's a safe guess to say Chequing and Savings when answering the question.

Third question One direct deposit in the past 30 days? Again this would be on the statement.

If they did not have a statement, considering this woman is a senior, she likely gets CPP every month so that would be a very safe guess.

Those are my thoughts on the questions asked on the phone.
That's really spot on.
Nazma Sayeeda Yousuf, 66, has banked with Bank of Montreal (BMO) for 38 years, during which time she never set up online banking, instead relying on monthly paper statements and in-person trips to the branch on Prince of Wales Drive.
It's hard to believe that those three "security" questions can be answered by just looking at the statement, lol
Deal Addict
Mar 10, 2018
4975 posts
1455 upvotes
does it matter?
Shawguy wrote: My thoughts on the three questions.

Where did you open the account? If the fraudster obtained a statement (from a mailbox) or DD form or cheque as the transit number can be found on all of those. That will tell you where the account was opened originally.

I personally feel they obtained a statement from her mailbox because we already know she doesn't do online banking so likely still gets paper statements. If they didn't have a statement, a good guess would be the branch closest to her home.

Based on what I said above.. Question 2 What accounts do you have? If she only has Chequing and/or Savings... They would have all that information from the statement to answer that question. Even without the statement it's a safe guess to say Chequing and Savings when answering the question.

Third question One direct deposit in the past 30 days? Again this would be on the statement.

If they did not have a statement, considering this woman is a senior, she likely gets CPP every month so that would be a very safe guess.

Those are my thoughts on the questions asked on the phone.
Reading your post, is it possible someone who knows her and has access to details like the statement might be involved? Can be anybody who is a caregiver, a friend, relative, neighbourly young person who helps her regularly.

I have called TD support very few times, and sometimes they ask such questions. You can just throw the terms TFSA and RRSP. And like you said, the amount of TFSA/RRSP will be in some statement. Which TD had asked me twice.
Tried new coffee and doughnut. Found same old stale thing. expected bill of six bucks but it was 600 million. Big mistake so the guy said don't worry it is on the house. going back to McD.
Jr. Member
Jul 3, 2021
121 posts
83 upvotes
My bank doesn’t support 2FA so I set up an alert for any movement over $10