Credit Cards

Glitch in Koho system led to $1-million in fraudulent transactions, sources say

  • Last Updated:
  • Oct 24th, 2020 12:39 pm
Tags:
None
[OP]
Deal Expert
Jan 7, 2002
23491 posts
19056 upvotes
Waterloo, ON

Glitch in Koho system led to $1-million in fraudulent transactions, sources say

Glitch in Koho system led to $1-million in fraudulent transactions, sources say
Koho Financial Inc. processed more than $1-million in allegedly fraudulent transactions after users exploited a glitch in the Power Corp.-backed mobile banking startup, according to sources familiar with the situation and internal company documentation.

The transactions took place between July, 2019, and early March, 2020. In all, there were more than 1,000 transactions totalling $1.049-million that the company labelled as “fraudulent,” the document shows.

Sources told The Globe and Mail that the transactions were enabled by a technical glitch during the transfer of money between accounts that deposited the value into the accounts of both the sender and the receiver.
Koho is/was a prepaid credit card. What's also interesting is that other prepaid CCs like Stack use Peoples Trust as their bank. It's not clear from the article if those other cards were vulnerable to the same exploit and if so what PT's liability would be:
Because it’s not a federally regulated bank, Koho has partnered with Peoples Trust Co., which is federally regulated, to hold clients' money. Peoples Trust did not respond to multiple requests for comment Sunday and Monday.
veni, vidi, Visa
5 replies
Deal Addict
User avatar
Jul 20, 2017
1038 posts
1210 upvotes
bylo wrote: Because it’s not a federally regulated bank, Koho has partnered with Peoples Trust Co., which is federally regulated, to hold clients' money. Peoples Trust did not respond to multiple requests for comment Sunday and Monday.
Not surprised, very shady company. (Peoples Trust)
Koho lately hasn't been much better for me:
I got a dispute in with KOHO when ebgames screwed me over and ignored all my requests to refund me after I did a return.. Pretty sure I'll have lost that $90 forever . Been 4+ months and KOHO just keeps replying that their third party wants another 90 days.
[OP]
Deal Expert
Jan 7, 2002
23491 posts
19056 upvotes
Waterloo, ON
Eleventeen wrote: Not surprised, very shady company. (Peoples Trust)
What's shady about PT?

BTW I just realized the article is behind the G&M's paywall, so here's more info about what happened:
Sources told The Globe and Mail that the transactions were enabled by a technical glitch during the transfer of money between accounts that deposited the value into the accounts of both the sender and the receiver. The Globe is not identifying the sources because they were not authorized to discuss the situation publicly.

In a statement, Koho acknowledged that its system had been exploited, which it said was the result of a cyberattack that was discovered on March 5 and that no customer funds or data were affected.

“The issue was fixed within hours of its discovery, and external auditors were brought in to validate our findings. They found that no customer funds or data were impacted,” the company said in response to written questions from The Globe. “Koho processes billions of dollars a year and is committed to maintaining the highest security standards to keep our customers safe against new threats.”

There are no allegations of wrongdoing on the part of anyone at Koho.

Koho lets clients use a proprietary app and prepaid Visa credit cards as a kind of hybrid bank account, with built-in budget tracking and cash-back perks. Its revenue comes largely from interchange fees that credit card companies earn from retailers and premium accounts. The company says it has more than 175,000 Canadian users.

According to the documentation and sources, more than 30 Koho users exploited the glitch, which could be triggered when the sender cancelled and the receiver accepted within milliseconds of each other.

Some of the users appeared to perform the transaction many times – sometimes on a daily basis – and sometimes claimed thousands of dollars a day, according to the document.

The company declined to describe the nature of the transactions, but said on March 5, ″We were improving our internal financial controls and discovered a failure to reconcile on operational capital."

Koho said the transactions only affected its own operational capital and not user funds...
veni, vidi, Visa
Member
Apr 14, 2006
410 posts
267 upvotes
People's Trust saved customer's information such as SIN, DOB, address, ID on their web site out in the open for anyone to download. This was not the first time it happened. Many people had a flag put on their account making it difficult to apply for credit card promos, loans, mortgages etc.

------------------

October 25th, 2013

RE: Important Notice Regarding Your Personal Information

Dear XXX,

As is common with most Financial Institutions, and indeed most successful companies, Peoples Trust is constantly on guard against undesirable third parties gaining access to our systems and data, and is repeatedly required to repel unwanted incursions. Over the past 25 years we have successfully fended off all attempts to compromise our systems. However during the past week of October 7th, we became suspicious of a few events that might indicate a possible intrusion into a database on our website. This database was totally separate from our banking systems so no banking information, such as balances, account numbers, logins or passwords could be obtained. As a precautionary measure, we immediately removed all data from this area and enhanced identification procedures and daily processes in our Deposit Services area to monitor for unusual activity pending a full investigation. To date we have seen no suspicious activity.

We retained a forensic investigator to identify the nature of the problem, extent and source of a potential data compromise. On October 11, 2013, the forensic investigator confirmed that a database used to collect on-line application information on our website was compromised by unauthorized access originating in the Peoples Republic of China. None of our banking systems were infected.

The personal information that may have been accessed on this database includes customer name, address, telephone number, email address, date of birth and social insurance number. We can confirm with confidence that your financial information, account data and password information have not been compromised in any way. However this incident may still place some customers at risk for identity theft. We have informed the Police and Canada's Privacy Commissioner, as well as the two major Canadian Credit bureau service providers. To mitigate the risk, Peoples Trust has arranged for a flag to be placed on your credit file which will alert companies accessing your credit information that your data may have been compromised and that lenders should take additional steps to verify your identity before transacting further. The notation will stay on your credit file for a period of 6 years unless you choose to have it removed.

It is not possible to verify the extent of access - or the amount of customer data that could possibly have been compromised - and we are hopeful the impact will be minimal, given the responses we've received from our customers to data (which has been limited to the receipt of a text message requesting a call to an inactive number).

Nothing is more important to Peoples Trust than the security of our customers' personal information. In addition to the steps we have taken, we would like to recommend the following to protect yourself from risk of identity theft or fraud:

- If you receive emails or text messages in the days ahead purporting to be from Peoples Trust asking for account or any other information, please consider that email or text to be fraudulent, and contact us immediately at 1-855-286-8505. Peoples Trust does not solicit account information from customers by email or text.

- Never respond to any unsolicited requests for your banking or personal information.

- As a precautionary measure, we recommend you monitor your accounts for any unusual activity and report any irregularities to to Peoples Trust immediately at 1-855-286-8505.

- You obtain a free copy of your credit file which may be done by calling the following services: Equifax Canada (1-800-465-7166) or TransUnion Canada (1-800-663-9980) and requesting a printed copy be delivered to you by mail. You may also obtain further information on removing the alert by visiting their websites: http://www.equifax.ca or http://www.transunion.ca

If you have any questions about this incident, how it may affect you and the steps Peoples Trust is taking to protect you and your personal information, please call our special information line at 1-855-286-8505. You can also contact Peoples Trust's Privacy Officer:

Darren Kozol, Privacy Officer
14th Floor, 888 Dunsmuir St
Vancouver, BC
V6C 3K4
PH: 604-331-2238
@: Privacy0@peoplestrust.com

Unfortunately, unauthorized privacy incursions are becoming more and more common all over the world. Peoples Trust will continue to take steps to safeguard your information with us. Moe information on personal information security and protecting yourself against identity theft is available from the Office of the Privacy Commissioner at http://www.priv.gc.ca. You should note that they provide a fact sheet on their website entitled "Identity Theft: What it is and what you can do about it" which may be of assistance to you in the present circumstances.

Peoples Trust deeply regrets that this occurred and is doing everything in our means to prevent an incident like this from happening again. Thank you for your understanding, and do not hesitate to call us if you have any questions or concerns.

Yours Sincerely,
Bill Moffatt
Chief Operations Officer
Peoples Trust Company
[OP]
Deal Expert
Jan 7, 2002
23491 posts
19056 upvotes
Waterloo, ON
cal653 wrote: People's Trust saved customer's information such as SIN, DOB, address, ID on their web site out in the open for anyone to download. This was not the first time it happened. Many people had a flag put on their account making it difficult to apply for credit card promos, loans, mortgages etc.
This is old news. AFAIK there has been no evidence that the information that was exposed was actually copied, let alone used in any nefarious way, in the seven years since. I know this in part because I was one of the people affected and I had the flag put on my credit file. I've been following this possible breach ever since. Apart from a class-action that's still working its way through the court system, there's been no news since.

In any case, other than a weak attempt to cast negative aspersions against PT, what does this issue have to do with what happened to Koho? Can you link the two in some meaningful way? I'm sure people following this thread would be grateful for such information.
veni, vidi, Visa
Deal Addict
May 16, 2017
1853 posts
2348 upvotes
cal653 wrote: People's Trust saved customer's information such as SIN, DOB, address, ID on their web site out in the open for anyone to download. This was not the first time it happened. Many people had a flag put on their account making it difficult to apply for credit card promos, loans, mortgages etc.

------------------
...
The data was NOT "out in the open for anyone to download". The issues are alleged to be two-fold:
- Database was made vulnerable due to failure to apply security updates in a timely manner,
- Database was unencrypted.

Top