# Danger of brokerage account being hacked



## james4beach (Nov 15, 2012)

https://finance.yahoo.com/news/cybercrooks-targeting-retirement-accounts-theres-090008063.html

This is a US article that talks about dangers to investment accounts due to hacking crimes. If a criminal steals your identity (for example compromises the password or uses other stolen personal data to gain access to an account) they can draw money out of it. In the US, apparently it's very difficult to recover.

One thing I would add is that a "strong password" does not totally solve this problem. There are other methods an attacker can use to get into accounts by pretending to be you. So I wouldn't get overconfident just based on password strength.

I presume the only thing a person can really do is keep a close eye on brokerage accounts, log in and check every week or so that there aren't any strange transactions... what are your thoughts? I also spread my assets into two separate big bank brokerages, to "diversify" a bit.


----------



## AltaRed (Jun 8, 2009)

I typically log on every day or two just to see what is 'happening'. What I have not done is see if brokerage accounts have some Alerts one can set up for an MMS text or email if there is a withdrawal (transfer out) of anything exceeding X or a change in an Alert or similar. Banks and credit card accounts have all kinds of alerts one can set up to be informed of activity.


----------



## Beaver101 (Nov 14, 2011)

^ I think what is scarier here in Canada is your investment accounts are linked to your bank accounts. 

Since online banking is supposedly 100% guaranteed to be safe, then I would expect the same with the automatic linkage to our brokerage accounts. Moreover, many Canadian brokerages have a second security level where you are required to answer PVQs (personal verification questions).

As for the problem in the US, I think it is an inside job. I.e., the cybercrooks are working inside the banks to get such easy access given the lame response:



> Asked about Bennett’s case, American Fund issued a statement: “Our mission is to help people save for a secure retirement. When one of our customers is the victim of identity theft, we hold ourselves accountable to immediately conduct a thorough examination of what happened and take appropriate action. *We use instances like this to strengthen our practices and conduct additional staff training if needed.* We have communicated to the customer that her savings, including any accrued dividends or appreciation, will be reinstated. We will work with law enforcement to aid in their investigation.”


----------



## Beaver101 (Nov 14, 2011)

AltaRed said:


> I typically log on every day or two just to see what is 'happening'. What I have not done is see if brokerage accounts have some Alerts one can set up for an MMS text or email if there is a withdrawal (transfer out) of anything exceeding X or a change in an Alert or similar. Banks and credit card accounts have all kinds of alerts one can set up to be informed of activity.


 ... I'm no cybersecurity expert. Just taking a guess here ... couldn't Trojans be infused into these alerts? Working similarly along the lines of "I forgot my password" and then use your cell to reset and slip in?


----------



## james4beach (Nov 15, 2012)

AltaRed said:


> I typically log on every day or two just to see what is 'happening'.


I think this is a really good idea. Look at transactions, poke around. I do the same thing and am trying to get my parents to log into theirs more often.


----------



## AltaRed (Jun 8, 2009)

Beaver101 said:


> ... I'm no cybersecurity expert. Just taking a guess here ... couldn't Trojans be infused into these alerts? Working similarly along the lines of "I forgot my password" and then use your cell to reset and slip in?


Maybe. I was thinking of simply a case where an alert, MMS or email, could be sent out whenever there is a withdrawal OR a change in alert notification and to where (cell number, email address). True, one's cell or email addy could have been compromised in addition, but something is better than nothing. A bulletproof password for email addy is probably one of the most important things in one's system of security. We already know agents of mobile providers can be duped and SIM credentials stolen.

For most online accounts of various kinds, I get notifications of password changes, email addy changes, security question changes, alert notification changes... with 'your X was changed. If this is not you, call us immediately'. Not fail-proof but as good as the passwords we use.


----------



## AltaRed (Jun 8, 2009)

james4beach said:


> I think this is a really good idea. Look at transactions, poke around. I do the same thing and am trying to get my parents to log into theirs more often.


Of course, I only do this from secured WiFi, so when on vacation or traveling, that does not happen. That is acceptable risk I suppose.


----------



## cainvest (May 1, 2013)

AltaRed said:


> Maybe. I was thinking of simply a case where an alert, MMS or email, could be sent out whenever there is a withdrawal OR a change in alert notification and to where (cell number, email address).


That would be good IMO. Just a notification sent on specified changes/activities within your accounts.


----------



## james4beach (Nov 15, 2012)

An alert feature (SMS or email) on any transaction in/out of accounts would be a great feature. That should help alert someone to any unauthorized withdrawal.


----------



## AltaRed (Jun 8, 2009)

cainvest said:


> That would be good IMO. Just a notification sent on specified changes/activities within your accounts.


FWIW, this is what I had previously set up in Scotia iTRade and it seems to cover most of what I need


> Manage My Wealth & Brokerage Email Alerts
> Send me an email alert to notify me when:
> 
> The status of my trade changes*
> ...


The first and last one should be all I need to know about nefarious activity. Plus I would already get an alert if someone tried to change my email addy too.


----------



## newfoundlander61 (Feb 6, 2011)

I don't use my cell phone for any money or investing related activities. I stick to my home internet for all of that. Public WiFi never gets used for money related activities, as it is the easiest way to be hacked. Especially at airports and locations like that.


----------



## m3s (Apr 3, 2010)

Interactive Brokers provided a card with codes as a simple secondary form of authentication. Only recently have Canadian brokers started to implement SMS "2 step authentication" which is already known to be a poor version of 2FA

If you think about it your email account is the gateway to all accounts as you can reset most logins with your email account. I have 2FA setup on most accounts but I can't believe people who don't at least have true 2FA on their email


----------



## james4beach (Nov 15, 2012)

AltaRed said:


> FWIW, this is what I had previously set up in Scotia iTRade and it seems to cover most of what I need
> 
> The first and last one should be all I need to know about nefarious activity. Plus I would already get an alert if someone tried to change my email addy too.


That feature looks nice, but I am not confident that it is properly (or thoroughly) implemented. For example, I also have the first and last checked.

Today I changed the brokerage email address on file, and there was no notification sent to the previous email. Note that there are two emails: what they call "primary" and a second one for brokerage notifications. I changed the second brokerage notification email, which is where you get your alerts. But I did not receive any email notification about changing the email address. I checked my spam folder too.

The second problem I've seen is that when I transfer cash from my chequing account into iTrade, I don't see any email alert for that, even though "A deposit or transfer has occurred" is checked. Again I would expect a notification for this. Maybe they are excluding it because it's a transfer from the same person's chequing?

However I do see email alerts for trade fills, as expected. So that part seems good.


----------



## james4beach (Nov 15, 2012)

This may be a bug, so I just sent them a secure message to inform them that changing the email did not result in an alert.


----------



## kcowan (Jul 1, 2010)

AltaRed said:


> FWIW, this is what I had previously set up in Scotia iTRade and it seems to cover most of what I need
> 
> The first and last one should be all I need to know about nefarious activity. Plus I would already get an alert if someone tried to change my email addy too.


I think your list, although incomplete, is a good start. How about James completes a list of what he considers adequate and we can all write to our brokers demanding protections with the list?


----------



## cainvest (May 1, 2013)

Would be nice to get an email each time an account login occurs. That along with an email on any deposits/withdrawals/transfers and account settings changes (e.g. password/email) would be good enough for me.


----------



## james4beach (Nov 15, 2012)

kcowan said:


> I think your list, although incomplete, is a good start. How about James completes a list of what he considers adequate and we can all write to our brokers demanding protections with the list?


I can help come up with a list.

Unfortunately though the problem is also about the quality of the implementation. TD Direct Investing for example has a bug where they show an inaccurate last date/time of login. The concept is correct (we should be able to see the last time of login and ideally the IP address) but TD screwed it up and it's been broken for many months.


----------



## m3s (Apr 3, 2010)

Questrade emails by default when a new device logs in and I get notifications from the Questrade app and windows. They show last login data at the top right next to logout along with browser, os and location. What Questrade lacks is true 2FA rather than sms 2 step

I've read accounts of email and sms getting hijacked to steal crypto. These are the gateways to all your accounts. The owners were notified of password changes but the damage is already done. Email and sms can be hijacked to access any account

On the plus side these people are going to target large crypto accounts before brokerage accounts because it's easier to transfer crypto out than to setup some elaborate trading scheme. It's advised to store crypto offline I'm not sure if anyone stores their stocks offline


----------



## AltaRed (Jun 8, 2009)

james4beach said:


> Today I changed the brokerage email address on file, and there was no notification sent to the previous email. Note that there are two emails: what they call "primary" and a second one for brokerage notifications. I changed the second brokerage notification email, which is where you get your alerts. But I did not receive any email notification about changing the email address. I checked my spam folder too.


That seems problematic. Good on you to have it pursued.



> The second problem I've seen is that when I transfer cash from my chequing account into iTrade, I don't see any email alert for that, even though "A deposit or transfer has occurred" is checked. Again I would expect a notification for this. Maybe they are excluding it because it's a transfer from the same person's chequing?


There is no reason to alert on incoming transfers to iTrade though I agree with you that is what the sentence says. Was the transfer from Scotia chequing? If so, I can see the reason for no alert on in-house transfers. If not, then it is a potential problem.


----------



## james4beach (Nov 15, 2012)

AltaRed said:


> There is no reason to alert on incoming transfers to iTrade though I agree with you that is what the sentence says. Was the transfer from Scotia chequing? If so, I can see the reason for no alert on in-house transfers. If not, then it is a potential problem.


Yes it was in house. I agree there is nothing dangerous about that, but how about a withdrawal from iTrade to chequing?

I would like to know about those. Do you recall if iTrade sends a notification upon withdrawal from iTrade, to your linked chequing account?


----------



## AltaRed (Jun 8, 2009)

james4beach said:


> Yes it was in house. I agree there is nothing dangerous about that, but how about a withdrawal from iTrade to chequing?
> 
> I would like to know about those. Do you recall if iTrade sends a notification upon withdrawal from iTrade, to your linked chequing account?


No, they don't and I don't need that either. I have withdrawal transfers every month to Scotia chequing. However, I have many alerts set up in Scotia chequing, so even if there is a nefarious transfer to chequing, it isn't leaving chequing without an alert.
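As an added illustration (not code from any post, broker or bank in this thread), here is the alert policy the posts above sketch, written as a small Python rule set run over a constructed event stream: a message on unrecognised logins, on every withdrawal at or above a threshold, on trade fills, and on changes to password, e-mail or other sensitive settings. It also implements the two points argued in the last few posts: an inbound in-house transfer gets no alert, and a change of the notification e-mail is sent to both the old and the new address, which is the gap james4beach found when testing. All account data, addresses and event fields are made up for the example.

```python
"""Event-driven account alert policy (constructed example, not any bank's code)."""
import copy
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Alert = Tuple[str, str]          # (recipient address, message text)

# Settings whose change must always be reported: each is a path an intruder
# could use to lock the owner out or to silence future alerts.
SENSITIVE_SETTINGS = {"password", "primary_email", "notification_email", "alert_phone",
                      "security_questions", "linked_bank_account"}

# Constructed profile for one account holder (hypothetical address).
SAMPLE_PROFILE: Dict[str, Any] = {
    "notification_email": "owner@example.com",
    "withdrawal_threshold": 0.0,   # 0.0 = alert on every withdrawal
}


def evaluate_event(event: Event, profile: Dict[str, Any]) -> List[Alert]:
    """Return the alerts one event should trigger under `profile`."""
    alerts: List[Alert] = []
    to = profile["notification_email"]
    kind = event["type"]

    if kind == "login":
        # Known-device logins are noise; an unrecognised device is worth a message.
        if not event.get("known_device", False):
            alerts.append((to, f"New device login ({event.get('device', 'unknown')}, "
                               f"{event.get('location', 'unknown')})"))
    elif kind == "withdrawal":
        if event["amount"] >= profile["withdrawal_threshold"]:
            alerts.append((to, f"Withdrawal of {event['amount']:.2f} to {event['destination']}"))
    elif kind == "transfer_in":
        # An inbound transfer between the holder's own accounts at the same
        # institution adds money and cannot move it out: no alert. Anything
        # arriving from outside is still reported as unexpected activity.
        if not event.get("in_house", False):
            alerts.append((to, f"Deposit of {event['amount']:.2f} from {event['source']}"))
    elif kind == "trade_fill":
        alerts.append((to, f"Trade filled: {event['side']} {event['qty']} {event['symbol']}"))
    elif kind == "setting_change" and event["field"] in SENSITIVE_SETTINGS:
        msg = f"Your {event['field']} was changed. If this was not you, call us immediately."
        recipients = {to}
        if event["field"] == "notification_email":
            # Tell the OLD address as well as the new one; otherwise redirecting
            # the alerts silently disables them for the real owner.
            recipients.update({event["old"], event["new"]})
        for recipient in sorted(recipients):
            alerts.append((recipient, msg))
    return alerts


def run_policy(events: List[Event], profile: Dict[str, Any]) -> List[Alert]:
    """Evaluate an event stream in order, applying setting changes as they occur."""
    state = copy.deepcopy(profile)
    out: List[Alert] = []
    for ev in events:
        out.extend(evaluate_event(ev, state))
        if ev["type"] == "setting_change" and ev["field"] in state:
            state[ev["field"]] = ev["new"]   # later alerts go to the new destination
    return out


SAMPLE_EVENTS: List[Event] = [  # constructed stream for a single account
    {"type": "login", "known_device": True, "device": "home-pc", "location": "Victoria, BC"},
    {"type": "transfer_in", "amount": 2000.00, "in_house": True, "source": "chequing"},
    {"type": "trade_fill", "side": "BUY", "qty": 10, "symbol": "XYZ"},
    {"type": "login", "known_device": False, "device": "android", "location": "unknown"},
    {"type": "setting_change", "field": "notification_email",
     "old": "owner@example.com", "new": "other-address@example.net"},
    {"type": "withdrawal", "amount": 5000.00, "destination": "linked chequing"},
]

if __name__ == "__main__":
    for recipient, text in run_policy(SAMPLE_EVENTS, SAMPLE_PROFILE):
        print(f"{recipient}: {text}")
```

Running the stream produces no message for the known-device login or the in-house deposit, one each for the trade fill and the unknown-device login, two for the e-mail change (old and new address) and one for the withdrawal, delivered to whatever address is current at that moment.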


----------



## james4beach (Nov 15, 2012)

You've figured out much more about Scotia's system than I have! I didn't realize Scotia had alerts available on chequing as well.

Time for me to go discover those and add some alerts. Any tips or guidance on what worked well for you? My priority here is watching for theft and fraud.

I can imagine that the chequing account could be used as a conduit for stealing money out of the brokerage.


----------



## AltaRed (Jun 8, 2009)

There is a long list of them at "Scotia InfoAlerts" Tailor them for your lifestyle. I have all the Safeguard ones engaged...but few of the Transaction ones. No Balance ones are engaged. It is a question of how much text or email notifications you are prepared to put up with.


----------



## james4beach (Nov 15, 2012)

AltaRed said:


> There is a long list of them at "Scotia InfoAlerts" Tailor them for your lifestyle. I have all the Safeguard ones engaged...but few of the Transaction ones. No Balance ones are engaged. It is a question of how much text or email notifications you are prepared to put up with.


I don't think this is working properly. I set an alert for account balance on chequing falling below a threshold. Today (afternoon) I transferred some money out to test it and the balance is now below the threshold. There was no alert sent by email. Not in spam either. Maybe it will come at some point in the future, after a day?

However I do see it send email alerts when I change the settings, so emails are getting through. I just really expected an alert when the balance dropped.

If it arrives on a daily basis that would still be OK, I'll wait and report back.


----------



## AltaRed (Jun 8, 2009)

I suspect certain actions may not be immediate, not like alerts on credit card, debit/ATM, or e-transfer transactions, all of which I get within minutes typically. It may take hours or overnight for a below minimum account balance to show because there could be deposits that erase that minimum that same business day (may work on end-of-day balances only). Worthy of a Secure Message to find out why though.


----------



## james4beach (Nov 15, 2012)

I did not end up getting any alert on this balance crossing below the threshold. At first glance it looks like a failure of their system to notify me as expected.

Today I phoned Scotia and the agent said that when the settings are changed online (including threshold amounts) they may not take effect until midnight. So maybe the timing was off.

I am doing a new test and recording exact details and a time log. Today I set a new threshold to alert me of the balance dropping below a level. Currently my balance is above. I am going to give their system time over the weekend to absorb these new instructions. Next week, I will reduce the balance below the new threshold. This should hopefully send me an email alert.


----------



## CPA Candidate (Dec 15, 2013)

Two factor authentication and the fact that the only way to withdraw money from my investment account is into my bank account.


----------



## james4beach (Nov 15, 2012)

I did a careful experiment, logging the starting balance, the time I set the Scotia alert, and when the balance crossed below the threshold.

24 hours after that happening, I have not received an alert. I got in touch with Scotia and the rep thinks this is a malfunction -- he says I should have received an alert by now. The rep is going to follow up with me after another 24 hours to see if an alert comes through with delay.

I'm curious to see what happens with the Scotia alerts but what I'm seeing so far is not very encouraging.


----------



## AltaRed (Jun 8, 2009)

Does not sound satisfactory. Especially so when they advertise it.


----------



## m3s (Apr 3, 2010)

CPA Candidate said:


> Two factor authentication and the fact that the only way to withdraw money from my investment account is into my bank account.


Do you mean SMS codes? (2 step vs 2FA) SMS is not considered a true form of authentication. If you have ever ported a number to another provider you know how easy it is to hijack an SMS account

Given access to your email and sms one could also easily update your banking information. Even if they require some scribbles.. a signature is only useful long after the fact (who compares signatures during a transaction etc)

However given that financial transfers are traceable they wouldn't transfer to a bank. I've heard of sketchy trade manipulation to get the funds out. Using something with low volume I suppose


----------



## MrMatt (Dec 21, 2011)

m3s said:


> Do you mean SMS codes? (2 step vs 2FA) SMS is not considered a true form of authentication. If you have ever ported a number to another provider you know how easy it is to hijack an SMS account
> 
> Given access to your email and sms one could also easily update your banking information. Even if they require some scribbles.. a signature is only useful long after the fact (who compares signatures during a transaction etc)
> 
> However given that financial transfers are traceable they wouldn't transfer to a bank. I've heard of sketchy trade manipulation to get the funds out. Using something with low volume I suppose


Lots of people port cell phone numbers to hack accounts. 
It's one of the easiest ways to steal a cell phone number, SMS 2FA is a bad idea.


----------



## cainvest (May 1, 2013)

james4beach said:


> I did a careful experiment, logging the starting balance, the time I set the Scotia alert, and when the balance crossed below the threshold.
> 
> 24 hours after that happening, I have not received an alert. I got in touch with Scotia and the rep thinks this is a malfunction -- he says I should have received an alert by now. The rep is going to follow up with me after another 24 hours to see if an alert comes through with delay.
> 
> I'm curious to see what happens with the Scotia alerts but what I'm seeing so far is not very encouraging.


Very interesting, you'd think these features would be fully tested.


----------



## james4beach (Nov 15, 2012)

cainvest said:


> Very interesting, you'd think these features would be fully tested.


Still no Scotia alert today. This is now well over 24 hours since the balance fell below the threshold.

The safety feature is useless and appears to give a false sense of security. I'm keeping records of this and plan to file paperwork with Scotia (as well as TD, who also has a bug in their system). My plan is to file written documentation of their failures to provide functional security measures, to get ahead of the problem in case I ever have a legal dispute with them over theft.

I plan to point out, with this evidence, that the banks (Scotia and TD for example) are not providing sufficient tools for security measures and are failing in their duty ... their side of our joint responsibility ... to keep the account safe, despite my best efforts to keep it safe.

In my eyes, this increases the bank's liability in case of fraud or theft. The bank will try to say that the customer failed in their duties.

Now I have evidence the banks are failing in their duties. Let's say that I was a responsible customer trying to use all the tools available to me to protect my account. Then some fraud slips through unnoticed, because I was relying on Scotia's feature.


----------



## james4beach (Nov 15, 2012)

Does anyone know what the best avenue would be for providing written (paper documentation) notifications to Scotia and TD Direct Investing, keeping in mind I may reference this in case of a future legal dispute?

Ombudsman? Compliance department? I would be mailing paper documentation.

I am, of course, using their online tools and phone to report the problems but I want to send them solid written documentation that can be used in case of a legal dispute. Their phone reps don't really care about my bug reports at all and the Scotia 'secure message' system sends me back generic responses with no indication they will fix the problems.

After I mail my documents I will share with people here the details in case you are also customers of Scotia and TD Direct Investing. I don't know if the bugs I'm experiencing affect everyone else and can't speak for others, but I will be reporting the malfunctions that I am seeing.


----------



## m3s (Apr 3, 2010)

MrMatt said:


> Lots of people port cell phone numbers to hack accounts.
> It's one of the easiest ways to steal a cell phone number, SMS 2FA is a bad idea.


The banks are calling it "2 step verification" They know it's not true 2FA

My german bank and Interactive Brokers account required true 2FA a decade ago. IB used a simple card with verification codes.. probably costs pennies to implement. It means someone would need to see the physical card which is much harder to do from cyberspace than port a mobile number

No Cdn bank I know of has ever even offered a true 2FA


----------



## cainvest (May 1, 2013)

james4beach said:


> Does anyone know what the best avenue would be for providing written (paper documentation) notifications to Scotia and TD Direct Investing, keeping in mind I may reference this in case of a future legal dispute?


Honestly I'd just email them and list the problems here.

What do you think you'll get out of snail mailing them?


----------



## james4beach (Nov 15, 2012)

cainvest said:


> Honestly I'd just email them and list the problems here.


How would I know the email is received? Do you think this would be strong enough to use during a legal dispute later on?


----------



## cainvest (May 1, 2013)

james4beach said:


> How would I know the email is received? Do you think this would be strong enough to use during a legal dispute later on?


You don't, just like regular mail. If you have documented it in email, as well as here on CMF that's good enough in my eyes.


----------



## kcowan (Jul 1, 2010)

I would put all your hard copy proof into a Registered letter to their chief of security with a copy to the CEO.

When they don't respond, you will have to find someone who has suffered actual losses and take their case to the Ombudsman!


----------



## Money172375 (Jun 29, 2018)

james4beach said:


> Does anyone know what the best avenue would be for providing written (paper documentation) notifications to Scotia and TD Direct Investing, keeping in mind I may reference this in case of a future legal dispute?
> 
> Ombudsman? Compliance department? I would be mailing paper documentation.
> 
> ...


Wealth Management & Direct Investing Services

(Includes TD Wealth and TD Direct Investing) 
Fax: 1-877-725-9525 
Email: [email protected] 
Mail: Client Complaint Resolution Team, 
P.O. Box 5999, Station F, Toronto, ON, M4Y 2T1

If you’re not satisfied with their response, then go here:
Email: [email protected] 
Mail: Attn: Office of the Ombudsman P.O. Box 1, Toronto-Dominion Centre, Toronto, ON M5K 1A2

Don’t start with the ombudsman, they’ll just kick it back to you and tell you to go back a step in their process.


----------



## james4beach (Nov 15, 2012)

Thanks kcowan and Money172375. One reason I will be sending paper mail is that I am going to attach evidence and history. It's too much for email. And I also want tracking/evidence of delivery.

I am not trying to pick a fight with them. I'm just setting up a paper trail in the unlikely event that I ever suffer theft and need to fight the bank, if they claim that they did everything they could. I know for certain that they did NOT do everything they could.

I promise to share full details here as well but I'm still collecting evidence. Superficially these are not big bugs or glitches, but they are all part of the security story. In other words I don't lose any sleep over my BNS and TD accounts, but I'd rather they fix these shortcomings. I would still happily recommend either bank to others.


----------



## kcowan (Jul 1, 2010)

james4beach said:


> Thanks kcowan and Money172375
> I promise to share full details here as well but I'm still collecting evidence. Superficially these are not big bugs or glitches, but they are all part of the security story. In other words I don't lose any sleep over my BNS and TD accounts, but I'd rather they fix these shortcomings. I would still happily recommend either bank to others.


Just remember that you must have a provable case of loss to get them to act immediately. Otherwise you will get pablum responses like they will make their best efforts to satisfy you. (Best efforts = no effort, please go away)

The final step will be the FI ombudsman and politicians. I would warm that path by copying a "responsible" politician at the outset. The government is concerned about people being scammed.

You might even point out the flaw in Interac payments that is easily fixed if the banks would push it.


----------



## Beaver101 (Nov 14, 2011)

This is getting very interesting. Please keep us posted of the response(s) (and/or any proposed action).


----------



## james4beach (Nov 15, 2012)

I'm continuing to run tests on Scotia. Some positive news to report: the ATM alert did work. I got an email when the card was used for withdrawal, as expected. So that's good.


----------



## latebuyer (Nov 15, 2015)

Wouldn't TD Direct investing be more secure as you are only able to link your td chequing account to it rather than an external account?


----------



## m3s (Apr 3, 2010)

latebuyer said:


> Wouldn't TD Direct investing be more secure as you are only able to link your td chequing account to it rather than an external account?


Doesn't matter if they use trade manipulations. Sell all your assets and then buy some bogus low volume stock and trade it to themselves etc. If someone moved funds out the traditional way it's easy to trace


----------



## Eclectic12 (Oct 20, 2010)

latebuyer said:


> Wouldn't TD Direct investing be more secure as you are only able to link your td chequing account to it rather than an external account?


IIRC there are posts saying a link from TDDI to external accounts *can* be setup. The TD chequing account is the easiest with I believe less paperwork and waiting.
See post # 11, 12, 13, 15 and 19 ... https://www.canadianmoneyforum.com/showthread.php/127530-Withdrawing-TFSA-money-from-TDDI/page2


Cheers


----------



## m3s (Apr 3, 2010)

"Porting fraud is something the entire wireless industry in Canada has seen an increase in in recent months and it's something that we're all dealing with"
CBC source

SMS "2 step" is not true 2FA. SMS was a known weakness to hack crypto accounts and now we have an example of Canadian banks as well.

At least get 2FA on your email and we should all be asking Cdn banks for real 2FA not SMS bs


----------



## james4beach (Nov 15, 2012)

I'm not familiar with this type of fraud. The link m3s posted was
Farming family warning others after bank accounts emptied in port-out scam

I can't make sense of what happened here. Porting out a number means taking over someone's phone account, so the criminal now has complete control of the phone number. How is that enough to empty out a bank account?

Controlling a phone number should not be enough on its own to compromise a bank account. What happened in this case?


----------



## m3s (Apr 3, 2010)

james the Cdn banks are now trusting SMS for "2 step" verification. 1st step being the password that can be reset by email. Mobile numbers in Canada can be ported out to another sim card online with a few clicks and some very basic info. This was a known vulnerability in the crypto world long ago so I was always surprised when the Cdn banks recently adopted such a poor security measure.

Email can often be unlocked by answering 3 "security questions" of very basic info if you don't use 2FA like authenticator. In high school when emails were new and novel we used to hack each other by answering the security questions (usually public knowledge or easy enough to figure out) Security questions have always been a known vulnerability and even today used to unlock celebrity cloud accounts etc


----------



## cainvest (May 1, 2013)

m3s said:


> james the Cdn banks are now trusting SMS for "2 step" verification. 1st step being the password that can be reset by email. Mobile numbers in Canada can be ported out to another sim card online with a few clicks and some very basic info. This was a known vulnerability in the crypto world long ago so I was always surprised when the Cdn banks recently adopted such a poor security measure.
> 
> Email can often be unlocked by answering 3 "security questions" of very basic info if you don't use 2FA like authenticator. In high school when emails were new and novel we used to hack each other by answering the security questions (usually public knowledge or easy enough to figure out) Security questions have always been a known vulnerability and even today used to unlock celebrity cloud accounts etc


I think the vast majority (maybe all?) of these "hacked" accounts stems from weak passwords and weak security question answers whether it is 2FA, 2 step or not.


----------



## m3s (Apr 3, 2010)

Passwords are inherently weak because they can be hacked remotely (from anywhere online) whether by keylogger software or backdoor security questions

2 step or 2FA adds the second layer but 2 step is far far easier to hack than 2FA. 2 step is called 2 step because it is not a true form of authentication but rather just a second step

2FA should ideally be a physical token like the euro banks use (and government/military) The apps like authenticator provide a 30 second authentication.. that is the hacker has to be very fast

SMS 2 step is just a minor inconvenience. 2FA should require either physical theft of a token (in real life card not digital) or a timed digital code that requires access to a known device


----------



## cainvest (May 1, 2013)

m3s said:


> Passwords are inherently weak because they can be hacked remotely (from anywhere online) whether by keylogger software or backdoor security questions
> 
> 2 step or 2FA adds the second layer but 2 step is far far easier to hack than 2FA. 2 step is called 2 step because it is not a true form of authentication but rather just a second step
> 
> ...


Yes, everything can be hacked but if you're using strong passwords and have a reasonable sense of online digital security that'll knock out 99.99% of hackers.


----------



## m3s (Apr 3, 2010)

I would say true 2FA knocks out 99.9% but a strong password alone is not that good because there is often a way to bypass, reset or hijack a password

Doesn't matter how strong your password is if it can be bypassed by 3 "security questions" or intercepted by software/keyloggers. Only as strong as the weakest link

Your email at least should have a true 2FA because you can reset most other online accounts with the email regardless if they all have strong unique passwords


----------



## cainvest (May 1, 2013)

m3s said:


> Doesn't matter how strong your password is if it can be bypassed by 3 "security questions" or intercepted by software/keyloggers. Only as strong as the weakest link


You make it sound like key loggers can be deployed on everyone's computer ... not easy unless you are prone to downloading malware.

Also remember your 3 security questions are passwords themselves, how does that make it easier to bypass?


----------



## james4beach (Nov 15, 2012)

m3s said:


> james the Cdn banks are now trusting SMS for "2 step" verification. 1st step being the password that can be reset by email. Mobile numbers in Canada can be ported out to another sim card online with a few clicks and some very basic info. This was a known vulnerability in the crypto world long ago so I was always surprised when the Cdn banks recently adopted such a poor security measure.


Thanks for the info. So the hackers need to compromise both the email and phone, but in reality this is relatively easy to do. Email is very frequently compromised, and phones are just a bit more work to hack.

As you point out, Canadian phone numbers have been known to be vulnerable for a long time. 

This is really bad news. If you are correct, and having control of email+phone is enough to completely take over a Canadian bank account, it means that the banks are being negligent in their responsibility to protect our assets.


----------



## m3s (Apr 3, 2010)

Security questions are by design not strong passwords for multiple reasons. They are far more predictable just by being words, often public/known information and even if you treat them like unique random passwords yourself they are typically not treated as passwords by the system itself.

They are often displayed, transmitted and stored in plain text in insecure email/server/clouds etc. They are often repeated rather than unique. You are forced to use them by weaker accounts as a back door to recover your account and it often defeats any security practice/features of your password

Again if someone gets access to your email they can probably reset any of your other account passwords regardless of how strong/unique the passwords are. They only need to intercept that 1 password and this can be done in many many ways such as hacking a random other database that stored a similar login.

True 2FA on email is a bare minimum imo. True 2FA on financial accounts makes a lot of sense. Again other countries had this decades ago


----------



## Money172375 (Jun 29, 2018)

Is anyone up to speed on the insurance available for impersonations, account takeovers, fraud? I believe I have a little through my home insurance policy and I think I recall them offering more for a price.

I’d also like to mention that in over 20 years of banking, I witnessed all kinds of fraud. PIN skimming, impersonations, cheque frauds of every nature etc etc. The only time I remember a customer not being reimbursed is when the customer admitted to sharing or writing down their PIN number. That probably happened less than 5 times in 20 years. In every other case, the client was reimbursed. We probably saw 1 fraud claim per day in my branch. A pain in the butt when it happens, but you’ll most likely be fully reimbursed. Prevention is obviously better than remediation.


----------



## james4beach (Nov 15, 2012)

m3s said:


> True 2FA on email is a bare minimum imo. True 2FA on financial accounts makes a lot of sense. Again other countries had this decades ago


Even my Interactive Brokers account from 15 years ago included a wallet card with a code lookup on it. Extremely simple measure that adds significant security, though of course true hardware 2FA is much better. My Australian bank issued me a 2FA fob many years ago; this technology is readily available.

Canadians banks have dropped the ball here and we're all at risk because of it.


----------



## AltaRed (Jun 8, 2009)

Most customers don't want to have anything to do with 2FA. From what I have heard anecdotally, they'd change banks first. Getting more security in place on a broad scale will have to be regulatory mandated.


----------



## m3s (Apr 3, 2010)

Yes my German bank *required* a physical fob to access online banking. There was no "opt-in" like the recent SMS in Canada. You could bank in person or you could use the fob to bank online.

Same with the IB card, if I remember correctly it was not an option. This code card is very simple but achieves the same effect as a physical key or a physical token like the gov/military use

I'm not convinced the digital 2FA is actually better (at least not authentication apps) There are known cases of crypto theft that had 2FA apps but the person's email or phone was hacked.


----------



## cainvest (May 1, 2013)

m3s said:


> Security questions are by design not strong passwords for multiple reasons. They are far more predictable just by being words, often public/known information and even if you treat them like unique random passwords yourself they are typically not treated as passwords by the system itself.
> 
> They are often displayed, transmitted and stored in plain text in insecure email/server/clouds etc. They are often repeated rather than unique. You are forced to use them by weaker accounts as a back door to recover your account and it often defeats any security practice/features of your password


I find that hard to believe that the security question answers are "in the clear" or stored plain text unless one specifically does so themselves which is their own fault.



m3s said:


> Again if someone gets access to your email they can probably reset any of your other account passwords regardless how strong/unique the passwords.


Again, don't see how unless you've made a significant blunder to store passwords (or security question answers) in plain text in your email. We're not talking about "forum level" password resets here, we're talking banks which require your login/password(s) to reset.


----------



## m3s (Apr 3, 2010)

cainvest said:


> I find that hard to believe that the security question answers are "in the clear" or stored plain text unless one specifically does so themselves which is their own fault.


I agree the banks are probably smart enough to properly store security question answers

However many other accounts do not (a key tell is when the answer is displayed on your screen - probably stored and transmitted clear as well) And they all ask similar questions

They often don't have the same controls for whatever reason. You can try multiple times, answers are more predictable, don't allow symbols/numbers rather than require them

Security questions are also pretty basic to dox just like any other id theft.

If they are weaker than the password in any way they defeat those features of the password


----------



## cainvest (May 1, 2013)

m3s said:


> Security questions are also pretty basic to dox just like any other id theft.
> 
> If they are weaker than the password in any way they defeat those features of the password


Yup, I think banks and clients need a better system. The banks "lead you" into answering security questions as they are which is bad and not many people give it a second thought.

I bet almost all people answer the questions "as is" so my Mom's maiden name is "Smith" instead of answering, like I do, "[email protected]".

P.S. That's not my real security question answer BTW


----------



## james4beach (Nov 15, 2012)

Passwords and English text are inherently weak. Yes of course you can do a great job setting a strong password, or setting strong answers to the "Questions", but it's too easy to slip up and end up with weak security. For example, accidentally using the same password at two sites is one easy way to ruin the strength of even a strong password.

Email has *never* been particularly secure and frankly it's shocking that banks allow password resets by email. I almost don't believe it, want to try it myself.

As for keyloggers, there is now very sophisticated malware (trojans) that infiltrate personal computers and are meant to grab passwords. Some can evade anti-virus and they are specifically designed to steal banking credentials. They've been around a long time but are only getting more powerful.

Two factor authentication is really the best defence against all of these. What we really need is something like what Interactive Brokers does, and other global banks use with a separate physical thing which is used in authentication. This simultaneously protects against weak email, weak passwords, and banking trojans.


----------



## cainvest (May 1, 2013)

james4beach said:


> Passwords and English text are inherently weak.


I don't agree, when done correctly they are safe. Even more so when brute force attacks are limited or blocked.

Now if one's device becomes compromised with a virus/malware that can create a problem but if you are careful it's very unlikely to happen.


----------



## Retired Peasant (Apr 22, 2013)

keylogging: Would those in the know please comment on using a keyscrambler such as https://www.qfxsoftware.com/index.html


----------



## cainvest (May 1, 2013)

Retired Peasant said:


> keylogging: Would those in the know please comment on using a keyscrambler such as https://www.qfxsoftware.com/index.html


Your best defense is to not to get infected by any viruses, spyware or malware.


----------



## off.by.10 (Mar 16, 2014)

Retired Peasant said:


> keylogging: Would those in the know please comment on using a keyscrambler such as https://www.qfxsoftware.com/index.html


lol I wouldn't install that thing unless you paid me enough to buy a dedicated computer and internet connection for it, with some money left over for my trouble. And free? You can be almost certain it scans what you type and injects ads somewhere based on it. Probably has several security issues too.


----------



## m3s (Apr 3, 2010)

Any device with an internet connection is sending data to various sources from the factory. The only true defense is to not connect to the internet. Just open up any network analyser like wireshark and realize it's hopeless for any anti-virus to determine what is malicious

You can pretty much assume that your passwords have been compromised at some point no matter what you do. Use a 2FA authenticator app for any site that allows it and use a password manager to set strong unique passwords for all sites


----------



## cainvest (May 1, 2013)

m3s said:


> You can pretty much assume that your passwords have been compromised at some point no matter what you do.


That's a pretty broad doom and gloom statement. No respectable company is going to transmit your passwords (or personal info for that matter), the lawsuits would be flying!

If it was like you are suggesting I would imagine we'd be seeing a massive outbreak of people getting hacked, bank accounts being drained, etc. Since this is not happening ....


----------



## m3s (Apr 3, 2010)

cainvest said:


> That's a pretty broad doom and gloom statement. No respectible company is going to transmit your passwords (or personal info for that matter), the lawsuits would be flying!


The company that runs this forum was compromised more than once. So was Equifax and thousands of other companies. I signed up for a 3rd party service and found a few random accounts were compromised.

Who knows how many more that weren't detected/reported seeing as the company themselves typically hide it as long as possible, or aren't even aware themselves.

Passwords are pretty weak and can be compromised in multiple ways. Or do you think the gov/military and foreign banks are over reacting with 2FA?


----------



## cainvest (May 1, 2013)

m3s said:


> Any device with an internet connection is sending data to various sources from the factory. The only true defense is to not connect to the internet. Just open up any network analyser like wireshark and realize it's hopeless for any anti-virus to determine what is malicious


I was responding more to your first part (above) suggesting your passwords are being sent from your own computer, very unlikely.



m3s said:


> The company that runs this forum was compromised more than once. So was equifax and thousands of other companies. I signed up for a 3rd party service and found a few random accounts were compromised.
> 
> Who knows how many more that weren't detected/reported seeing as the company themselves typically hide it as long as possible, or aren't even aware themselves.
> 
> Passwords are pretty weak and can be compromised in multiple ways. Or do you think the gov/military and foreign banks are over reacting with 2FA?


Sure sites can be hacked, has happened and likely will again. If a site gets directly hacked will 2FA even help you? Guess it depends on the level of intrusion right, did they just scrape personal data or get direct read/write access to their site code and database?

I don't think 2FA is a bad idea, I use it in places and think it should be an option for people to use at our banks.


----------



## MrMatt (Dec 21, 2011)

cainvest said:


> I was responding more to your first part (above) suggesting your passwords are being sent from your own computer, very unlikely.
> 
> 
> Sure sites can be hacked, has happened and likely will again. If a site gets directly hacked will 2FA even help you? Guess it depends on the level of intrution right, did they just scrape personal data or get direct read/write access to their site code and database?
> ...


I would use 2FA more, but how do they make sure the 2FA stays secure.
Your token battery dies and what?

Phone SMS is even worse.


----------



## cainvest (May 1, 2013)

MrMatt said:


> I would use 2FA more, but how do they make sure the 2FA stays secure.
> Your token battery dies and what?
> 
> Phone SMS is even worse.


I think having multiple options is likely the best, many will not want to go through the hassles required for high security (tokens,fobs,etc).
Even having a simple SMS code reply would stop all that may breach a single login/password method providing it is on a different device.


----------



## Eclectic12 (Oct 20, 2010)

james4beach said:


> Thanks for the info. So the hackers need to compromise both the email and phone, but in reality is this relatively easy to do. Email is very frequently compromised, and phones are just a bit more work to hack ...


Keep in mind that most forgotten password systems assume the phone or email is secure. So by porting the phone, likely the email can also be stolen via the forgotten password link.

Rinse repeat for accounts like PayPal or similar that use the email address as the account.

Bank/brokerage accounts might use a specific account number, adding a bit of a barrier but I suspect their forgotten password systems make similar assumptions about the backup method being secure. I've also seen bank "help" with the problem of remembering the account number by creating an account name. I'd bet some are choosing their email address to match up to other accounts.




james4beach said:


> ... This is really bad news. If you are correct, and having control of email+phone is enough to completely take over a Canadian bank account, it means that the banks are being negligent in their responsibility to protect our assets.


Is this surprising?

My co-worker had his bank account cleaned out while in Columbia. The bank returned his money where he asked how often this happens. He was told it was happening at each branch for at least one account a week. The totals hadn't added up to enough for the bank to invest in upgraded procedures to stop it.


Cheers
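The "rinse, repeat" chain in the post above (ported phone number, then the email via its forgotten-password link, then every account that resets through that email) is a dependency graph, and the question "what falls if this one factor is stolen" can be computed. The following is an added example, not code from the thread or any bank: a small model in which each account lists the alternative sets of factors that suffice to reset it, and a fixed-point search for everything an attacker gains from one seed factor. The accounts and their reset rules are constructed for the demo and describe no real institution's process.

```python
"""Added example (not from the thread): transitive account takeover from a
single stolen recovery factor, over a constructed graph of reset rules.

Each account maps to a list of alternative recovery paths; a path is a set
of factors that together are sufficient to reset that account. A factor
that is itself an account (email, bank) becomes usable once it is taken.
"""
from copy import deepcopy

# Constructed account graph. Factors not present as keys (totp,
# security_answers) are atomic: they can only be stolen directly.
RECOVERY = {
    "phone":   [],                                   # held by the carrier; port-out steals it
    "email":   [{"phone"}],                          # forgotten-password -> SMS code
    "paypal":  [{"email"}],                          # reset link to the account email
    "bank":    [{"phone", "email"}, {"security_answers"}],  # SMS+email, or PVQs
    "broker":  [{"bank"}],                           # linked to the bank login
    "crypto":  [{"email", "totp"}],                  # reset needs email AND authenticator
}


def takeover_closure(seed, recovery=RECOVERY):
    """Starting from factors the attacker already controls, repeatedly add
    every account that has at least one fully-controlled recovery path,
    until nothing new falls. Returns only what was gained."""
    controlled = set(seed)
    changed = True
    while changed:
        changed = False
        for acct, paths in recovery.items():
            if acct in controlled:
                continue
            if any(path <= controlled for path in paths):
                controlled.add(acct)
                changed = True
    return controlled - set(seed)


def atomic_factors(recovery):
    """Factors an attacker must steal directly: keys with no recovery
    paths (the carrier-held phone number) plus leaves referenced only
    inside paths (authenticator, security answers)."""
    referenced = set().union(*(p for paths in recovery.values() for p in paths))
    roots = {acct for acct, paths in recovery.items() if not paths}
    return roots | (referenced - set(recovery))


def blast_radius(recovery=RECOVERY):
    """For every atomic factor, the sorted list of accounts that fall if
    it alone is stolen. A long list under 'phone' is the SMS port-out risk."""
    return {f: sorted(takeover_closure({f}, recovery)) for f in atomic_factors(recovery)}


def with_rule(recovery, acct, paths):
    """Copy of the graph with one account's reset rule replaced, to test a
    hardening change such as requiring an authenticator for email recovery."""
    changed = deepcopy(recovery)
    changed[acct] = [set(p) for p in paths]
    return changed


if __name__ == "__main__":
    print("as configured:", blast_radius(RECOVERY))
    hardened = with_rule(RECOVERY, "email", [{"phone", "totp"}])
    print("email reset needs phone AND authenticator:", blast_radius(hardened))
```

Under the constructed rules a ported phone number takes the email, then PayPal, then the bank (SMS plus email), then the linked broker; only the account whose reset also demands an authenticator survives. Changing a single rule, email recovery requiring the authenticator as well as the phone, collapses that whole chain to nothing, which is the "true 2FA on email is a bare minimum" point made earlier in the thread in graph form.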


----------



## Eclectic12 (Oct 20, 2010)

cainvest said:


> I think the vast majority (maybe all?) of these "hacked" accounts stems from weak passwords and weak security question answers whether it is 2FA, 2 step or not.


Where the forgotten password uses the cell phone SMS that is sent to a fraudulently transferred phone number - what does the password strength matter?

I don't recall any of the forgotten password systems asking for security questions as part of the password process. When a phone SMS text is sent, I haven't been asked any of the security questions ... just the SMS code. The assumption seems to be that where one has a phone number for the resetting passwords, the phone number is secure.


https://www.cbc.ca/news/canada/brit...ieves-try-to-drain-his-bank-account-1.5384432


Cheers


----------



## cainvest (May 1, 2013)

james4beach said:


> Still no Scotia alert today. This is now well over 24 hours since the balance fell below the threshold.


Any update on the balance alert?


----------



## Money172375 (Jun 29, 2018)

It’s rare that an account is “cleaned out”. The banks are pretty good at identifying patterns. It normally only takes 2-3 “unusual” transactions before they freeze the account.

Just check out the banks twitter pages......the complaints about accounts being frozen to suspected fraud are ten times the complaints for frauds which are allowed to occur.

The banks can do better....yes....it’s a never ending battle though.....you’re just trying to keep the enemy at bay. Overall the risk of catastrophic loss is low.....reimbursement in full occurs in the vast majority of cases.


----------



## Eclectic12 (Oct 20, 2010)

cainvest said:


> I find that hard to believe that the security question answers are "in the clear" or stored plain text unless one specifically does so themselves which is their own fault ...


I guess you are assuming the online services have all improved then?



> “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, *encrypted or unencrypted security questions and answers*,” Yahoo says of the 2013 data breach.


https://money.com/yahoo-data-breach-security-passwords-help/




cainvest said:


> m3s said:
> 
> 
> > Again if someone gets access to your email they can probably reset any of your other account passwords regardless how strong/unique the passwords.
> ...


So what was different when you reset your bank password online?


Cheers


----------



## m3s (Apr 3, 2010)

Sounds like it happens more often than we know because banks would be quick to pay and hush the underlying issue. Wouldn't it be covered by CIPF/CDIC insurance? These are paid by the financial firm correct so really us stock holders are paying for stupidity. Again IB uses a wallet card with printed codes ($1?) and the gov/mil use a chip card and card reader ($10?)



Eclectic12 said:


> My co-worker had his bank account cleaned out while in Columbia. The bank returned his money where he asked how often this happens. He was told it was happening at each branch for at least one account a week. The totals hadn't added up to enough for the bank to invest in upgraded procedures to stop it.





Money172375 said:


> Is anyone up to speed on the insurance available for impersonations, account takeovers, fraud? I believe I have a little through my home insurance policy and I think I recall them offering more for a price.
> 
> I’d also like to mention that in over 20 years of banking, I witnessed all kinds of fraud. PIN skimming, impersonations, cheque frauds of every nature etc etc. The only time I remember a customer not being reimbursed is when the customer admitted to sharing or writing down their PIN number. That probably happened less than 5 times in 20 years. In every other case, the client was reimbursed. We probably saw 1 fraud claim per day in my branch. A pain in the butt when it happens, but you’ll most likely be fully reimbursed. Prevention is obviously better than remediation.


TD Bank (USA) tried to verify my ID by phone by asking about recent transactions. I don't bother to memorize how much I spent on every transaction so they said I'd have to come to a branch. There was no branch anywhere nearby so I called back later and played along. Now they have my "voice print" to ID by voice which seems better than asking simple questions


----------



## cainvest (May 1, 2013)

Eclectic12 said:


> Where the forgotten password uses the cell phone SMS that is sent to a fraudulently transferred phone number - what does the password strength matter?
> 
> I don't recall any of the forgotten password systems asking for security questions as part of the password process. When a phone SMS text is sent, I haven't been asked any of the security questions ... just the SMS code. The assumption seems to be that where one has a phone number for the resetting passwords, the phone number is secure.
> 
> ...


Not sure about SMS with a bank but without it the security questions are used.

So your bank allows you to reset the password just from a simple SMS text? Do you need to reply any sort of passcode for the reset?


----------



## Money172375 (Jun 29, 2018)

m3s said:


> Sounds like it happens more often than we know because banks would be quick to pay and hush the underlying issue. Wouldn't it be covered by CIPF/CDIC insurance? These are paid by the financial firm correct so really us stock holders are paying for stupidity. Again IB uses a wallet card with printed codes ($1?) and the gov/mil use a chip card and card reader ($10?)
> 
> 
> 
> ...


CDIC and CIPF are for the insolvency of the firm. Not fraud related losses. Fraud related losses are a regular occurrence. The losses to the bank per instance are relatively small though.....I’d guess less than $1000 per occurrence. The larger ones that I witnessed or heard about revolved around customer impersonation. Ie. a crook enters a branch with fake ID matching your legitimate ID (other than the photo). Even in these cases it’s rare. Tellers (to the dismay of clients) are trained to probe when a transaction seems unusual. Used to get a lot of complaints when we asked “what’s this $10,000 bank draft for?” “Why are you wiring $5000 to South America?” I recently saw a news story where the actual customer was “allowed” to make multiple withdrawals from her own account, and now she’s suing the bank for not stopping her. She was not coerced or threatened, she was just following a crook's requests.


----------



## cainvest (May 1, 2013)

Eclectic12 said:


> I guess you are assuming the online services have all improved then?
> 
> https://money.com/yahoo-data-breach-security-passwords-help/


Not really discussing sites other than CDN banks, not sure how secure those are ... likely less I would gather.



Eclectic12 said:


> So what was different when you reset your bank password online?


I need to answer the security questions.


----------



## Eclectic12 (Oct 20, 2010)

Money172375 said:


> It’s rare that an account is “cleaned out”. The banks are pretty good at identifying patterns. It normally only takes 2-3 “unusual” transactions before they freeze the account ...





> Approximately $16,800 of the family's money was withdrawn in the span of a day, each transaction occurring in Regina — far from Walmsley's rented apartment in Vancouver's Kitsilano neighbourhood ... Walmsley says she would expect unusual banking activity taking place in a different city to trigger an alert from her bank, but she received nothing from Scotiabank to tip her off.


https://www.cbc.ca/news/canada/british-columbia/unexplained-bank-fraud-1.5359805


Cheers


----------



## Eclectic12 (Oct 20, 2010)

cainvest said:


> Not really discussing sites other than CDN banks, not sure how secure those are ... likely less I would gather ...





> "Criminals will use Simplii and BMO client informations to apply for products credit using social insurance number, date of birth and all other personnal info," the letter said.
> 
> The email ended with a sample of the information in question: the names, dates of birth, SIN and account balances of an Ontario man and a woman living in B.C.
> 
> ...


https://www.cbc.ca/news/business/simplii-data-hack-1.4680575

Any bets on whether the info stolen from BMO also included security Q&A's?


The security Q&A's might not have been in clear text but for at least Simplii Financial and possibly BMO, it didn't matter.


Cheers


----------



## m3s (Apr 3, 2010)

*Family lost hundreds of thousands* from its farm operations account (SMS port out scam) CBC link

"The fraud, which appears to have started with the *theft of a SaskTel phone number and email* last week, affected Johnson Livestock near Peebles, Sask. The bank account the family uses for farming operations and expenses was *completely drained.*

Johnson said after they made the Facebook post, they heard from other farmers in Saskatchewan that experienced *similar instances of fraud around the same time.*"

Again SMS "security codes" are well known in the crypto world as a no-no. It is not secure and it is not considered true 2FA. Entire crypto accounts were drained and now Cdn bank family business accounts are being drained.

Sure the bank pays it off but Cdn financials are the vast majority of Cdn stocks that most of us hold with home bias

I drain my own bank accounts chasing promo rates and buying things that require multiple transfers of 5 figures and nobody asks me anything besides the basic purpose (they give you example answers no thief can mess that up)


----------



## m3s (Apr 3, 2010)

Eclectic12 said:


> Any bets on whether the info stolen from BMO also included security Q&A's?


I doubt security questions are always protected the same as passwords. Just the fact that they are so simple defeats using strong unique passwords

The questions are so common that if weaker databases from other online accounts (like VerticalScope which runs CMF) are breached then you could answer the questions at banks etc

Heck it's not implausible to dox a mother's maiden name, street you lived on or what things one likes on social media etc


----------



## Money172375 (Jun 29, 2018)

(The cell phone provider)... stressed that in order for a person to execute a port-out fraud, they do need access to an individual's personal information.

I’m not saying these frauds don’t occur, but in my experience, the victim has often been lax or has “helped” it along. A few years ago, Facebook had a number of games and surveys which would ask about your fav colour or birthstone or vacation spot. People often use these responses in their secret questions. It doesn’t take a bot long to “guess” passwords based on info you’ve provided. I can’t tell you the number of times a customer would give me their PIN number or online password.....then we’d be forced to change it and the customer would refuse since they had their original one memorized. 

Like a lot of things in life.....driving, floods, food safety.......we do what we can to limit risk in what is a rare (but possibly costly) situation. 

Perhaps we need to differentiate out and out hacking vs traditional bank fraud (impersonations, pin skimming, cheque fraud, identity theft).


----------



## cainvest (May 1, 2013)

Eclectic12 said:


> https://www.cbc.ca/news/business/simplii-data-hack-1.4680575
> 
> Any bets on whether the info stolen from BMO also included security Q&A's?
> 
> ...


As mentioned, a direct hack of a bank's system is beyond your control ... no amount of "client side security" can protect you depending on the hacker's access. Did they get personal info only or did it include login, password and security question answers ... we'll never know. Your CBC link above states "the names, dates of birth, SIN and account balances" of two people which they "could have" got from other places.


----------



## Eclectic12 (Oct 20, 2010)

m3s said:


> I doubt security questions are always protected the same as passwords. Just the fact that they are so simple defeats using strong unique passwords
> 
> The questions are so common that if weaker databases from other online accounts (like Verticle Scope which runs CMF) then you could answer the questions at banks etc
> 
> Heck it's not implausible to dox a mother's maiden name, street you lived on or what things one likes on social media etc


Which is why I build complex answers that merge info and numbers, in some cases having nothing to do with the question. After all, if the fraudster gets the encrypted version and knows the encryption used, anything in a dictionary can be encrypted then compared ... revealing the info.


Cheers
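The attack the post above describes, hashing every dictionary word with the known algorithm and comparing against the leaked hashes, is the reason a plain "Smith" offers no protection once a site's answer table leaks. The following is an added example, not code from the thread or from any site mentioned in it: a constructed leak of answers stored as unsalted MD5 (the weak form the quoted Yahoo disclosure mentions), the attacker's precomputed lookup against it, and the contrasting salted slow-KDF storage under which the same wordlist has to be recomputed per record. The user records, answers and wordlist are all constructed for the demo.

```python
"""Added example (not from the thread): offline dictionary attack on a
leaked table of hashed security answers, and why a random answer held in
a password manager survives it while a real maiden name does not.

Assumptions: the careless site stored MD5(answer) with no salt, after
normalising the answer (lower-case, whitespace removed) so users could
type it loosely. Nothing here is a real site's storage format.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def normalise(answer: str) -> str:
    """Typical 'helpful' normalisation. It also shrinks the space an
    attacker has to search: case and spacing carry no entropy afterwards."""
    return "".join(answer.split()).lower()


def weak_store(answer: str) -> str:
    """Careless storage: unsalted MD5 of the normalised answer. Identical
    answers hash identically across every user and every site."""
    return hashlib.md5(normalise(answer).encode()).hexdigest()


def strong_store(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Better storage: per-record random salt and a slow, memory-hard KDF
    (scrypt; cost kept modest so the demo runs quickly)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalise(answer).encode(), salt=salt, n=2 ** 12, r=8, p=1)
    return salt, digest


def verify_strong(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a submitted answer against a stored record."""
    return hmac.compare_digest(strong_store(answer, salt)[1], digest)


def random_answer(nbytes: int = 18) -> str:
    """What the thread recommends: an answer unrelated to the question,
    generated at random and kept in the password manager's notes."""
    return secrets.token_urlsafe(nbytes)


# Constructed leak: 'mother's maiden name' answers for three users.
LEAKED_ROWS = {
    "alice": weak_store("Smith"),
    "bob":   weak_store("Mac Donald"),
    "carol": weak_store("x7#Qm!2vLp9@Kd4z"),   # treated the question as a password
}

# Constructed wordlist: common surnames plus what a doxxed profile yields.
WORDLIST = ["Smith", "Jones", "MacDonald", "Tremblay", "Singh", "Lee"]


def crack_unsalted(rows: dict, wordlist: list) -> dict:
    """One hash per word, computed once, then a dictionary lookup for every
    leaked row: with no salt the same table serves all users of all sites
    that used this scheme. Returns user -> recovered answer or None."""
    table = {hashlib.md5(normalise(w).encode()).hexdigest(): normalise(w) for w in wordlist}
    return {user: table.get(h) for user, h in rows.items()}


def hashes_needed(n_rows: int, n_words: int, salted: bool) -> int:
    """Work an attacker must do: unsalted, len(wordlist) hashes total;
    salted, len(wordlist) slow KDF runs for every single row."""
    return n_rows * n_words if salted else n_words


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_ROWS, WORDLIST))
    print("unsalted work:", hashes_needed(len(LEAKED_ROWS), len(WORDLIST), salted=False))
    print("salted work:  ", hashes_needed(len(LEAKED_ROWS), len(WORDLIST), salted=True))
    salt, digest = strong_store("Smith")
    print("verify ok:", verify_strong(" SMITH ", salt, digest))
    print("suggested answer:", random_answer())
```

Two caveats worth keeping in mind: salting and a slow KDF raise the attacker's cost per guess, but "Smith" still falls to a salted attack in a handful of guesses, so storage quality does not rescue a guessable answer; and the normalisation shown here means the defender's "strong" answer only keeps the entropy that survives lower-casing and whitespace removal, which is why a long random string from the password manager is the robust choice rather than clever capitalisation.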


----------



## Eclectic12 (Oct 20, 2010)

cainvest said:


> As mentioned, a direct hack of a bank's system is beyond your control ... no amount of "client side security" can protect you depending on the hacker's access ....


True ... but the talk was that the security Q&A could only be in clear text if the user did it.

You didn't like the Yahoo hack that reported hashed, not encrypted info where some Q&A that were stolen were listed as "unencrypted" as it wasn't a bank.
So I listed hacked bank info where security Q&A were provided by email and confirmed as accurate by the account holder.




cainvest said:


> Did they get personal info only or did it include login, password and security question answers ... we'll never know. Your CBC link above states "the names, dates of birth, SIN and account balances" of two people which they "could have" got from other places.


It also included the correct security answers for that bank account ... but without knowing the specifics, it might have come from other sources.


Maybe I'm just being jaded about what I think the banks are or are not doing for security. After all, it was the bank that cut my access card PIN from eight to four, supposedly because of network limits. There's also dealing with identity theft being used for bogus mortgages by selling title insurance instead of requiring better verification that they are dealing with the actual owner.


Cheers


----------



## m3s (Apr 3, 2010)

If you're going to build strong passwords out of security questions then why have security questions in the first place. More passwords just waters down the system with more passwords to potentially mismanage

I use a password manager to generate/store unique passwords with little effort but doing what you recommend means writing down 3x questions and passwords as notes. PITA when you have hundreds of accounts

Apple iPhone can unlock Apple devices automatically by proximity and biometrics now using secure enclave hardware. Ideally this should be the gateway to bank accounts instead of email/sms/personal questions


----------



## cainvest (May 1, 2013)

Eclectic12 said:


> It also included the correct security answers for that bank account ... but without knowing the specifics, it might have come from other sources.
> 
> 
> Maybe I just being jaded for what I think the banks are or are not doing for security. After all, it was the bank that cut my access card PIN from eight to four, supposedly because of network limits. There's also dealing with identity theft being used for bogus mortgages by selling title insurance instead of requiring better verification that they are dealing with the actual owner.


It can be difficult to tell with these media reports what actually went on but no doubt people and banks are getting hacked.


I do agree with you that bank security could be much better, honestly I wish they had more security options.


----------



## cainvest (May 1, 2013)

m3s said:


> If you're going to build strong passwords out of security questions then why have security questions in the first place.


They need some "easy" way to tell if it is you or not. BTW, same questions they ask you when you call them on the phone.

As I mentioned above, I do wish they would provide more security options.

Just for fun I asked a few of my friends I met today if they answered the security questions with the correct information, 4 out of 5 did. The other one, an IT tech guy, said he uses them as "passwords" not related to the question.


----------



## Eclectic12 (Oct 20, 2010)

m3s said:


> If you're going to build strong passwords out of security questions then why have security questions in the first place ...


Because the account forces me to set up security questions and answers. I'd rather have strong security Q&As to go with strong passwords rather than leaving a weak link.




m3s said:


> ... I use a password manager to generate/store unique passwords with little effort but doing what you recommend means writing down 3x questions and passwords as notes. PITA when you have hundreds of accounts


Why would I write them down?
The notes in my password manager keep track of the security Q&As, same as the password, so it's not as bad as you seem to think.

FWIW ... I have a fair number of accounts but am nowhere near one hundred, never mind hundreds.




m3s said:


> ... Apple iPhone can unlock Apple devices automatically by proximity and biometrics now using secure enclave hardware. Ideally this should be the gateway to bank accounts instead of email/sms/personal questions


Sure ... but while I'm forced to have password/SMS/security questions, I'd much rather have as much as possible set up to be strong.


Cheers


----------



## Eclectic12 (Oct 20, 2010)

cainvest said:


> It can be difficult to tell with these media reports what actually went on but no doubt people and banks are getting hacked ...


I was thinking more along the lines of the user who confirmed the security Q&A as accurate potentially re-using the same ones on a less protected site than a bank one.




cainvest said:


> ... I do agree with you that bank security could be much better, honestly I wish they had more security options.


The banks seem to be taking a similar approach to companies I have worked for ... until it happens often enough with enough cost or perceived potential loss, changes that improve security take a back seat.


Cheers


----------



## m3s (Apr 3, 2010)

cainvest said:


> They need some "easy" way to tell if it is you or not. BTW, same questions they ask you when you call them on the phone.


Do Canadian banks use voice print yet? They basically ask you some "easy" questions, but it's not for the answer; rather, they check that your voice print matches what they have on file. They ask your permission for this in the States; otherwise they ask some annoying questions like how much you spent on x transaction.


----------



## kcowan (Jul 1, 2010)

Yes TD telephone banking uses voiceprint.


----------



## james4beach (Nov 15, 2012)

Sorry I just haven't gotten around to following through on these bank security weaknesses. But I encourage everyone else to also carefully document and inform the banks of ANY glitch or shortcoming in security they see.

Online banking agreements protect banks, hold customers liable for losses, expert says

The banks are trying to wiggle out of liability in case of theft. Hopefully by getting it on the record that they are being delinquent in their responsibilities to provide secure systems, we can reduce their ability to wash their hands when theft occurs.

After Scotia told me they would investigate the failings I found in their alerts system, I never heard any follow up. I have not yet filed the paperwork with their complaints division... obviously I should go through the correct procedure for all that. This is more about establishing a paper trail for liability purposes and lawsuits, than anything else.


----------



## larry81 (Nov 22, 2010)

Just had long talks with TDDI regarding this (multiple phone calls over the last 2 weeks); they are generally clueless and the reps give wrong/conflicting information.

Here is what you can do as a customer:

1. Change your default username
2. Use a strong password
3. Enable multifactor authentication (PIN by SMS)
4. Enable transaction PIN for buy

There are two other measures that can be put in place, but they have major drawbacks:

- Disable the possibility to exchange information with TD Canada Trust (so the tellers don't see your TDDI accounts). This will break your access to tax slips, so beware.
- Enforce a "Transaction lock" on the account. This goes both ways: it locks the money going OUT and the money going IN. You will need to phone them every time you want to make a contribution.

Anyone with access to one of your monthly slips would be able to answer the dummy questions they always ask and get "verified". The questions are always the same:

- who is the main owner of the account?
- name me one stock and the amount held?
- what is the account total value?

Adding a custom question/answer that gets asked on top of those dummy questions would fix the issue, but it's "not supported"!

TDDI phone support is really the weakest link. They assure me that everything is covered, but we all know that when **** hits the fan and lawyers get involved, things are not that simple...

I encourage everyone to call them and ask the question: "as a TDDI customer, how can I protect myself from cybersecurity risks".


----------



## m3s (Apr 3, 2010)

larry81 said:


> TDDI phone support is really the weakest link. They assure me that everything is covered, but we all know that when **** hits the fan and lawyers get involved, things are not that simple...
> 
> I encourage everyone to call them and ask the question: "as a TDDI customer, how can I protect myself from cybersecurity risks".


"Contract lawyer says terms overwhelmingly favour banks, calls for more consumer protections" Online banking agreements protect banks, hold customers liable for losses CBC

I agree phone support is a weak link. It's not hard to get hints out of them for the security questions or to find a workaround.

A TD phone rep once told me I would have to verify ID in person when I didn't know a specific transaction value. I was able to unlock it with another rep and some convincing, which in hindsight isn't good.

Now once you are in you can just change the security settings online anyways.


----------



## Beaver101 (Nov 14, 2011)

james4beach said:


> Sorry I just haven't gotten around to following through on these bank security weaknesses. But I encourage everyone else to also carefully document and inform the banks of ANY glitch or shortcoming in security they see.
> *Online banking agreements protect banks, hold customers liable for losses, expert says*
> 
> ...


... WOW, WOW, WOW!!!! to that article in the link.

I'm wondering what it will take for the banks to smarten up their practice on this? Lawsuits? Multi-million ones or a billion or 2?


----------



## Money172375 (Jun 29, 2018)

I wonder (and suspect) that they are using other methods. Some simple, some sophisticated. If an incoming call to a bank is from a residential phone number that matches the number on file, that's the first step. Checking if a phone number on file has recently changed is the next step. If a criminal is on your home phone impersonating you, then you probably have other concerns, beyond financial. The same goes for mobile incoming calls....although there is a risk with fraudulent number porting.

I may be naive, but I put quite a bit of faith in the banking sector. (Former banker, haha). These are multi-billion dollar companies with 100+ years of history. Safety and fraud prevention are continuously being improved and challenged. I was once involved with a project on the verification questions being asked. It's a fine balance....make them too hard, and clients freak out; make them too easy, and there's risk. I always found the questions that a client chose themselves the funniest. Clients would fight and argue with me about "what their favourite drink is". They would accuse us of answering the question for them. Always made me laugh.

Clients get their money back almost all the time....I would guess 99% of the time. In my experience of 20 years, we probably declined a refund less than 10 times.....and that's with frauds happening almost daily in my branch. I don't want to minimize the risk, but the media tends to exaggerate the problem. The risk has been and continues to be very, very small for a fraud to occur. And the risk of not being reimbursed is even smaller. Albeit probably with some pain and aggravation. If the banks (or any other company) are aware of the risk, then they are working to resolve it.

Finally, you probably don’t hear much about banks being sued or lawsuits.....because they will eventually settle before it gets that far.


----------



## Eclectic12 (Oct 20, 2010)

Not sure the point of checking the calling number when the scam "CRA has a judgement against you - act now or the police will show up" calls I've received have been displayed as legit CRA numbers for a long time now. Gone are the days of the malformed numbers that instantly show it's a bogus call. Or are you thinking the banks have access to some system that identifies spoofed numbers better than what the telcos do?




Money172375 said:


> ... I may be naive, but I put quite a bit of faith in the banking sector. (Former banker, haha). These are multi-billion dollar companies with 100+ years of history ... Clients get their money back in almost all the time....I would guess 99% of the time. In my experience of 20 years, we probably declined a refund less than 10 times.....and that’s with frauds happening almost daily in my branch ...


Maybe ... I'm not filled with confidence when my PIN was cut from eight to ten digits down to four "because the system can only handle four". Strange that the system worked for years on the longer PIN and was able to change the PIN at the ATM, but only the branch reset forced a four digit PIN.

Most I have talked to who have suffered fraud have typically had the bank assume it was the customer's fault, or "your spouse took money out without telling you, so it's not our fault". In a couple of cases, it took the police talking to the bank or a consumer advocate talking to the bank to get the reimbursement.




Money172375 said:


> ... Finally, you probably don’t hear much about banks being sued or lawsuits.....because they will eventually settle before it gets that far.


True.


Cheers


----------



## james4beach (Nov 15, 2012)

What bothers me is that we have some systemic security weaknesses, things that m3s has written about as well. This means that all of our accounts are inherently exposed to risk, so even someone with a great password really cannot consider themselves to be safe.

Examples would be the ability to reset passwords or takeover accounts by using a combination of security questions / email / phone authentication. None of these things are particularly strong. Email is often easily compromised, and phones can be hacked, intercepted, or taken over pretty easily too. Furthermore, many people now do email & phone on the same hardware (smart phone) which creates a central point of failure.

And it was the choice of the banks to design their security systems in this inherently flawed way. When there is account compromise or theft, they are trying to throw blame back on the customer, whereas in fact they have designed a fundamentally weak system.

Pretend that I built a bridge that has fundamental design weaknesses. People are using the bridge in harsh weather and the bridge collapses. They blame me for their injuries. And then I have the audacity to say that the silly people shouldn't have used the bridge in harsh weather, they should have been more careful. Nope... the bank has liability here. We need government action or a class action lawsuit to correct their behaviour.

Their patchwork of various "sophisticated" security measures posted above is helpful, certainly, but does not change the fact that their authentication and account access mechanisms are fundamentally insecure.


----------



## Money172375 (Jun 29, 2018)

Eclectic12 said:


> Not sure the point of checking the calling number when the scam "CRA has a judgement against you - act now or the police will show up" calls I've received have been displayed as legit CRA numbers for a long time now. Gone are the days of the malformed numbers that instantly show it's a bogus call. Or are you thinking the banks have access to some system that identifies spoofed numbers better than what the telcos do?
> 
> 
> Maybe ... I'm not filled with confidence when my PIN was cut from eight to ten digits down to four "because the system can only handle four". Strange that the system worked for years on the longer PIN and was able to change the PIN at the ATM, but only the branch reset forced a four digit PIN.
> ...


Mind me asking which institution made the change to 4 digit PINs? Have you checked with them lately on their current parameters? Years ago, we advised people to stick to 4 digits if they planned on travelling out of CANADA, as we couldn’t guarantee a longer PIN would work in international machines.

As for the police involvement.....perfectly normal above a certain threshold. A crime has been committed and the police work closely with corporate security departments.


----------



## Money172375 (Jun 29, 2018)

james4beach said:


> What bothers me is that we have some systemic security weaknesses, things that m3s has written about as well. This means that all of our accounts are inherently exposed to risk, so even someone with a great password really cannot consider themselves to be safe.
> 
> Examples would be the ability to reset passwords or takeover accounts by using a combination of security questions / email / phone authentication. None of these things are particularly strong. Email is often easily compromised, and phones can be hacked, intercepted, or taken over pretty easily too. Furthermore, many people now do email & phone on the same hardware (smart phone) which creates a central point of failure.
> 
> ...


Not disputing anything you or others have mentioned....just that the risk is very very small. Having worked in a retail branch (being the face of most customer issues/concerns) for 20+ years, tells me that the risk is very, very small.

Flying and driving can be dangerous. We know the risks. We can lower speed limits and have 20km/hr governors to make it safer, and it still wouldn't be safe.

I'm no IT expert....yes the banks built the system.....probably decades ago when computing began. As things became more complex, the banks and all companies "bolted" on solutions, creating a patchwork that I suspect would be difficult to undo. I suspect, with no actual knowledge, that small and newer companies have an advantage here. Like thinking an older, massive home cannot compete on an efficiency basis with a brand new smaller home. It would be cost prohibitive to knock the old bigger house completely down to compete with the newer home.

The statement that the banks "are trying to throw blame back on the customer" is media driven. Talk to a banker you trust.....there is never any mention of "let's deny claims". For larger claims..yes, a min interview or questionnaire is done to determine what happened and where the breach occurred. Asking "is your bank card on you now, do you ever share or write down the PIN, when was the last time you used it, where?" is used to determine what happened......not to look for ways to get out from paying a claim. As a branch manager, I had no incentive, no compensation and no budget for electronic frauds. I'd much rather get your claim paid off quickly, so you'd get out of my hair. Lol.
I did have responsibility for frauds that occurred face to face in my branch, but that was a different sort of fraud than we're talking about here.

And I'll finally reiterate, the banks are gonna reimburse you anyway. There's tens, if not hundreds of thousands of frauds each year and a handful make the news every now and then.

If you are that concerned, vote with your wallet. Take your business elsewhere and change your banking habits. Disconnect all electronic banking. You know that's the only way to get a corp's attention. Legislation will take forever.

And consider..if you're into worst-case scenarios............creating a massive paper trail to one day present in a court of law outlining all your concerns and issues.........will be quickly turned around back to you........"Mr. James, as a customer you seemed to be very concerned and, in fact, knew the system was broken....yet you continued to use that system which you have stated is fundamentally broken. Isn't it a fact then, that YOU are at fault for KNOWINGLY using a broken system?" Bankers and lawyers are beauties! (Tongue in cheek)

I'm kidding of course and having a little fun..........the government and corporations told us weed killer, baby powder and cigarettes were all "safe", but I've chosen not to use them. If your concern is that real, then I would sincerely look to de-risk how you conduct your banking. You don't have to trade online, you don't have to use an ATM. There are options.

Do I think email money transfers are safe? Not sure........for years we were told that email is unsecure. Customers would freak out when we wouldn't accept email instructions. Would I send a $100 email transfer today....probably.....would I do it more than a few times a year.....no. Too many "external" players.....Interac, the email companies.....it's inherently different. If I send $100 from a TD account via my yahoo email to your gmail account and you bank at RBC......we've now got 5 entities involved. Not the same as writing a good old cheque that gets processed through a clearing centre owned by the banks. I digress.


----------



## Eclectic12 (Oct 20, 2010)

Money172375 said:


> Mind me asking which institution made the change to 4 digit PINs? Have you checked with them lately on their current parameters?


TD and I've since upgraded back to what I originally had.

The point is that the same card worked fine for years with a longer PIN so why did I need to dumb it down when it was reset in a branch?




Money172375 said:


> ... Years ago, we advised people to stick to 4 digits if they planned on travelling out of CANADA, as we couldn’t guarantee a longer PIN would work in international machines.


It was for use in Canada, where the hardware in the branch rejected anything over a four digit PIN. FWIW, there was no mention of travel, and it was years later before there was travel.




Money172375 said:


> ... As for the police involvement.....perfectly normal above a certain threshold. A crime has been committed and the police work closely with corporate security departments.


Trouble was the bank's review had already determined it wasn't a crime, where the conclusion was the spouse taking money from the joint account without admitting it. No fraud meant no compensation and no need for the police.

The police involvement was from their initiative, not the bank. They'd arrested some of the skimming ring where the police had found the couple's card/PIN info on the ring's equipment. The police notification of the bank was the only thing that moved the bank away from "what fraud?".


Cheers


----------



## Beaver101 (Nov 14, 2011)

^^ Post #108 - what is its purpose? Divert, deflect, or justify the issues otherwise what a bunch of ramblings ... :rolleyes2:


----------



## latebuyer (Nov 15, 2015)

I found it interesting and topical, actually. Some people aren't capable of reading more than a sentence.


----------



## AltaRed (Jun 8, 2009)

+1 It never hurts to have the conversation.


----------



## james4beach (Nov 15, 2012)

I had no problem with the reply. I really do hope the banks usually make people whole.


----------



## AltaRed (Jun 8, 2009)

james4beach said:


> I had no problem with the reply. I really do hope the banks usually make people whole.


Obviously it is going to depend on how careless customers are with their passwords and PIN information, and how diligent people are on regular monitoring of their online accounts (except on public wifi). Customers have to take some responsibility on protecting their accounts and logon credentials.


----------



## m3s (Apr 3, 2010)

I would rather have the minor inconvenience of 2FA (already do for major online accounts) than the stress of recovering an account and just hoping the institution decides I was subjectively 'diligent'.

Equifax.. 150 million user data stored in plain text compromised by the Chinese military. Europe didn't have incompetent private companies profiting off everyone's credit data so why do we?

At least make 2FA an option for those who do want to be 'diligent' and let the boomers stick with the basic security questions and plain text archaic system if they must.

NA is in the dark ages of banking and financial security especially if one compares to Europe or even leading crypto brokerages today. The threat is evolving and the banks are staffed by dodos


----------



## Beaver101 (Nov 14, 2011)

latebuyer said:


> I found it interesting and topical, actually. Some people aren't capable of reading more than a sentence.


... and these same people prefer not to be sucked into reading paragraph after paragraph of BS narratives. And I like people who're capable of posting a sentence or two only.


----------



## Eclectic12 (Oct 20, 2010)

Money172375 said:


> ... I’m no IT expert....yes the banks built the system.....probably decades ago when computing began. As things became more complex, the banks and all companies “bolted” on solutions, creating a patchwork that I suspect would be difficult to undo. I suspect, with no actual knowledge, that small and newer companies have an advantage here ... It would be cost prohibitive to knock the old bigger house completely down to compete with the newer home ...


Sure ... and as an IT guy, I've seen the small/newer company's new house rot away, because like the company with the big, creaky house - the "all or the least that can prevent the biggest issues" approach adds to the issues.

From what I've seen, the "it's too expensive to do in one shot" is a red herring as lots of other areas faced the same issue where making smaller steps with a plan to eventually get there was used. It reminded me of the insurance company I worked at leading into Y2K. The "all or nothing" mentality meant the fixes were done with mixed results, with a much higher toll (ex. OT, staff burnout, more consultants). For some other insurance companies, they did the build a new home approach as management was sold on "spend $X to fix the Y2K issues or spend $X plus a bit to do that plus offer new features". Had it been a priority, there was lots of lead time to build a plan of smaller chunks to get there.




Money172375 said:


> ... The statement that the banks “are trying to throw blame back on the customer” is media driven ... As a branch manager, I had no incentive, no compensation and no budget for electronic frauds. I’d much rather get your claim paid off quickly, so you’d get out of my hair. Lol.


Sure, that may have been your experience. Others, not so much.




Money172375 said:


> ... If you are that concerned, vote with your wallet. Take your business elsewhere and change your banking habits. Disconnect all electronic banking.


The last time I was offered by a bank to be kept off the mainstream electronic banking was in the '90s.

With your past work history and potential contacts, can you tell me which banks will let me disconnect?
It seems doubtful the bank would let me disconnect considering the branches in my area no longer have tellers. Nice couches with staff that are advertised to help with all the electronic options available.

Basically anything but putting cash under a mattress is likely a pipe dream from what I can tell.




Money172375 said:


> ... You know that’s the only way to get a corps attention. Legislation will take forever.


I suspect getting the attention of the gov't is easier.




Money172375 said:


> ... If your concern is that real, then I would sincerely look to de-risk how you conduct your banking. You don’t have to trade online, you don’t have to use an ATM. There are options.


The bank branch explicitly says I *have* to use an ATM. I'm not sure how far I'd have to drive to find one that hasn't been converted yet.

The other bank with tellers still requires an electronic card, when talking to a teller ... which I suspect will move to the "ATM only" model in the future.


As for trading through other than online options, the electronic access is still there - whether I choose to wait on the phone to make a trade or not.




Money172375 said:


> ... Do I think email money transfers are safe?


It seems to largely depend on:
1) whether the receiver automatically deposits the money so that the email address is an identifier for back end transfers instead of a conduit.
or
2) whether the receiver's email account has been kept secure and the security question is reasonably secure.




Money172375 said:


> ... Not the same as writing a good old cheque that gets processed through a clearing centre owned by the banks.


Not that cheques were/are secure either ... having had the date ignored on the cheque and being told I could spend the funds when there was nowhere near enough time for the cheque to be verified/cleared.


Cheers


----------



## Beaver101 (Nov 14, 2011)

james4beach said:


> I had no problem with the reply. *I really do hope the banks usually make people whole.*


... impossible when the "hack" is an inside job which doesn't even require signing onto or into your account.


----------



## seh (Nov 10, 2014)

The danger IS real. My iTrade account was hacked this week. Their fraud department phoned me to check on some attempted outgoing wire transfers, but that was only after 2 previous fraudulent incoming transfers from linked external accounts (putting those accounts into a negative balance). They said someone had successfully logged in to my account, so I can only assume my computer was infected, though a virus scanner didn't find anything. I.e. a strong 12 character password of gobbledygook is no guarantee of safety. Access card and passwords have all been changed, but it's still scary.

I asked when iTrade will have a 2FA on login, similar to TD, which allows you to register 2 phone numbers, AND offers the option of receiving the verification code either by SMS OR by voice. The answer was "they're working on it".


----------



## AltaRed (Jun 8, 2009)

Do you actually mean iTrade? Or Scotiabank? I have accounts at both.


----------



## seh (Nov 10, 2014)

iTrade.


----------



## Money172375 (Jun 29, 2018)

seh said:


> The danger IS real. My iTrade account was hacked this week. Their fraud department phoned me to check on some attempted outgoing wire transfers, but that was only after 2 previous fraudulent incoming transfers from linked external accounts (putting those accounts into a negative balance). They said someone had successfully logged in to my account, so I can only assume my computer was infected, though a virus scanner didn't find anything. I.e. a strong 12 character password of gobbledygook is no guarantee of safety. Access card and passwords have all been changed, but it's still scary.
> 
> I asked when iTrade will have a 2FA on login, similar to TD, which allows you to register 2 phone numbers, AND offers the option of receiving the verification code either by SMS OR by voice. The answer was "they're working on it".


Were the linked external accounts from major Canadian institutions? I wonder why the crooks didn't just transfer the funds to their accounts instead of transferring funds to your account. What allowed the external accounts to go into a negative balance? Was there an authorized overdraft limit?


----------



## seh (Nov 10, 2014)

Money172375 said:


> Were the linked external accounts from major Canadian institutions? I wonder why the crooks didn't just transfer the funds to their accounts instead of transferring funds to your account. What allowed the external accounts to go into a negative balance? Was there an authorized overdraft limit?


Yes - TD & RBC. It seems the only breach was into the iTrade account, which is linked to the external accounts. Those links allow transfer of funds to or from only. There's no evidence they were able to log directly in to the external accounts. There is no authorized overdraft limit. The requested transfer is treated as a written cheque, though it didn't immediately bounce, thus the negative balance. Their systems corrected/reversed this within 24-48 hours, along with the "NSF charges"!


----------



## Fain87 (Jan 20, 2018)

When I worked at a brokerage, it happened every few weeks that they'd investigate claims of hacking.


----------



## james4beach (Nov 15, 2012)

seh said:


> The danger IS real. My iTrade account was hacked this week.


Sorry to hear about this seh. Have you filed a police report? It's good to have as much paper trail as possible; this is a criminal act.

Thanks for sharing this. I'd like to check that I understood what happened in your case. Please correct me if I'm wrong:

It sounds like someone logged into your iTrade account, somehow (by this I assume you mean 'Scotia Online', which is their login portal for both banking & iTrade). Once they were in, they used an electronic fund transfer (EFT) to pull money from your externally linked TD & RBC accounts. I think they used this feature, copied & pasted below from what I see in my own Scotia account:

_The EFT service is designed to let you transfer funds between your Scotia iTRADE accounts and accounts that you hold with any Canadian banking institution.
. . .
You can request a cash transfer between your Scotia iTRADE accounts and personal bank accounts at any time._

Taking advantage of these externally linked accounts, they only had to log into Scotia, then pull money from those external banks. After bringing the cash into iTrade, they attempted to send money out using wire transfers. They probably did the two things back to back, rather quickly.

Does that sound about right?


----------



## AltaRed (Jun 8, 2009)

I would like to understand that sequence of events too. Is it as James suggests?

Was there any attempt to try and sell securities to raise cash? Most of us use a different trading password to try and thwart a hack as well. Nor do I have any appreciable cash sitting idle in iTrade accounts either, although a hack could get at some Scotiabank chequing account cash.


----------



## m3s (Apr 3, 2010)

seh said:


> I asked when iTrade will have a 2FA on login, similar to TD, which allows you to register 2 phone numbers, AND offers the option of receiving the verification code either by SMS OR by voice. The answer was "they're working on it".


SMS is just a speedbump.

2FA would require a physical card of codes like IB uses, or a time based code from an authenticator app like most serious online accounts offer today.

Luckily they couldn't withdraw your funds, but they could have traded with themselves on some obscure low volume stock or option.


----------



## like_to_retire (Oct 9, 2016)

james4beach said:


> _The EFT service is designed to let you transfer funds between your Scotia iTRADE accounts and accounts that you hold with any Canadian banking institution.
> . . .
> You can request a cash transfer between your Scotia iTRADE accounts and personal bank accounts at any time._


When I decided to stop using my Tangerine account and stick exclusively with TDDI, I tried online to delete my account at Tangerine for the very reason stated above. I was concerned that someone might break into the Tangerine account and transfer from my TDDI account.

It was impossible to delete the account online. I was surprised. So I had to phone them and convince them to delete the account.

The people that play the HISA transfer game and have a boatload of accounts all linked to their brokerage are probably more at risk than someone that uses a single brokerage that employs 2FA security. I also use a separate password for trading at TDDI along with the 2FA security. I don't use any mobile apps since I could lose my phone fairly easily.

ltr


----------



## m3s (Apr 3, 2010)

like_to_retire said:


> The people that play the HISA transfer game and have a boatload of accounts all linked to their brokerage are probably more at risk than someone that uses a single brokerage that employs 2FA security. I also use a separate password for trading at TDDI along with the 2FA security. I don't use any mobile apps since I could lose my phone fairly easily.


SMS is not considered 2FA. If you watch whenever SMS is employed they call it "2 step" which is considered watered down 2FA. SMS accounts can be ported online and SMS can be monitored very easily

The purpose of 2FA is to have a second physical key. Ideally this would be a physical smart card token or USB key but the mobile app is far better than SMS. SMS was never intended for security codes. The mobile apps/USB keys use offline time based codes not codes transmitted in the clear like SMS

The weakness is always the recovery method. Pay attention to what happens when you reset/recover an account. 2FA generally uses recovery codes - this is the weak link imo as people will fail to properly store them.


----------



## seh (Nov 10, 2014)

The sequence of events appears to be as James suggested. 

iTrade fraud department said that in addition to their investigation, they will involve the police. It remains to be seen how much of what they find they are willing to share with me (they've already told me the attempted wires were to 2 different banks in the U.S.). They claim their fraud detection is what caught the attempted outgoing wire transfers. Those wires may/should have failed anyway, as the funds from the incoming externally linked accounts were "on hold", and there was not enough other cash in the account to cover it (which presumably is the reason the thief initiated the incoming transfers in the first place). I don't know if there was any attempt to sell securities to raise cash - hopefully the different trading password would have thwarted that.

As an aside, I've seen that some of the Scotia iTrade alerts have stopped working. e.g. I was set up to receive an email the moment an out of country authorization occurred on my Scotia Visa card, and it always worked perfectly until recently. No response yet to my inquiry on this.


----------



## humble_pie (Jun 7, 2009)

like_to_retire said:


> When I decided to stop using my Tangerine account and stick exclusively with TDDI, I tried online to delete my account at Tangerine for the very reason stated above. I was concerned that someone might break into the Tangerine account and transfer from my TDDI account.
> 
> It was impossible to delete the account online. I was surprised. So I had to phone them and convince them to delete the account.




the 1st thing a client who is planning to ex tangerine should do is delete the bank account links from his tangerine profile. This is easy to do.

tangerine is unusual in that it is possible to close one's account(s) but the profile remains online for at least a couple of years. Former clients can log in & - i presume - view former accounts, although these will have been/should have been closed.

other financial institutions remove a former client's profile from the internet with lightning speed - sometimes to a client's chagrin because he loses important information for which he has no other record - but tangerine for some reason leaves client profiles on the internet for a period of time.


----------



## AltaRed (Jun 8, 2009)

Your Scotia Visa card and its alerts have nothing to do with iTrade. It is associated with Scotia banking. It is troublesome if some of the alerts have stopped working.


----------



## seh (Nov 10, 2014)

AltaRed said:


> Your Scotia Visa card and its alerts has nothing to do with iTrade. It is associated with Scotia banking.


I thought this as well, so was wondering why, when I login to Scotia iTrade, the Scotia Visa card also shows up on the list of accounts, with full access to all statements, etc.?


----------



## AltaRed (Jun 8, 2009)

You are actually logging into Scotia online banking, even if you are doing it with a Scotia iTrade access card. I do it the same way.....with an iTrade access card. 

When you log on, the login page has all your links. When you click on your iTrade link, it takes you to your iTrade page. When you click on your Scotia Visa link it takes you to your credit card page which is owned and managed by Scotia banking. 

The Scotia iTrade access card and the Scotia banking card are interchangeable for access to Scotia companies. You and I have Scotia iTrade access cards because our first experience with Scotia was with iTrade, not Scotia banking.

Alerts you set up on your iTrade page are associated with iTrade. The alerts you set up with your Visa card are set up in the Scotia banking system.


----------



## james4beach (Nov 15, 2012)

seh said:


> As an aside, I've seen that some of the Scotia iTrade alerts have stopped working. e.g. I was set up to receive an email the moment an out of country authorization occurred on my Scotia Visa card, and it always worked perfectly until recently. No response yet to my inquiry on this.


Many of their alerts don't work for me either. There is in fact an iTrade alert specifically meant for transfers out of the account... _and I never get those at all_.

I also don't see other Scotia Alerts. I recently did some tests by trying different conditions. Some worked and some didn't; that applies both to regular Scotia banking alerts and iTrade alerts.

To clarify the alerts I'm talking about, after logging into Scotia, there's a link at the side: Scotia InfoAlerts

After clicking that, I see two categories and I've been seeing flaky (unreliable) behaviour with both of these:

- Scotia InfoAlerts
- Wealth & Brokerage Email Alerts

seh, under that second link (Wealth & Brokerage), do you currently have an alert for: *A deposit or transfer has occurred in my Scotia iTRADE account*

If that is checked, did you see an email alert when all these transfers happened? I know that in my account, transfers to/from my Scotia chequing account do not cause an alert. I think they should. And in your case, an external transfer definitely should trigger that alert.


----------



## seh (Nov 10, 2014)

james4beach said:


> Many of their alerts don't work for me either. There is in fact an iTrade alert specifically meant for transfers out of the account... _and I never get those at all_.
> 
> I also don't see other Scotia Alerts. I recently did some tests by trying different conditions. Some worked and some didn't; that applies both to regular Scotia banking alerts and iTrade alerts.
> 
> ...



Yes, it is checked off and no, I did not receive an alert, but I am still receiving "notifications" (e.g. new statements ready), so I agree - the behaviour, which used to be reliable, is now flaky. I just now tried to add a new Scotia InfoAlert, but it would not accept my click (could possibly be a browser issue).


----------



## james4beach (Nov 15, 2012)

seh said:


> *Yes, it is checked off and no, I did not receive an alert*, but I am still receiving "notifications" (e.g. new statements ready), so I agree - the behaviour, which used to be reliable, is now flaky.


Could you please inform Scotia about this fact? You were supposed to get alerts of transfers into/out of iTrade, but their system failed to work properly. Therefore, you were not alerted to fraudulent activity.

When I last asked my branch about this problem, they said that the Scotia back office is not aware of any issues with alerts, so it seems they are either clueless about their problem, or ignoring the bugs in their system. If you report it as well, it will help Scotia eventually recognize that they have a problem.

By the way, I don't mean to pick on Scotia. There's also been a security bug at TD Direct Investing for many months (ever since their user interface redesign) that I've told their agents about repeatedly. The phone agents can even replicate and see the bug themselves. And yet, TD doesn't fix it.

If anyone is curious about that TDDI one, it's pretty simple: their last login time stamp is broken. It should show the date & time that you last logged into your account, so you can check whether anyone else has gotten in. It doesn't work.


----------



## cainvest (May 1, 2013)

Definitely concerning that Scotia still doesn't have all their alerts fixed.


----------



## AltaRed (Jun 8, 2009)

Got to keep hammering via Secure Messaging to the extent of getting aggressive about it. 

I sometimes say in such messages that I am taking a screen shot before pushing Send so that I have a written record should my concern not be addressed and/or I am damaged by lack of action.


----------



## james4beach (Nov 15, 2012)

AltaRed said:


> Got to keep hammering via Secure Messaging to the extent of getting aggressive about it.
> 
> I sometimes say in such messages that I am taking a screen shot before pushing Send so that I have written record should my concern not be addressed and/or *I am damaged by lack of action*.


Thanks, that's good advice. I will keep hammering away at it. I'm about to start hammering at TDDI too.

Quick tip: I've set up my dad's computer to use a totally separate Windows user account that's dedicated to banking. The idea here is to insulate the browsing environment (a bit) from the rest of the computer. This way, this account and its web browser are only ever used to log into banks & brokerages -- nothing else.


----------



## Beaver101 (Nov 14, 2011)

^ Sounds like these banking/brokerage "problems" are isolated to "smart"phones and public computer terminals.



AltaRed said:


> Got to keep hammering via Secure Messaging to the extent of getting aggressive about it.
> 
> I sometimes say in such messages that I am taking a screen shot before pushing Send so that I have written record should my concern not be addressed and/or I am damaged by lack of action.


... they're "working on it" :rolleyes2: ... maybe they're hoping the problems (and I don't mean the security ones) go away. :rolleyes2: :rolleyes2:



Btw, is that Scotia iTrade access card in addition to the (Scotia) bank cards used for debit, the banking stuff?


----------



## m3s (Apr 3, 2010)

Beaver101 said:


> ^ Sounds like these banking/brokerage "problems" are isolated to "smart"phones and public computer terminals.


They're not

You can use either improperly


----------



## james4beach (Nov 15, 2012)

And I share m3s's concern that the problems go deeper. These banks provide methods to "reset" the password... that process alone could be a path to compromising accounts.

The accounts can probably be hacked into even if you never get a virus on your computer. Combination of security questions, email, telephone.


----------



## AltaRed (Jun 8, 2009)

Beaver101 said:


> Btw, is that iScotia iTrade access card in addition to the (Scotia) bank cards used for debit, the banking stuffs?


Either card works for all of banking and brokerage. I use my iTrade access card for banking including ATM. I have the iTrade card only because I had an iTrade account (successor to E*Trade) long before I ever had Scotia banking accounts. For whatever reason, Scotia issued iTrade cards to non-Scotia clients when they re-branded E*Trade.

Short answer. Interchangeable.


----------



## james4beach (Nov 15, 2012)

There are several ways to log in. I've never had the card that AltaRed mentions, but one can also use their Scotia VISA card number, debit card number, or a username they create.


----------



## AltaRed (Jun 8, 2009)

james4beach said:


> There are several ways to log in. I've never had the card that AltaRed mentions, but one can also use their Scotia VISA card number, debit card number, or a username they create.


And that debit card can be a Scotiabank card or an iTrade card.

The few times I have ever gone to a Scotiabank teller, they are amused at my card. About 3 years ago, one of them asked me if they could see it, having never seen one before.


----------



## seh (Nov 10, 2014)

m3s said:


> SMS is just a speedbump
> 
> 2FA would require a physical card of codes like IB uses, or a time based code from an authenticator app like most serious online accounts offer today
> 
> Luckily they couldn't withdraw your funds but they could have traded with themselves on some obscure low volume stock or option


Agree that SMS is just a speed bump in the case of a lost mobile phone, but while I agree it's nowhere near as good as the time based authenticator app, wouldn't the SMS authentication have been a pretty significant speed bump in the event of the breach being due to a hacked computer?


----------



## m3s (Apr 3, 2010)

It's better than nothing but it's not a physical key because you can port the SMS remotely from anywhere with some basic info

You can hijack a mobile account from anywhere whereas a time based code requires physical access to the device/app within 30 seconds

Time based codes have still been hacked but not nearly as common as SMS


----------



## james4beach (Nov 15, 2012)

I've contacted iTrade and asked if they can disable the wire transfer (out) capability of my account. I will never use this feature.


----------



## seh (Nov 10, 2014)

Anyone know which (if any) of the online brokers offer/require a true 2FA with physical key for logging in?


----------



## seh (Nov 10, 2014)

james4beach said:


> I've contacted iTrade and asked if they can disable the wire transfer (out) capability of my account. I will never use this feature.


Good idea! Wasn't clear if they agreed to and have implemented your request?


----------



## james4beach (Nov 15, 2012)

james4beach said:


> Many of their alerts don't work for me either. There is in fact an iTrade alert specifically meant for transfers out of the account... _and I never get those at all_.
> 
> I also don't see other Scotia Alerts. I recently did some tests by trying different conditions. Some worked and some didn't; that applies both to regular Scotia banking alerts and iTrade alerts.


Recently (within the last month) I've found that the Scotia alerts are working more properly. For example I set a notification when the balance on my chequing account drops below $X, and I recently did get an email when the balance dropped below that amount.

So maybe Scotia is fixing this


----------



## calm (May 26, 2020)

I once asked a safe cracker about how he got into a safe and he said .....

Whatever man makes, man can get into.


----------



## MrBlackhill (Jun 10, 2020)

I have 2FA everywhere. I have activated all of the e-mail notifications and app notifications everywhere. I get at least 5 e-mails and 5 app notifications every single day about the status of my accounts. I use a password manager to generate and manage my passwords so I can change them every month if I wish with a password generator of the desired complexity. The password manager has auto-logoff after 1 minute of inactivity. All of my cards including my credit cards are on my cellphone, so basically my cellphone is my identity because I can do everything with it. My identity was stolen a few years ago, so now it's even harder to steal my identity because I'm now flagged for 7 years of high-level identification requirements.

The weakest point is not the technology, it's the person using the technology. Stealing data only requires convincing a human to click somewhere he shouldn't; no matter how much security you have, the human is the weak link.

At my job we already paid a hacking firm to test our organisation. It took only a few days. You know, now Word and Excel documents always have that "Allow Editing" notification which is pretty similar to "Allow Macros". The hacking firm did a bit of research about our organisation, sent emails to some C-level executives about pretty convincing opportunities with lots of documents and at some point some C-level executive, working a bit too late at night, a bit too busy and in a rush, clicked somewhere that he shouldn't have when looking at all that convincing documentation that seemed legitimate. And then since that C-level executive had access to too many networks, the hacker managed to gain access to everything... everything!


----------



## Brainer (Oct 8, 2015)

If you're trying to isolate things, why not look into Windows 10's sandboxing features?

*How to use Windows Sandbox in the Windows 10 May 2019 Update*
Have to run an untrusted app? You can run it in Windows Sandbox. Here's how

For those more technical:
*Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.*
https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox/ba-p/301849

NOTE: You may need hardware virtualization features on your PC to do these things.





james4beach said:


> Thanks, that's good advice. I will keep hammering away at it. I'm about to start hammering at TDDI too.
> 
> Quick tip: I've set up my dad's computer to use a totally separate Windows user account that's dedicated to banking. The idea here is to insulate the browsing environment (a bit) from the rest of the computer. This way, this account and its web browser are only ever used to log into banks & brokerages -- nothing else.


----------



## james4beach (Nov 15, 2012)

I'm pleased to say that Scotia's alerts are still working as expected. I recently triggered an "account balance" alert (under threshold) and was pleased to see the alert being sent out.

I must give Scotia some credit here. I've reported a couple system glitches to them over the last few months, and both have been fixed.


----------

