# Interac e-Transfer



## newfoundlander61 (Feb 6, 2011)

Can you send an Interac e-Transfer from the CIBC to any other bank IE: RBC or is it between CIBC clients only?


----------



## leoc2 (Dec 28, 2010)

I think it is a person to person transfer via email address. You can try to email yourself the money and deposit it in your other bank. Just thinking out loud...not sure about any of this.


----------



## redsgomarching (Mar 6, 2016)

Email address, and they need to have an account with a Canadian institution (can only be sent to certain Canadian financial entities).


----------



## Eclectic12 (Oct 20, 2010)

newfoundlander61 said:


> Can you send an Interac e-Transfer from the CIBC to any other bank IE: RBC or is it between CIBC clients only?


Yes ... I have received from banks I don't bank with. 
I have also sent where I have no idea what participating bank was receiving the funds.

Basically all that is needed is an email address and the receiver confirming their financial institution participates.
http://www.interac.ca/en/faq


Cheers


----------



## Ag Driver (Dec 13, 2012)

Deleted


----------



## kcowan (Jul 1, 2010)

And banks can make transfers at no cost. CIBC pays us our RIF proceeds each year into our TD accounts.


----------



## mars (Mar 11, 2014)

newfoundlander61 said:


> Can you send an Interac e-Transfer from the CIBC to any other bank IE: RBC or is it between CIBC clients only?


I do not have a CIBC account but I have friends who have sent me interac e-transfers from their CIBC accounts so yes it can be done.


----------



## AltaRed (Jun 8, 2009)

I Interac email transfer with a number of folks (vendors) and don't even know who their banking institution is (and don't need to know other than they say they accept Interac email transfers). Except between my spouse and I, I know she banks RBC while I bank Scotia.


----------



## OhGreatGuru (May 24, 2009)

FROM RBC

_You can now transfer funds immediately to your friends, family or associates who have accounts at
other Canadian financial institutions. An e-mail notice will be sent to them explaining how to collect the
funds through the Email Money Transfer secure payment system. This new service is available in
addition to your current payment options through our Online Banking service.

Simple, Fast, and Secure way to send money:
1. Click on "Pay bills and transfer funds" to send an Interac* Email Money Transfer
2. Simply enter the amount you would like to send and indicate from which account the money should
be withdrawn
3. Select your payment choice-in this case Email Money Transfer
4. Enter the security question and answer that is only shared with the recipient
5. Follow the screen prompts and within minutes your transfer will be completed

Important Facts about Interac Email Money Transfers:
* All you need to know is the recipient's name and e-mail address.
* You will need to provide a security question only the recipient will be able to answer.
* You will be able to review the status of the money transfer through the Payment History option.
* There is a fee of $1.50 to send an Interac Email Money Transfer that is withdrawn from the sender's
account immediately and is non-refundable. (Unless you have an account package that allows a number of free monthly transfers)
* There is no service fee to receive an Email Money Transfer using RBC Royal Bank Online Banking.

However, if the recipient does not bank online, they may be charged an additional service fee to
register and provide account information to receive the funds within 3-5 business days.
* There is no money sent through e-mail. The recipient's e-mail address is only used as a notification
of the transfer._


----------



## AltaRed (Jun 8, 2009)

OGG, what is your purpose for the cut and paste? The process is essentially the same for every institution.


----------



## gibor365 (Apr 1, 2011)

newfoundlander61 said:


> Can you send an Interac e-Transfer from the CIBC to any other bank IE: RBC or is it between CIBC clients only?


Yea, I send it very frequently to my or my son's email and it can be deposited in almost all institutions, but check with CIBC if you have to pay fees .... we don't


----------



## sags (May 15, 2010)

Is there a delay in transfer of the email funds ?

I asked about email transfers online and was told there would be a 1 day delay.


----------



## ian (Jun 18, 2016)

When we have sent monies the recipient has been able to access the funds immediately upon receipt.

CIBC charges us $1.50 for an interac transaction. We have a no charge seniors account so only the very basics are free. We pay our rent this way.


----------



## AltaRed (Jun 8, 2009)

I've never seen delays in access to funds. I've sent money to spouse a number of times and she gets credit for it in her account same day IF she accepts the transfer and completes the transaction. 

There are 3 steps to an Interac email transfer:
1. Originator sets up the online transfer in his/her account with amount, payee (email address) and security question/answer.
2. Recipient waits for email to show up in his/her email account
3. Recipient clicks on the link in the email, answers the security question, and completes the process of directing the transfer to his/her institution and the desired bank account in that institution.

Regardless, even if it is a business day, what difference does that make?

Whether institutions charge the originator for the email transfer depends on one's banking package and the institution. I have a cheap 'no fee' bank account package at Scotia and pay $1 for Interac email transfers (I have never paid account management fees for my bank accounts). They waive it occasionally for reasons I don't know.


----------



## rl1983 (Jun 17, 2015)

It's $1.50 now? Ugh. I was using it to transfer money from RBC into Waterhouse. I set up a bill payment that goes directly into my TFSA from the Chequing account at RBC. Works great.


----------



## AltaRed (Jun 8, 2009)

rl1983 said:


> It's $1.50 now? Ugh. I was using it to transfer money from RBC into Waterhouse. I set up a bill payment that goes directly into my TFSA from the Chequing account at RBC. Works great.


Of course that works great between you and yourself. Everyone does that (or Bill Payment). How do you pay your gardener? cleaner? electrician? move money to a relative/friend? I use Interac email transfer rather than cheque where I can.


----------



## rl1983 (Jun 17, 2015)

I have used it to pay a friend (concert tickets) but other than investments, I don't use it. Generally use Credit Card or Add Payee from Chequing.


----------



## gibor365 (Apr 1, 2011)

ian said:


> When we have sent monies the recipient has been able to access the funds immediately upon receipt.
> 
> CIBC charges us $1.50 for an interac transaction. We have a no charge seniors account so only the very basics are free. We pay our rent this way.


Yes, it depends on account type you have, in some cases it's free


----------



## kcowan (Jul 1, 2010)

At TD the fee is $1 and the daily limit is $3000. The weekly limit is $7000. For our housekeeper, I just set up a payment to her credit card. If you have a contractor who wants cash, ask them if they would accept that or a payment to their electric or other utility account.


----------



## OhGreatGuru (May 24, 2009)

AltaRed said:


> OGG, what is your purpose for the cut and paste? The process is essentially the same for every institution.


The OP didn't seem to be aware of that though. And quoting RBC might lead the OP to check his own bank's site (CIBC) for info.


----------



## AltaRed (Jun 8, 2009)

OhGreatGuru said:


> The OP didn't seem to be aware of that though. And quoting RBC might lead the OP to check his own bank's site (CIBC) for info.


I would have thought the OP would have already done the homework on the CIBC online site as a prerequisite, but for what it is worth, CIBC has an excellent 8 part FAQ style explanation and a relevant response to one of those parts says


> Which financial institutions participate in the INTERAC e-Transfer service?
> 
> The following financial institutions participate in the INTERAC e-TransferTM service:
> ...


----------



## james4beach (Nov 15, 2012)

Beware; here's an example where a criminal intercepted an Interac e-transfer. Neither the banks nor police seem to want to do anything about it, so it appears to be a total loss for the victim of the theft:
https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114



> RBC's website suggests in large font that customers are protected against fraud. Buried deep in the fine print are exclusions that prevented Hoover from claiming compensation. (RBC)


The criminal hacked the person's email. Because email is pretty easy to compromise, these transfers by e-mail are actually pretty dangerous to do, as described by the security expert in the article.


----------



## agent99 (Sep 11, 2013)

james4beach said:


> Beware; here's an example where a criminal intercepted an Interac e-transfer. Neither the banks nor police seem to want to do anything about it, so it appears *to be a total loss* for the victim of the theft:
> https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114


CBC says that RBC are refunding 1/2 the amount as a goodwill gesture. 

Seems the answer to the question asked was easy to guess. We have to assume that our emails are hacked, so the security question answer needs to be hard to guess.


----------



## OptsyEagle (Nov 29, 2009)

Also, with TD bank, you can set up another TD bank customer account in "bill payments". Then just pay a bill. This avoids emailing anything and it avoids the fee. I can't say if other banks allow this but TD does. Again, only between TD customers. 

One note: The bill payee (other TD customer account) needs to be set up at a TD branch or perhaps on the phone. You cannot do it yourself. You only need the other persons account number but someone at the bank has to do it. Once it is set up you can use it over and over again, without any assistance. It is just the setting up that requires a bank employee.

This works well if you have a child at college or like me, a person you like that occasionally needs a little financial help.


----------



## Eclectic12 (Oct 20, 2010)

james4beach said:


> Beware; here's an example where a criminal intercepted an Interac e-transfer ... The criminal hacked the person's email. Because email is pretty easy to compromise, these transfers by e-mail are actually pretty dangerous to do, as described by the security expert in the article.


Sure ... but at the same time, as a security guy - is it really all that great a security question to ask "Who is your favourite Beatle?", giving the fraudster a one in four chance to get the answer right?

Actually, with RBC giving four chances - the fraudster had a much better chance of getting the money.

I purposely run words together with added or deleted parts to make it more difficult. I also phone the person or talk to them in advance to give them the password. In some cases, the answer bears no relationship to my family or the question. For example, the question might be "Mother's Maiden Name" and the answer I give the receiver is my uncle's first and last name as one big string.


Cheers


----------



## OptsyEagle (Nov 29, 2009)

Eclectic12 said:


> Sure ... but at the same time, as a security guy - is it really all that great a security question to ask "Who is your favourite Beatle?", giving the fraudster a one in four chance to get the answer right?
> 
> Actually, with RBC giving four chances - the fraudster had a much better chance of getting the money.
> 
> ...


I like it. It's like saying "who is the president of the United States" and the answer is "Elvis Presley". Not only do you protect against the hacker, but you also get to drive him crazy. lol.


----------



## james4beach (Nov 15, 2012)

Eclectic12 said:


> Sure ... but at the same time, as a security guy - is it really all that great a security question to ask "Who is your favourite Beatle?", giving the fraudster a one in four chance to get the answer right?
> 
> Actually, with RBC giving four chances - the fraudster had a much better chance of getting the money.


Of course the selected question should have been stronger, but the big issue here (from a security design perspective) is that passwords of this form are typically very weak. If it wasn't a Beatles question, it would have been some other question that was relatively weak as well. Worse than that, email is the kind of place a hacker will usually find clues about passwords.

Here's where the banks and Interac failed in their duty to enforce strong security: _knowing_ that users will tend to choose poor passwords in this context, they should have done things like

- enforcing stronger passwords by running various checks
- making sure the passwords don't match dictionary / common words
- making sure passwords haven't been re-used from last transfers
- calculating strength by looking for combinations of letters and digits
- requiring something like legal name to match for the transfer to occur

Why isn't at least a name matched up?


----------



## agent99 (Sep 11, 2013)

james4beach said:


> Here's where the banks and Interac failed in their duty to enforce strong security: _knowing_ that users will tend to choose poor passwords in this context, they should have done things like....


Maybe the lady should have used Bitcoins and eliminated the banks as intermediary?


----------



## Eclectic12 (Oct 20, 2010)

OptsyEagle said:


> I like it. It's like saying "who is the president of the United States" and the answer is "Elvis Presley". Not only do you protect against the hacker, but you also get to drive him crazy. lol.


Not quite ... I'd more likely have an answer of "ElvisPresleyTN" or similar. The string is related so it should be relatively easy to remember but with no spaces and added or prefixed material, should not match a dictionary.




james4beach said:


> Of course the selected question should have been stronger ...


The questions are all crap so AFAICT, the only option available to those paying attention is to pick an unrelated stronger answer.

Or perhaps you know of a setup where one writes one's own questions?




james4beach said:


> ... the big issue here (from a security design perspective) is that *passwords* of this form are typically very weak. If it wasn't a Beatles question, it would have been some other question that was relatively weak as well. Worse than that, email is the kind of place a hacker will usually find clues about passwords ...


Can you give me an example of a stronger question that would help for the problem of users picking weak passwords?
Given that most of the systems have canned questions, it seems more efficient to educate people to stay away from correct answers plus string phrases together in a way that can be remembered but that would not be in a dictionary.




james4beach said:


> ... Here's where the banks and Interac failed in their duty to enforce strong security: _knowing_ that users will tend to choose poor passwords in this context, they should have done things like
> 
> - enforcing stronger passwords by running various checks


What sort of checks? Equally easy to find information that mother's maiden surname and father's surname?




james4beach said:


> ... - making sure the passwords don't match dictionary / common words
> - making sure passwords haven't been re-used from last transfers
> - calculating strength by looking for combinations of letters and digits ...


Agreed ... though with the number of passwords on post it notes or sent through email - it may not be all that effective.






james4beach said:


> ... - requiring something like legal name to match for the transfer to occur
> Why isn't at least a name matched up?


Finding someone's legal name is all that difficult?
I'm not so sure.


Cheers


----------



## Spudd (Oct 11, 2011)

At TD you write your own question.


----------



## like_to_retire (Oct 9, 2016)

Eclectic12 said:


> Can you give me an example of a stronger question that would help for the problem of users picking weak passwords?
> Given that most of the systems have canned questions, it seems more efficient to educate people to stay away from correct answers plus string phrases together in a way that can be remembered but that would not be in a dictionary.


I bank with TD and in their case the security question is totally your input to a form-fill. You can ask any question you wish and supply any answer (password) you wish in another form fill.

I'm surprised that this is now a scam. I was lulled into thinking it was very secure, but it makes sense now that I think about it. I have been very lax about this, as I send my sons money oft-times for various reasons if they buy us tickets for something or a meal and I reimburse them. They always seem to forget the complicated answer to the posed question and then I have to send the password via e-mail. Duh, I guess that's not smart. 

I suppose I should send it in a text - would that be more secure?

ltr


----------



## RBull (Jan 20, 2013)

Spudd said:


> At TD you write your own question.


Same at RBC where the Beatles question was asked by the account holder, whose email was hacked. I think all FIs have that.


----------



## AltaRed (Jun 8, 2009)

like_to_retire said:


> I suppose I should send it in a text - would that be more secure?


Most definitely...and IMO, the only way to send the password. And it should be unrelated to the question (which is irrelevant), and be some phrase. Example: What is my favourite beer? In an SMS text, the answer could be "pellerniagarachardonnay".


----------



## john.cray (Dec 7, 2016)

As far as I know ... you can set up automatic deposit of Interac transfers to your account upon receipt of transfer from someone else to your email.
In this case the sender doesn't need to enter any passwords and you don't get to choose the account to deposit for every transfer.

I reckon this eliminates the possibility to hijack the email part.


----------



## Eclectic12 (Oct 20, 2010)

like_to_retire said:


> ... I'm surprised that this is now a scam.


I'm not sure I'd call it a scam so much as a vulnerability ... kind of like using something like "password" as your debit card password.




like_to_retire said:


> ... I have been very lax about this, as I send my sons money oft-times for various reasons if they buy us tickets for something or a meal and I reimburse them. They always seem to forget the complicated answer to the posed question and then I have to send the password via e-mail. Duh, I guess that's not smart ...


That's where I prefer a different channel to provide the complicated answer. For example, talk to or call the person to give the password.

It also is vulnerable but having to get info from multiple sources makes it less likely to be compromised.




like_to_retire said:


> ...I suppose I should send it in a text - would that be more secure?


More secure than emailing the answer and less secure than other methods. :biggrin:


Cheers


----------



## Eclectic12 (Oct 20, 2010)

john.cray said:


> As far as I know ... you can set up automatic deposit of Interac transfers to your account upon receipt of transfer from someone else to your email.
> In this case the sender doesn't need to enter any passwords and you don't get to choose the account to deposit for every transfer ...


According to a couple of my bank's auto setup process - the "no need for passwords" is *if* the sender did not override it.



> Once Autodeposit is setup for each email address you entered, when someone uses Interac e-Transfer to send money using that email address, the money will be automatically deposited to the chosen account, *if:*
> - the sender sent the money from a FI that supports Autodeposit
> *and*
> - the sender does not otherwise require you to answer a security question


It also identifies that anyone attempting to send money via Interac e-transfer to your email address will see one's name or business name or trade name.




john.cray said:


> ... I reckon this eliminates the possibility to hijack the email part.


For those sending funds with no security question/answer, it would seem so.


Cheers


----------



## agent99 (Sep 11, 2013)

AltaRed said:


> Example: What is my favourite beer? In an SMS text, the answer could be "pellerniagarachardonnay".


Heck, I would have got that wrong. I would have guessed at bottled or canned


----------



## AltaRed (Jun 8, 2009)

agent99 said:


> Heck, I would have got that wrong. I would have guessed at bottled or canned


The key is to have: 1) a password unrelated to the question, 2) a lengthy password like my example, and 3) don't also send it by email.

Per John Cray, I agree autodeposit is safer because the receiving email address is tied to a specific bank account (probably via Interac itself). Per Eclectic12, I don't know if the sender can override it but I know when I have sent an e-transfer with a password, and the receiver has autodeposit set up, the e-transfer happened automatically anyway. I will have to look more closely next time I send money if a sender can override an autodeposit with a forced password, but I think this would be highly improper.


----------



## Eclectic12 (Oct 20, 2010)

Interesting that a couple of banks would be using the similar wording in their note, if the sender's Q&A setup can be ignored. 
I don't use Autodeposit and may have received all of five Interac e-transfers and have sent two so I don't have a lot of experience. :biggrin:


Cheers


----------



## john.cray (Dec 7, 2016)

When I enter an email address of a recipient who has enabled auto deposit ScotiaBank removes the
password field and informs me that the recipient has autodeposit enabled and I don't need (cannot enter)
a password. But I guess other institutions might have different rules.


----------



## AltaRed (Jun 8, 2009)

Thanks. Your post jogged my memory to remember that is what I get when I send to someone with auto deposit set up. Few people, or businesses, I send to have auto deposit set up but they should if they can do so.


----------



## Retiredguy (Jul 24, 2013)

I transfer funds from my VanCity Credit Union account to my TD account (or my daughter's account) as a bill payment (no charge and set up like a credit card pmt). Not sure if it's possible with the other of the big 5/6 banks.

TD back to VanCity doesn't work.


----------



## AltaRed (Jun 8, 2009)

Generally, Bill Payment does not work (that I know of) to other bank accounts, at least within the big 5. Bill Payment works to other kinds of accounts, e.g. brokerage accounts. IF I want to move money from Scotia banking to BMO banking: 
1) I can use a me2me Interac e-transfer, or 
2) I can Bill Pay to my BMO IL brokerage account and then transfer to BMO banking. Same thing if I want to move money from BMO banking to Scotia banking (first a Bill Pay to my iTrade brokerage account, then a transfer to Scotia banking), or
3) I can pull from Scotia banking to EQ Bank and then push to BMO banking.

There are various ways to facilitate things like this.... Depends on what accounts one has where. Clearly me2me Interac e-transfer works as long as the amount is not too large (there are daily and weekly limits).


----------



## james4beach (Nov 15, 2012)

There are now more cases of theft, and it seems that banks are telling customers that e-transfer thefts are the customer's own fault.

https://www.cbc.ca/news/business/etransfer-fraud-banks-blame-customers-1.5286926

In one example from this article, the security question chosen was "What is your wife's name?"

The money was intercepted and stolen. TD says it was the sender's fault, because apparently the wife's name is visible on Facebook.

As I said earlier, the structure of these e-transfers is very weak. Email is inherently insecure (can be easy to hack), and the kinds of security questions the banks are getting people to enter are inherently weak. I think that a motivated bank will be able to wash their hands of responsibility in many instances.

With the way the banks have set up these e-transfers, I think the customer has to really go out of their way to try making the transfer secure. It's not easy.



> All told, Go Public has learned about fraudsters using e-transfer to steal almost $64,000 from 56 people with accounts at TD, CIBC, Royal Bank, Scotiabank, Tangerine, Simplii, HSBC, Assiniboine Credit Union and Kawartha Credit Union.
> 
> Customers did not get their money back in almost three-quarters of the cases


----------



## nobleea (Oct 11, 2013)

james4beach said:


> There are now more cases of theft, and it seems that banks are telling customers that e-transfer thefts are the customer's own fault.
> 
> https://www.cbc.ca/news/business/etransfer-fraud-banks-blame-customers-1.5286926
> 
> ...


Just set up the autodeposit. Then no question/answer is required.
https://www.interac.ca/en/faq/cat/69-autodeposit.html


----------



## Userkare (Nov 17, 2014)

james4beach said:


> There are now more cases of theft, and it seems that banks are telling customers that e-transfer thefts are the customer's own fault.
> In one example from this article, the security question chosen was "What is your wife's name?"


I haven't used e-transfer much, but IINM the sender creates the security code and should communicate it to the receiver not by e-mail.

Those questions like "who was best man at your wedding", I believe were for signing on to on-line banking.


----------



## OnlyMyOpinion (Sep 1, 2013)

I thought most of the people showed low understanding of e-trsfr. More education definitely needed.

I read a guy's reddit post recently. Clever. He wanted to rent a place seen on Kijiji. Ll wanted 2mos equiv to hold it till they met next day to view it (Ll wouldn't give exact address until he had the money either).
Guy sent e-trsfr but said he'd provide pw next day when they met to walk through. Ll kept insisting he needed pw.
Finally Ll gave address and agreed to meet. Never showed up. Complete scam. But e-trsfr expired and fraudster Ll got nothing from him.


----------



## AltaRed (Jun 8, 2009)

Interac e-transfer is clearly secure enough if the sender and receiver use an appropriate secure password. Userkare is correct (James is incorrect) in that FI's don't recommend any security questions at all. That is strictly up to sender and receiver.

The weak link is contractors (service providers) who have latched on to e-transfer as a convenient means to receive payment, which is a good concept, BUT: 1) want an easy password from their customers, and worse 2) have an easily hacked password for their receiving email. The weak link is the receiver's email, which if easily hacked results in the re-direct. Interac and financial institutions should emphasize in their promotional materials of the need for essentially hack proof email addresses. If I was a service provider receiving many of my payments by e-transfer, I'd have a dedicated email addy for it and a highly complicated 20 alphanumeric type password for that email addy.


----------



## james4beach (Nov 15, 2012)

Emails are relatively easy to hack, in most cases. Of course one can go out of their way to set a strong password and 2 factor auth, but most people don't. Email is generally insecure and easy to compromise.

Because of that, it never was well-suited to money transfers.


----------



## like_to_retire (Oct 9, 2016)

james4beach said:


> Emails are relatively easy to hack, in most cases. Of course one can go out of their way to set a strong password and 2 factor auth, but most people don't. Email is generally insecure and easy to compromise.
> 
> Because of that, it never was well-suited to money transfers.


But if the thieves don't have the password, they can't steal the money.

If people don't make the effort to secure the password (by sending it through phone or text), then I think you could say that no method of transferring money is well-suited.

ltr


----------



## AltaRed (Jun 8, 2009)

To repeat, a strong email password to thwart hacking, and a strong password for the e-transfer makes the system as secure as anything the consumer should ever need for the size of transactions currently offered/limited by the system. I use it regularly for certain transactions with service providers. 

P.S. I use auto deposit to avoid the need for a password altogether, trusting my email addy is secure and not compromised.


----------



## james4beach (Nov 15, 2012)

Using a very strong password for the transfer itself is a great idea, but most people will never use it like that.

What *would* make the system more secure is if the banks adopted a measure I described much earlier in this thread, which is to screen any password for transfers, to ensure it is a long, alphanumeric, random-ish thing. Password strength can be tested and enforced. Then, passwords such as my wife's name: Martha would be unacceptable, and rejected. *And money would never be put at risk to begin with.*

The problem, AltaRed, is that most people will never use strong passwords, unless they are enforced by the infrastructure. Yes you can, and should, go out of your way to set a very strong password.

But most people won't. These contractors, and students receiving money from their parents, will unfortunately continue to have money stolen with no ability to recover it from the banks.

The banks have designed an insecure system. They *could* make it secure by enforcing very strong passwords. They additionally should be running all passwords through a database to check against lists of known dictionary words and known compromised passwords.

All of this could be done, but the banks aren't doing it. It's a bad system. There, I just told you for free what I normally get paid $400/hr to analyze.



AltaRed said:


> P.S. I use auto deposit to avoid the need for a password altogether, trusting my email addy is secure and not compromised.


That's not a great idea. Despite your best efforts to secure the account, email is generally insecure. Hackers use very sophisticated methods these days. I can't describe the details as I don't want to reveal the methods of the bad guys -- but strong passwords and two factor auth don't solve everything.

In my professional opinion, if you're doing a transfer of any significant amount (more than what you have in your pocket), you should set a strong password for the e-transfer. Something you don't reuse, and which is long, randomish letters and numbers.

The reason is that email itself is inherently insecure, so you need multiple layers of security.


----------
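The answer screening james4beach describes in the post above and in his earlier list of checks (dictionary match, reuse, letter/digit mix), sketched as an added example that is not part of the thread and not any bank's or Interac's code. The word list, key, 12-character minimum and all function names are constructed assumptions; `guess_success_probability` covers Eclectic12's point about a four-candidate question combined with several allowed attempts.

```python
import hashlib
import hmac
import re

# Constructed sample word list (assumption). A real deployment would load
# a large dictionary plus a corpus of known compromised passwords.
COMMON_WORDS = {
    "password", "martha", "john", "paul", "george", "ringo",
    "beatles", "elvis", "presley", "chardonnay",
}

# Hypothetical server-side key used only for the reuse fingerprints.
REUSE_KEY = b"constructed-demo-key"


def normalize(text):
    """Lower-case and drop everything except ASCII letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def fingerprint(answer):
    """Keyed digest, so past answers can be compared without storing them."""
    digest = hmac.new(REUSE_KEY, normalize(answer).encode(), hashlib.sha256)
    return digest.hexdigest()


def screen_answer(question, answer, past_fingerprints=frozenset(), min_length=12):
    """Return the names of the failed checks; an empty list means accepted."""
    failures = []
    norm = normalize(answer)

    # Short answers fall to guessing within the allowed attempts.
    if len(norm) < min_length:
        failures.append("too_short")
    # Dictionary / common-word match.
    if norm in COMMON_WORDS:
        failures.append("dictionary_word")
    # Require a mix of letters and digits.
    if not (re.search(r"[a-z]", norm) and re.search(r"[0-9]", norm)):
        failures.append("needs_letters_and_digits")
    # The question travels in the notification email, so it must not
    # contain the answer.
    if norm and norm in normalize(question):
        failures.append("answer_in_question")
    # Reuse from earlier transfers by the same sender.
    if fingerprint(answer) in past_fingerprints:
        failures.append("reused")
    return failures


def guess_success_probability(candidate_count, attempts):
    """Chance of a hit when guessing distinct, equally likely candidates."""
    if candidate_count <= 0 or attempts < 0:
        raise ValueError("candidate_count must be positive, attempts >= 0")
    return min(1.0, attempts / candidate_count)


if __name__ == "__main__":
    # Constructed inputs based on the questions quoted in the thread.
    print(screen_answer("Who is your favourite Beatle?", "Ringo"))
    print(screen_answer("What is your wife's name?", "Martha"))
    print(screen_answer("Agreed by phone", "k7Qm2xV9pLr4Tz8w"))
    print(guess_success_probability(4, 4))
```

Under the letter/digit rule, answers such as "ElvisPresleyTN" are also rejected even though they pass the length and dictionary checks.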



## nobleea (Oct 11, 2013)

Sign up for autodeposit and it's not an issue. Doesn't matter if they break in to your email account, it's completely bypassed with the autodeposit. Some banks even allow the use of mobile numbers as well as email accounts for identifiers, which is all they really are. The details are added inside the bank's security.

I've had hundreds of e-transfers sent and received. I can't think of one time that the password was sent through email.
Some banks use the same password for a recipient (you can't change it by default), which doesn't seem safe (a friend sent me some money 5 years after she had sent me a separate payment. Neither of us could remember what the password was).
I have used the tactic above of sending the e-transfer, but not releasing the password until product is picked up. People have used it with me, no issues.


----------



## AltaRed (Jun 8, 2009)

nobleea said:


> Sign up for autodeposit and it's not an issue. Doesn't matter if they break in to your email account, it's completely bypassed with the autodeposit.


That is the point James doesn't get. When someone sends me an e-transfer, they are surprised when they get a message that a transfer password is not required. They get that message before they even push the Send button. I've had the same experience sending money to select recipients as well. It is all part of the Interac system, rather than the banks themselves.


----------



## like_to_retire (Oct 9, 2016)

james4beach said:


> Emails are relatively easy to hack, in most cases.


Yeah, but the auto-deposit system doesn't send the transfer by e-mail. They use their internal banking transfer system that is very secure. The e-mail when using auto-deposit is only to notify the recipient that the funds were already transferred to them.

Note that sometimes the auto-deposit doesn't work and you are still asked for the password. This is because not all financial institutions have the ability to send funds to registered contacts / recipients who have the auto-deposit feature turned on. But the big 5 banks all have it.

ltr


----------



## agent99 (Sep 11, 2013)

I don't know how it worked, but I recently made an e-transfer that did not require a password. All I had to do is enter the recipient's email address. The bank recognized it as a registered user and the transfer went through. Very slick and quick.


----------



## james4beach (Nov 15, 2012)

Thanks everyone for pointing out autodeposit. I am not familiar with that mechanism, sounds interesting. Account numbers would be the ideal way to identify the recipient.

Curious, if not using account numbers, how is the recipient specified for the autodeposit method? For example if using a phone number, how is that matched up to the recipient?


----------



## nobleea (Oct 11, 2013)

james4beach said:


> Thanks everyone for pointing out autodeposit. I am not familiar with that mechanism, sounds interesting. Account numbers would be the ideal way to identify the recipient.
> 
> Curious, if not using account numbers, how is the recipient specified for the autodeposit method? For example if using a phone number, how is that matched up to the recipient?


You enter your preferred method in your banking system. James enters his mobile number 123-456-7890 (or email address).
I owe you $150. I go in to my bank and start an etransfer to my contact James, mobile number 123-456-7890 (or email address). Interac knows that mobile number is associated with say RBC, your bank. My bank gives it to Interac who gives it to RBC with the instructions. RBC then moves it to your bank account.
The system won't let you enter the same email address twice, so a scammer couldn't enter James' email address on the scammer's bank account if James has already set it up on his account. A scammer gaining access to James' email account will be able to do nothing, other than seeing a notification from Interac that James had $150 autodeposited.


----------



## bgc_fan (Apr 5, 2009)

To be clear, the auto-deposit only protects you when you are receiving the funds. It doesn't do anything for those sending the funds, which is the problem.


----------



## AltaRed (Jun 8, 2009)

bgc_fan said:


> To be clear, the auto-deposit only protects you when you are receiving the funds. It doesn't do anything for those sending the funds, which is the problem.


Why? The sender should know already if their own email account has been hacked, under someone else's control, and being used nefariously.


----------



## like_to_retire (Oct 9, 2016)

bgc_fan said:


> To be clear, the auto-deposit only protects you when you are receiving the funds. It doesn't do anything for those sending the funds, which is the problem.


I don't understand. 

If I send someone money, who has auto-deposit enabled, then the money is transferred internally through the bank-to-bank iron clad system. Not a chance of interception. 

Then an email is sent to the recipient telling them the money is already deposited.

How is the sender compromised?

ltr


----------



## nobleea (Oct 11, 2013)

If that's a problem, then the issue is the bank is compromised, not the email or email password.
If someone hacks my email account, it is impossible for them to etransfer money out of my bank account to some account/person of their choosing. Is that what is being suggested?


----------



## bgc_fan (Apr 5, 2009)

AltaRed said:


> Why? The sender should know already if their own email account has been hacked, under someone else's control, and being used nefariously.


If you recall, the whole point of the CBC article is the fact that the company email got hacked, i.e. the receiver. Having autodeposit on the sender side doesn't make a difference. So the sender is out of the $3000 that they sent because the receiver got hacked.


----------



## AltaRed (Jun 8, 2009)

Yes, but that has not been the discussion. The receiver should always have auto deposit on to avoid those exact issues.

Added: Unfortunately, the sender should likely insist that the receiver either have auto deposit on, or insist on a solid password.


----------



## bgc_fan (Apr 5, 2009)

AltaRed said:


> You missed the point that auto deposit does not go through the receiver's email addy. I, as receiver, only get an, after the fact, email that the money was deposited. I, nor anyone else, can stop that process so it matters not if my email is hacked.


You missed the point. My point is that because the receiver (in the story it is the contractor) doesn't use auto deposit, it doesn't matter whether or not the sender (the customer who is out of $3000) has auto deposit.

So if the sender has auto deposit, he would not be protected from this sort of scam.


----------



## AltaRed (Jun 8, 2009)

Our posts crossed. My edit to correct post #64 occurred after you quoted it. I agree with your response to my original text.

Added: FWIW, I have asked recipients why they don't have auto deposit on, and they say, well, we may want to direct it to a different bank account. Okay, fair enough. Have a different email address associated with auto deposit to that different account (email addresses are a dime a dozen these days). Problem solved. It is not rocket science but obviously the system has not been explained that well to users. The CBC story exposed 2 dumb things: 1) easy to guess password, and 2) obviously the recipient had a poor password for their email to be hacked. Sloppy.....sloppy......sloppy.


----------



## gardner (Feb 13, 2014)

AltaRed said:


> the sender should likely insist that the receiver either have auto deposit on, or insist on a solid password.


Yep. I have asked businesses I send money to to set up auto-deposit. For small amounts, the risk is not super big, but I paid a couple grand for a water heater and I am very glad they had auto-deposit set up.

When I have to come up with a password, I am generally flummoxed what to use that can't be misinterpreted but that is not obvious from the rest of the email chain. I think it is a good policy to insist that the recipient specify the question and password. That puts the entire onus for both email security and password security on the recipient.


----------



## bgc_fan (Apr 5, 2009)

Just to throw something else as a consideration, and why I'm always a bit leery of using e-transfers is that I'm pretty susceptible to typos. 
I could see a scammer duplicating a business' e-mail address, but change something slightly and hope that someone falls for it. For example, using *.com instead of *.ca, or TheCompany.com vs The_Company.com.
Little things like that and you wouldn't pick up on if you aren't paying attention.


----------
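The near-miss addresses described in the post above (`.com` for `.ca`, `TheCompany` vs `The_Company`, a single typo) can be caught on the sender's side before the transfer is sent. This is an added example, not part of the thread and not anything a bank or Interac is known to run; the contact list and addresses are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample address book; not real addresses.
KNOWN_CONTACTS = ["billing@thecompany.ca", "bob@xyzrenovations.ca"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_address(addr: str) -> Tuple[str, str, str]:
    """Return (local part, domain name, TLD), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    name, _, tld = domain.rpartition(".")
    return local, name, tld

def squash(s: str) -> str:
    """Drop separators so 'the_company' and 'thecompany' compare equal."""
    return re.sub(r"[._-]", "", s)

def check_recipient(typed: str, contacts: List[str],
                    max_typos: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a typed recipient address against addresses already used.

    Returns ('known', contact) for an exact match, ('lookalike', contact)
    when the address is suspiciously close to a known one, else ('new', None).
    """
    typed_norm = typed.strip().lower()
    normalized = [(c, c.strip().lower()) for c in contacts]
    # Exact matches win first, so a real contact is never flagged
    # just because it resembles another entry in the address book.
    for contact, norm in normalized:
        if typed_norm == norm:
            return "known", contact
    t_local, t_name, _ = split_address(typed_norm)
    for contact, norm in normalized:
        c_local, c_name, _ = split_address(norm)
        # Same mailbox and company name once separators are ignored:
        # only the TLD or the punctuation differs (.com/.ca, The_Company).
        if squash(t_local) == squash(c_local) and squash(t_name) == squash(c_name):
            return "lookalike", contact
        # A small number of character edits: a typo or a deliberate near-copy.
        if edit_distance(typed_norm, norm) <= max_typos:
            return "lookalike", contact
    return "new", None
```

A `lookalike` verdict is a prompt to stop and confirm the address with the recipient over another channel; a `new` verdict only means the address resembles nothing already in the list.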



## AltaRed (Jun 8, 2009)

One can always find reasons to not do something.


----------



## bgc_fan (Apr 5, 2009)

AltaRed said:


> One can always find reasons to not do something.


Of course, but I am just pointing out some considerations. There was a recent Planet Money episode when they talked about Venmo which is pretty much analogous to e-transfer. The guest had paid her landlord using Venmo, but misspelled the email address and the payment went to the wrong person.


----------



## AltaRed (Jun 8, 2009)

bgc_fan said:


> Of course, but I am just pointing out some considerations. There was a recent Planet Money episode when they talked about Venmo which is pretty much analogous to e-transfer. The guest had paid her landlord using Venmo, but misspelled the email address and the payment went to the wrong person.


Sure, I agree anything is possible.


----------



## kcowan (Jul 1, 2010)

bgc_fan said:


> I could see a scammer duplicating a business' e-mail address, but change something slightly and hope that someone falls for it. For example, using *.com instead of *.ca, or TheCompany.com vs The_Company.com.
> Little things like that and you wouldn't pick up on if you aren't paying attention.


I think you are missing the point. Recipients are already in email communication with the sender and likely in the sender's email address book (through auto-collect). If it is a new recipient, I always ask them to send me an email prior to any transfer to ensure it is already collected. I also instruct them to set up auto-deposit prior to the etransfer.


----------



## like_to_retire (Oct 9, 2016)

I suppose one small drawback to auto-deposit might come if you are purchasing or selling items on Kijiji.

A very common method is to do an e-transfer to the seller before you arrive to pick up your item(s).

Then when you arrive and have the merchandise in hand you give the seller the password and they then complete the transaction. No one gets ripped off.

The reason to initiate the e-transfer before arriving is because it takes up to 30 minutes for a transfer. Standing around at someone's home waiting would be a bit annoying?

If the seller had auto-deposit, you'd be giving them money before you had the items.

ltr


----------



## nobleea (Oct 11, 2013)

kcowan said:


> I think you are missing the point. Recipients are already in email communication with the sender and likely in the sender's email address book (through auto-collect). If it is a new recipient, I always ask them to send me an email prior to any transfer to ensure it is already collected. I also instruct them to set up auto-deposit prior to the etransfer.


I've done a lot of emailing since it first came to be. I've certainly made typos. But I can't think of one instance where the typo led to an actual email address of someone else. It was always a bounceback. And if magically it was a real email address, the risk is that they are in Canada and have autodeposit set up with that particular account (I have 6 email accounts, only one set up as auto-deposit). Changing .ca for .com on a big company isn't going to snare anyone as no one sends an interac e transfer to Apple or Air Canada. So then the scammer is going to have to try and replicate the email addresses of small businesses (bob's lawncare, XYZ Renovations). Some banks will allow multiple email addresses for autodeposit, but you'd have to have thousands of them to get the chance of snaring a few incorrectly typed email addresses for small businesses. Logic says it's just not a risk.

It's really basic:

When sending money, make sure the recipient has autodeposit and triple check the email address.
If they don't have autodeposit, then create a random password and call them or text them with the details.

Sign up for autodeposit yourself.

Get a second email account if you want the ability to withhold the password, or give others the opportunity to do so. I have 6 email addresses. Only one is registered with autodeposit.


----------



## AltaRed (Jun 8, 2009)

like_to_retire said:


> I suppose one small drawback to auto-deposit might come if you are purchasing or selling items on Kijiji.
> 
> A very common method is to do an e-transfer to the seller before you arrive to pick up your item(s).
> 
> ...


I can see where that is a way to be ripped off, but for the record, I have never seen any delay in auto deposit. I had an item listed on a local buy/sell 2 months ago, the woman showed up, and she did an e-transfer to me on the spot. (auto deposit on my part). I got the confirming email the money was deposited literally within seconds of her pushing Send. I don't do Kijiji type transactions except on location.


----------



## like_to_retire (Oct 9, 2016)

AltaRed said:


> I can see where that is a way to be ripped off, but for the record, I have never seen any delay in auto deposit. I had an item listed on a local buy/sell 2 months ago, the woman showed up, and she did an e-transfer to me on the spot. (auto deposit on my part). I got the confirming email the money was deposited literally within seconds of her pushing Send. I don't do Kijiji type transactions except on location.


So maybe this is another reason to use auto-deposit. I use my secondary yahoo email address if I sell something on Kijiji and it doesn't have auto-deposit enabled. Perhaps auto-deposit is instant, since it uses the bank's internal system for transferring the funds, where non auto-deposit uses the email system which can be slow.

I know if you look online and ask "how long does an interac e-transfer take", it will say up to 30 minutes. I know when I sold something recently and I was talking to the buyer on the phone, he said he just sent the transfer and he would be at my home in about an hour with the password. I checked several times and it took 20 minutes to get the email. Once he came by and gave me the password it was instantaneous to get the funds. So perhaps that's how fast it is with auto-deposit.

ltr


----------



## Userkare (Nov 17, 2014)

Talking about interac transfer passwords... I just got an invoice from a local company that did some work for me. The invoice actually specifies the password to use for the e-transfer. It most definitely is very easy to guess, and also anyone who has ever received an invoice from this company would know it.

I mentioned to them about the story of the hacked e-transfer email. They hadn't heard about it, so I hope they will change this for future invoices and not depend on the old "security through obscurity" system.


----------



## AltaRed (Jun 8, 2009)

I sent a link to that article to a service I use monthly...that has an easy password as well. They acknowledged it and said because their domain email system also contains other sensitive matters, they have an extra long and complicated email password to deter hackers. 

Ultimately a recipient just needs to have 1 of the two things highly robust, i.e. either the Interac password, or their email password. Better to have both, but one ought to be sufficient. I am satisfied the service I mentioned has it under control. Worst case, we are talking low 3 digit sums anyway.


----------



## like_to_retire (Oct 9, 2016)

Userkare said:


> Talking about interac transfer passwords... I just got an invoice from a local company that did some work for me. The invoice actually specifies the password to use for the e-transfer. It most definitely is very easy to guess, and also anyone who has ever received an invoice from this company would know it.
> 
> I mentioned to them about the story of the hacked e-transfer email. They hadn't heard about it, so I hope they will change this for future invoices and not depend on the old "security through obscurity" system.


Yeah, this happened to me recently too.

I had a bunch of work done by a company around my yard and they sent the invoice with the password that was my address. i.e. 123MainAve

It seemed so obvious, and especially given the fact that the company likely uses the same method with every customer.

I was a bit squeamish, but I sent the e-transfer and all was good, but I don't see why these companies don't just use an auto-deposit. 

In fact, if auto-deposit is so darn fast and secure, why don't they abandon the password system? It seems open to exploitation.

ltr


----------
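The weak answers described in the posts above (a password printed on the invoice, a password equal to the customer's street address) and the earlier question of picking one that can't be misread but isn't obvious from the email chain can both be checked mechanically. This is an added example, not part of the thread; the invoice text is constructed, and the 12- and 16-character lengths are assumptions, so check what your bank accepts.

```python
import re
import secrets
from typing import List

# No look-alike characters (0/o, 1/l/i), so the answer survives being
# read out over the phone or retyped from a text message.
UNAMBIGUOUS = "abcdefghjkmnpqrstuvwxyz23456789"

# Constructed sample: the kind of text an attacker reading the mailbox sees.
SAMPLE_THREAD = ("Invoice #1042 for yard work at 123 Main Ave. "
                 "Please e-transfer the balance to billing@example.com")

def normalize(text: str) -> str:
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest substring common to a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else 0)
            best = max(best, cur[j])
        prev = cur
    return best

def vet_answer(answer: str, thread: str, min_length: int = 12) -> List[str]:
    """Return the reasons an answer is weak; an empty list means none found."""
    problems = []
    norm = normalize(answer)
    if len(norm) < min_length:
        problems.append("too short")
    # If half or more of the answer appears verbatim in the invoice or
    # email thread, anyone who can read that thread can reconstruct it.
    if norm and 2 * longest_shared_run(norm, normalize(thread)) >= len(norm):
        problems.append("derivable from the message thread")
    return problems

def generate_answer(thread: str, length: int = 16) -> str:
    """Random answer from the unambiguous alphabet that passes vet_answer."""
    while True:
        candidate = "".join(secrets.choice(UNAMBIGUOUS) for _ in range(length))
        if not vet_answer(candidate, thread, min_length=length):
            return candidate
```

The generated answer still has to reach the recipient by phone or text, as suggested earlier in the thread, not in the same mailbox as the transfer notice.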



## james4beach (Nov 15, 2012)

Userkare said:


> Talking about interac transfer passwords... I just got an invoice from a local company that did some work for me. The invoice actually specifies the password to use for the e-transfer. It most definitely is very easy to guess, and also anyone who has ever received an invoice from this company would know it.
> 
> I mentioned to them about the story of the hacked e-transfer email. They hadn't heard about it, so I hope they will change this for future invoices and not depend on the old "security through obscurity" system.


Right. They probably re-use the password, and all it's going to take is one crooked ex-employee (who might sit on the info for a while) to steal money.

This is what I mean when I wrote earlier that the system is badly designed, because it has so many weak points. Robust systems are designed knowing that humans will tend to make some mistakes or be lazy, and should be invulnerable to _expected_ mistakes -- like this one the company is doing.

Great example. This kind of human behaviour is predictable and should be expected from the outset.

What makes the interac e-transfers weak is that it hasn't been designed robustly. Humans will choose bad passwords, re-use passwords, etc, and yet the system does not prevent this. Email is also quite insecure, easy to hack and intercept, and yet so much of the system rests on email security.

It's a bad system. Again I see no problem sending small payments (what you have in your pocket) but I would never send a large amount using these.


----------



## AltaRed (Jun 8, 2009)

Easily solved with auto deposit which doesn't use the email system at all (uses Interac only). Some of the recipients I send e-transfers to use auto deposit. Those that do not should. 

James, you seem to forget the 'system' doesn't control any passwords at all and shouldn't. It is between the sender and recipient. Please get that fact straight and quit blaming the system. Also, please recognize auto deposit as being robust.


----------

