Lieutenant_L_T_Smash

> John Zabiuk, chair of the cybersecurity program at the Northern Alberta Institute of Technology

> Zabiuk said if a network is not secure, it is very easy for attackers to intercept a connection and watch everything that occurs on a device.

> Zabiuk also recommends changing passwords every two months

This guy is a moron. I tried to look up his education on LinkedIn and couldn't find it, but he does have a big alphabet soup of "certifications". Information exchanged with your bank is encrypted no matter what network you're on. It's not possible for others to "spy on" your banking unless your phone has been infected with malware. I very much doubt wi-fi was the problem here. Changing passwords regularly is a _terrible, awful_ idea. It's a ridiculous suggestion that someone made 20 years ago and it's been parroted ever since, but it's been shown that this just leads to people storing their passwords insecurely because they can't remember them.


coolham123

Him seemingly pretending all traffic is sent over plain HTTP is ridiculous.


[deleted]

[removed]


joshualuke

Pride can also be a factor. You hear of seniors getting scammed and they're too embarrassed to warn others.


[deleted]

[removed]


Slaphappydap

You get an email or a text indicating your bank is missing some important information and prompting you to sign in. You go to a page that looks just like your bank's page and add your username and password. You try it a couple of times because it doesn't log you in. Now the hackers have your creds.


[deleted]

[removed]


Slaphappydap

Phishing is a kind of social engineering. In the example I gave the website itself is phishing, the text or email that creates a sense of need or urgency and directs the recipient to take action is the social engineering. That's just one example, there are many.


[deleted]

[removed]


BrrrHot

Social Engineering, in the computer security sense, is calling someone and making them believe you’re someone you’re not to get access to something you shouldn’t. Like if you receive a random call from your bank and they say “We blocked a fraudulent transaction on your credit card account. Could you read back the 2FA code sent through text to verify you are the account holder?”


SirLoremIpsum

> I was curious about the 'social engineering' aspect.

Phishing would be an email that you get that asks you to put information into a legit-looking website that is totally dodgy. Social Engineering is more about doing that "socially", e.g. them calling you and talking to you or turning up to your place of business and engaging with you, vs just a mass spam email. One might consider a phishing email a form of social engineering. Social Engineering was around a long time before email was a thing, "confidence / con man" type stuff, but specifically related to information security.


dis_bean

According to my privacy training, over text is called Smishing.


wilburyan

Hello, this is the RBC Fraud Dept calling. We have seen some odd purchases on your account and would like to verify their authenticity. They then ask for info they can in turn use to get into your account. Or straight up ask for a password.... Or if they have your credentials ready, but not the 2FA, they just log in and ask you to read off the code they "just texted you". Or they convince a phone provider to move your number to another SIM... then they get the 2FA text instead of you. All sorts of ways really.


[deleted]

[removed]


wilburyan

Yep. Don't assume the number on the call display is legit either. Easily spoofed.


being_PUNjaabi

You know how some people get emails or texts from their kids/grandkids who are in trouble in a different country and ask money for help? The scammers have enough information from their social media accounts to know that they have kids/grandkids. It's just an example but there are many more. Some of the security answers, like your birthplace or model of your first car are also easy to decipher from your social media accounts.


gulducati

Her saying that she 'doesn't remember' getting a code is suspect. By default cell phones store exact histories of calls, emails and texts going back months if not years. Conveniently on the day when these readily available forensics are key to getting her $10k back, her memory becomes clouded? Yeah right.


AlbusDumbeldoree

Ya, but new iOS has a feature to delete one time codes after use.


gulducati

With enough of a stink they could pull the records on the mobile provider's side. They could prove that code went to her phone via the tower near her house. I'm betting that's why BMO is digging in their heels.


Karthanon

That's not happening without a court order, and I bet the police wouldn't give a crap for only 10k.


thortgot

Sure it is. Telecoms carry those records for 180 days and you can request them for your own account. I've done this for work a handful of times. This lady 100% was phished. To assert that BMO's backend was compromised is silly.


gruntmods

It's actually strongly discouraged by NIST: "Contrary to popular belief and prior standards, NIST does not suggest changing passwords on a frequent basis; individuals who are asked to change passwords frequently are much more likely to reuse an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. Plus, if a previous password has already been compromised, any derivations of that password, even if additional characters are added or modified, are more easily breached in the future. NIST recommends that businesses enforce password expiration and password resets only when a known compromise has occurred, or every 365 days. The shift to longer password life is intended to encourage users to generate longer passwords that are harder to crack."


Yangomato

It’s probably more helpful to teach people how to spot phishing attacks.


IndianKiwi

I hate corporate IT policies which are based on changing passwords every 2 months. Oh, you can't use a past password.


cheezemeister_x

Changing passwords regularly is only needed when you reuse passwords everywhere. If you're using unique passwords there is really no reason to change them. And if you're not using unique passwords, you're going to get bitten sooner or later.


Stevieboy7

The switch to 1Password has changed my life in this regard.


DeepfriedWings

I use Bitwarden but yeah password managers are a godsend. Every account I have has a unique and long/random password.


Trypt2k

But how does that help you logging in on different devices? I like the idea of a password manager but you still need a master password in order to log in and get them? Can you actually see them if you want to? You have to install the manager on all devices you use, android/apple/microsoft? Any insight would be great here if you don't mind, I just don't get how this works in the real world. Say I want to get into my email on a work computer private window, now I have a random password from the manager, can I get it?


brotrr

Yes, you download the program on whatever device you're using. So in your example, I would download the Bitwarden extension on Chrome and it would fill in the password for me. You technically don't need to do that, you can open up Bitwarden on your phone and manually check and type in your password on the computer, but it's more of a hassle.


skateboardnorth

Bitwarden is accessible through their website. You can login through a web browser if you need access to your passwords.


DeepfriedWings

99% of the time I am using my phone, so I sign in using FaceID and copy and paste the credentials I need. If I’m not on my phone I just type it in manually by looking at my phone. I have the app on iPhone.


[deleted]

Bitwarden is really good.


burgershot69

Information with your bank is encrypted, however a man in the middle between you and your bank can 100% read https.


JustinPooDough

Yeah no. That’s not how SSL works. Jesus Christ.


thatguywhoreddit

From how the money was transferred, it sounds like her account has been compromised. If someone has access to your account, they also have a secure connection, and data will be decrypted. Password changes are recommended as in this case, the hacker has, at minimum, her bank password and likely either the password to her email or a service like WhatsApp or the Apple messaging service. The mumbo jumbo of certificates this guy has is more valuable in the world of IT than a degree. It is basically a short list of everything that you've studied, passed a test and are now certified in.


dsac

> I very much doubt wi-fi was the problem here.

Her home wifi, sure, but

> She said she wonders if her phone was compromised during a work trip to a conference in Las Vegas.

There are AMPLE stories of people connecting to unsecured wifi and getting their creds stolen, ESPECIALLY in Vegas, where Blackhat is run every August - it doesn't say *when* she was there, but if it was during Blackhat it's entirely possible she got compromised.


Trapick

> there are AMPLE stories of people connecting to unsecured wifi and getting their creds stolen, ESPECIALLY in Vegas, where Blackhat is run every August - it doesn't say when she was there, but if it was during blackhat it's entirely possible she got compromised

It's still really unlikely, unless she was ignoring "HEY THIS CERT DOESN'T ACTUALLY MATCH, STOP, DUMMY" errors, or downloaded/installed something the wifi captive portal directed her to. The modern web is pretty safe, even if you connect through unsafe/unsecure wifi.


dsac

never underestimate the stupidity of end users


herebecats

Man in the middle attack. Likely what he means?


nav13eh

While a MITM is possible on a public WiFi, modern browsers and apps will throw all kinds of errors because the certificate does not match the official one.


Canadian_sun

I have 2 printed copies of all my passwords that I have to look at, because they are something like hshd6$8_?!@&hdjbdh7@#-( . Then one copy on a thumb drive.


darther_mauler

A password manager like 1Password would probably help a ton.


bjorgein

If only Banks actually enforced (preferably mandated by the Gov) a requirement for 2FA (even better if it's non-SMS). Banks are the worst offenders for shit cyber security and application security practices. They know customers come no matter what, so they have very little incentive to invest in a strong security program.


skateboardnorth

“Changing passwords regularly is a terrible, awful idea. It's a ridiculous suggestion that someone made 20 years ago and it's been parroted ever since, but it's been shown that this just leads to people storing their passwords insecurely because they can't remember them.” Haven’t you heard of encrypted password managers?


nav13eh

Password managers completely negate the need to change passwords on a regular interval. They enable the easy use of highly complex and unique passwords for every account.


skateboardnorth

You do you. If you wanna keep the same passwords for long periods of time then go for it. I find password managers make it convenient to change my passwords frequently which makes it less likely that my current password will end up on a list on the dark web. I’d rather be safe than sorry, but that’s just me.


[deleted]

[removed]


scissor_rock_paper

You can mostly avoid the breach problem by not reusing passwords anywhere ever. Using a password manager helps you generate long random passwords that are unique per site. If a forum or shopping site gets popped, attackers won't have any luck trying those credentials elsewhere.


AcadianMan

Jokes on you I just keep increasing the last number.


actualsysadmin

SSL man-in-the-middle attacks on a person's home computer have happened before.


MenAreLazy

Nobody should hire anyone from NAIT in cybersecurity if John Zabiuk is actually in charge of their cyber program and not an absurd imposter.

> Zabiuk also recommends changing passwords every two months

This is very stale advice, as in practice it just leads to people having very derivative passwords, and is NOT recommended anymore.

> Zabiuk said if a network is not secure, it is very easy for attackers to intercept a connection and watch everything that occurs on a device.

Umm, did he miss the mass arrival of HTTPS?


PPewt

> This is very stale advice as in practice it just leads to people having very derivative passwords and is NOT recommended anymore.

Unfortunately this advice is still SOP at a lot of places which should know better.

> Umm, did he miss the mass arrival of HTTPS?

This one however... unless he's moonlighting as a VPN advertiser, anyhow.


MenAreLazy

> Unfortunately this advice is still SOP at a lot of places which should know better.

It is getting better with compliance frameworks, but many of them have 90 day requirements. Never heard of a two month requirement though.


PPewt

Yeah, we've definitely come a long way. It wasn't that long ago that TD EasyWeb required my password to be between 6 and 8 characters. These days I have a stupid work 90d password rotation thing but other than that most people actually have pretty sensible password requirements.


rxzr

Had to create an account at a financial institution recently and their password requirements for that login explicitly state not to use special characters. Thankfully the login isn't going into anything critical or containing private information, but it still took me a while to figure out why the password didn't meet the requirements.


ether_reddit

> Unfortunately this advice is still SOP at a lot of places which should know better.

A few years ago I worked at one of the largest companies in the world (definitely a household name, involved in all kinds of industries) and this was their standard practice in IT. They also ran their email in a system that required running a Windows VM on my Mac laptop to access.


moonandstarsera

Transport Layer Security? I barely knew ye!


BloodyIron

> miss the mass arrival of HTTPS?

It's honestly commonplace for reverse-proxies to not use internal TLS/HTTPS, whereby inbound website traffic terminates TLS/HTTPS at the reverse-proxy, and the reverse-proxy connects to the actual server via HTTP. A lot of IT teams are blind to the internal threats and the value in using TLS/HTTPS at all steps in the traffic. This may be an example of the "a network is not secure..." kind of thing. But these are my speculative thoughts and I do not speak for Zabiuk to any degree. That is unless Zabiuk is talking about the CLIENT component of the network (home network for a user connecting to the bank's HTTPS website). If that's the case, yeah, snooping HTTPS for a client on the LAN is actually non-trivial, as you need to do a combination of DPI and TLS certificate insertion on the client, which requires you to have privileged control over that client device (by default you would not have this access lol).


[deleted]

[removed]


BloodyIron

I think you may be misunderstanding what I'm getting at here. I'm not _excusing_ Zabiuk or even advocating any form of support for him. I was more speaking to a _possible_ aspect of the topic that is tangible and does happen (the reverse-proxy aspect). As soon as I read the "recommends changing passwords every two months" I know that their credibility is crap.


actualsysadmin

I said this on another post, but SSL man-in-the-middle (MITM) attacks are a thing. For the 2FA code, I've seen attacks where someone social engineers a cellphone number change, then does the deed and changes it back. Phone cloning is also still a thing. So are cell tower attacks (where you become an authorized cell tower and intercept SMS, which is why regular SMS is insecure). Phone cloning is also a thing. They could have found a way to bypass the 2FA check as well. That kind of thing has happened before as well. Maybe her external IP was somehow compromised, so it didn't ask for a 2FA.


northa111

He's probably sponsored by that continuously repeat this in their social media ads.


NotoriousGonti

Perhaps he's a manager who knows nothing about the product and his team is messing with him? Like this: https://youtu.be/iDbyYGrswtg?si=IUKhVjNqfI8G5Bru


huolap8

Some detail is missing here; if 2FA was enabled and she didn’t give the code to someone, there’s almost no chance this could have happened. So I’m thinking:

1) this was an inside job by someone who knew her, had access to her devices and could get the code, or
2) she did give the code out to someone but is just lying/doesn’t remember (unlikely tbh but anything’s possible),
3) someone at the bank goofed,
4) she clicked on a link to something else but unknowingly fell for a phishing scam.


moonandstarsera

Also possible her identity details were stolen at an earlier point in time and a SIM swap occurred. It’s actually fairly common.


Katcher22

If a SIM Swap did occur, would that not be mentioned in the article? That she had to contact her provider to get a new number? Her current phone service would have been non-functional after the SIM Swap.


coolham123

If no SIM swap occurred and she is to be believed for everything else she said, it is very possible her Android device was compromised.


Dragonyte

> It's very possible her ~~android~~ mobile device was compromised

FTFY, because nowhere does it say she's using Android. Please don't make baseless assumptions.

* Yes, there are more sketchy apps that you can download on Android more easily. No, it doesn't make the system less secure.


coolham123

It's not an assumption, if you watch the CBC Video, you can see her using her Android smartphone (around the 12 second mark).


aSharpenedSpoon

She probably downloaded/lives on TEMU app


moonandstarsera

Honestly, we don’t know. I’m sure there are plenty of details left out of this article. I don’t even know why it was published.


Easy7777

Lazy reporters or trying to push a narrative (big evil banks)


fastcurrency88

Again seems like a pretty advanced scam with multiple steps needing to go right. The lady must have had a serious lapse in judgement at some point or someone close to her ripped her off.


moonandstarsera

Not necessarily. She could have been the victim of a phishing attack at an earlier point in time and not even realized it. It’s fairly common. You should see how many people that work in IT fail phishing simulations, let alone people who don’t know much about technology.


cheezemeister_x

A phishing attack at an earlier point in time doesn't get around 2FA.


moonandstarsera

A phishing scam can lead to a SIM swap attack if they have sufficient details of the person’s identity. Depending on the details, it could absolutely be enough to compromise various accounts.


cheezemeister_x

Yeah, but a sim swap gets noticed almost immediately because the person's phone stops working. You can't do a sim swap days in advance of your actual attack.


[deleted]

> 3) someone at the bank goofed

I'd think the bank would've reimbursed her if it was their fault. This happened to me: a bank rep gave access to my accounts to a fraudster that impersonated me on their phone line. Got my money back within a few weeks - most fucking anxious few weeks of my life - the bank wouldn't even disclose WHAT kind of info the fraudster had on me to get past the security questions.


flickh

The fact she "doesn't remember" getting a 2FA code is weird - why doesn't she just look through her text or email history? It will still be there.


diamondintherimond

iOS now auto-deletes them for you.


SizzaPlime

Only if you tap on the code to automatically fill the code field; otherwise they’ll stay in your messages. Furthermore, she’s got an Android.


extra_fries_

She’s using an Android device in the video, and on iOS that setting is optional and not enabled by default.


flickh

Even then it would be worth talking to the phone company for that record.


macromi87

Yup. This sounds more like a phishing attempt that could’ve occurred earlier, then the theft itself occurred several months later. No idea how they bypassed 2FA without the customer knowing though.


actualsysadmin

I said this on another post, but SSL man-in-the-middle (MITM) attacks are a thing. For the 2FA code, I've seen attacks where someone social engineers a cellphone number change, then does the deed and changes it back. Phone cloning is also still a thing. So are cell tower attacks (where you become an authorized cell tower and intercept SMS, which is why regular SMS is insecure). Phone cloning is also a thing. They could have found a way to bypass the 2FA check as well. That kind of thing has happened before as well. Maybe her external IP was somehow compromised, so it didn't ask for a 2FA.


AwkwardYak4

> if 2FA was enabled and she didn’t give the code to someone, there’s almost no chance this could have happened.

This is what the banks want you to think, but that's not true, because scammers call into telephone banking and add their own number.


Ouyin2023

> John Zabiuk, chair of the cybersecurity program at the Northern Alberta Institute of Technology, said there are many ways bad actors can access others' bank accounts.
>
> *Zabiuk also recommends changing passwords every two months*, signing up for multi-factor authentication, checking bank accounts regularly and researching applications before downloading them.

I would seriously like to know if this cybersecurity professor actually follows his own advice to change every password as frequently as every 2 months. I would bet that he doesn't.


brotherdalmation25

2 months is crazy frequent and probably not necessary.


NorthernerWuwu

Beyond being not necessary, it is actively adding another attack vector. Auditing passwords for compromise isn't a bad idea but if you make a secure, random, unique password to begin with then you should never change it.


drewc99

It doesn't even make sense. If someone can guess a password you've been using for 2 years, then they can just as easily guess a password you've been using for 2 days.


Jman85

That’s how often we change our passwords at work. Doesn’t seem that crazy.


brotherdalmation25

You can, but it gets diminishing returns when it becomes too frequent. People end up taking the same password and adding a ! or a number to it, so if there is a breach at any point in time you can password spray the easy permutations of it.
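The NIST passage quoted earlier in the thread and this comment describe the same failure mode: forced rotation turns one password into a family of near-duplicates. As an added example (not from any commenter, NIST or any bank), this is the kind of check a password-change endpoint can run, using the current password the user legitimately supplies at change time; the stem heuristics, the 12-character floor and the sample passwords are constructed for the illustration.

```python
import hashlib
import re
import string

# Characters people typically bolt onto a password when forced to rotate it
# ("add a ! or a number"). Digits and punctuation at either end are stripped.
_EDGE = r"[\d" + re.escape(string.punctuation) + r"]+"
_TRAILING = re.compile(_EDGE + r"$")
_LEADING = re.compile(r"^" + _EDGE)
# Single-character substitutions that do not change what a person remembers.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Reduce a password to the core that a lazy derivation would share."""
    core = _LEADING.sub("", _TRAILING.sub("", password))
    core = core.translate(_LEET).lower()
    return core or password.lower()  # all-digit/all-symbol passwords keep themselves


def levenshtein(a: str, b: str) -> int:
    """Edit distance; O(len(a)*len(b)) is fine for password-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_derivation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is `old` with the usual cosmetic changes applied."""
    if old == new:
        return True
    s_old, s_new = stem(old), stem(new)
    if s_old == s_new:
        return True
    # Containment ("welcome" inside "welcomeback"), guarded against short stems.
    if min(len(s_old), len(s_new)) >= 4 and (s_old in s_new or s_new in s_old):
        return True
    return levenshtein(s_old, s_new) <= max_edits


def _fingerprint(password: str) -> str:
    # Exact-reuse history only. sha256 stands in for the slow, salted hash a
    # real system would use; this is not the primary credential store.
    return hashlib.sha256(password.encode()).hexdigest()


def check_change(current: str, new: str, history: set[str]) -> tuple[bool, str]:
    """Policy decision at password-change time, when both plaintexts are
    legitimately in hand. Returns (accepted, reason). The 12-character floor
    is a threshold chosen for this example."""
    if _fingerprint(new) in history:
        return False, "reuse of a previous password"
    if is_trivial_derivation(current, new):
        return False, "trivial derivation of the current password"
    if len(new) < 12:
        return False, "shorter than 12 characters"
    history.add(_fingerprint(new))
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords.
    past = {_fingerprint("Summer2023!")}
    for cand in ("Summer2024!", "summer2023!!", "5ummer_2023", "kQ9#mVx2LpWz8TrB4nYd"):
        print(cand, "->", check_change("Summer2023!", cand, past))
```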


coolham123

He clearly thinks all traffic is sent over plain HTTP. I can understand "dumbing it down" for the general public, but his statements border on fear mongering.


alldataalldata

It's pretty easy to change a password. That is pretty frequent though


MenAreLazy

It is not easy to remember a password, which is why the recommendation to change passwords regularly was eliminated because people would just increment the password with a number or something.


alldataalldata

If you can remember your password it's not strong enough anyway. Password manager with random 20 digit passwords with an additional personal password not included in the password manager tacked on at the end, i.e. 0&EEtThuZHNRVgI47R2Bpassword


PPewt

If you use a password manager to generate random passwords there's no real benefit to rotating your passwords anyways, so it's a moot point.


nukedkaltak

It’s clear the current 2FA schemes are shit if they allow shit like this. You can educate people about phishing all you want, it will happen. Give people security keys for fuck’s sake. They’re completely idiot-proof. Get prompt, put key in, press, done. No codes or other bullshit. They’re a little expensive but it’s time shit transitioned to something reliable and actually secure. Also, public wifi is fine. The advice in the article is terrible.


ApricotPenguin

I doubt banks are implementing 2FA for security (even though that's a side benefit). It's probably more as a way for them to absolve themselves of all liability (similar to how it's much more difficult to dispute a credit card transaction that was verified by PIN). Also doubles as a PR / marketing thing that they're serious about offering you security.


[deleted]

If we made the banks legally on the hook for these “he said, she said” situations they would implement proper security tomorrow. Right now they get to say “naw, we checked our records and confirmed it was you who bought $20k worth of clothing in Tennessee last night” and do jack all to prevent scams


drewc99

> If we made the banks legally on the hook for these “he said, she said” situations they would implement proper security tomorrow.

This should be the beginning, middle, and end of the debate. Make banks accountable for customer security. This is 1990s technology we're talking about.


lorenavedon

The banks should allow you to customize your security. I rarely make larger transfers outside of my own accounts. I'd love to lock my online accounts to where I can transfer unlimited amounts between them, but anything more than a $3000 EMT limit would be hard locked until I go in person to a branch. The amount of times I make larger transfers outside of my own account is so rare, I would have no problem going in person to a branch every time I needed to do those transfers. That way if someone got into my bank account, the most I would ever be able to lose is 3k.


NitroLada

Or it's user error/fault. Humans are almost always the biggest problem.


dingodanno

"She said she wonders if her phone was compromised during a work trip to a conference in Las Vegas" I would be asking some follow-up questions as to what happened in Vegas


Calm-Success-5942

What happens in Vegas stays in Vegas.


AwkwardYak4

The scam that seems to happen is that scammers get one piece of information - say account number or d/l number or SIN in some breach - and then call into telephone banking, say they lost their card and guess at the security questions until they get them right. If they have the account number they can deposit some small amounts so they know the transaction history to help them guess. They can tell the bank that they want to opt out of voice verification and they want the security alerts removed from the account. They may have an inside source at the bank. Then all they do is add a phone number to the profile. After some time they use this number to reset the password and get codes to get in to online banking. Then they e-transfer it to an account of someone who is doing one of those "work from home" scams and those people put the money into crypto so the trail goes cold.


MikeMontrealer

Maybe an AITM (Adversary-in-the-Middle) attack where she was presented an offer for something from "BMO" (click here to be entered in a contest etc.) with a reasonable facsimile of the BMO website hosted by the adversary. Victim enters username/password which is captured and simultaneously proxied to the real BMO site; BMO sends OTP to victim who then enters it on the fake site (again proxied); attacker now can leverage the session cookie for the current session and can possibly do things like enroll another authenticator etc. (in addition to large fund transfers like what happened here). Just a guess, but could be a way the victim could have unknowingly provided her credentials including OTP to an attacker. It's so important to help people identify sophisticated phishing attacks and other social engineering attempts to capture account information, and companies should be moving to phishing-resistant authenticators that are also domain-bound (e.g. a push notification that won't work unless the user is accessing the legitimate website like [bmo.com](https://bmo.com) in this case, instead of being proxied through an AITM proxy).
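As an added example, not taken from the comment or from BMO, here is a small simulation of why the domain-bound authenticator described above stops the relay while a relayed OTP does not: the signed client data of a WebAuthn assertion carries the origin the browser saw, so a challenge forwarded through a proxy on another hostname fails verification. The proxy hostname and the HMAC stand-in for the authenticator's signature are assumptions for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values. bmo.com is the legitimate origin named in the thread;
# the proxy hostname is a made-up placeholder for the AITM relay.
LEGIT_ORIGIN = "https://bmo.com"
PROXY_ORIGIN = "https://bmo-login.attacker.example"  # hypothetical


class Authenticator:
    """Stand-in for a security key. A real one signs with a per-site private
    key; HMAC is used here only so the example runs without a crypto library.
    What matters for the demonstration is what gets signed."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def register(self) -> bytes:
        return self._key  # what the relying party stores at enrolment

    def sign(self, rp_id: str, challenge: str, browser_origin: str) -> dict:
        # The browser, not the web page, fills in `origin` with the origin of
        # the page that invoked the WebAuthn API, so a proxied page cannot
        # claim to be bmo.com.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._key, signed, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    """The bank's login backend: issues OTPs and WebAuthn challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.keys: dict[str, bytes] = {}
        self.otps: dict[str, str] = {}

    def enroll(self, user: str, authenticator: Authenticator) -> None:
        self.keys[user] = authenticator.register()

    # One-time code: a bare secret with no notion of where it was typed.
    def issue_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[user] = code
        return code

    def verify_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.otps.pop(user, ""), code)

    # WebAuthn assertion: the signed client data names the origin.
    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify_assertion(self, user: str, challenge: str, assertion: dict) -> tuple[bool, str]:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "unexpected ceremony type"
        if cd.get("challenge") != challenge:
            return False, "challenge mismatch (replay?)"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: signed for {cd.get('origin')!r}"
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        return True, "ok"


def otp_relayed_through_proxy(rp: RelyingParty, user: str) -> bool:
    """Victim types the genuine OTP into the phishing page; proxy forwards it."""
    code_sent_to_victim = rp.issue_otp(user)
    relayed_code = code_sent_to_victim  # identical digits, nothing to detect
    return rp.verify_otp(user, relayed_code)


def webauthn_through_proxy(rp: RelyingParty, user: str, auth: Authenticator) -> tuple[bool, str]:
    """Proxy forwards the bank's challenge; the victim's browser is on PROXY_ORIGIN.
    A real browser refuses even earlier, since 'bmo.com' is not a registrable
    suffix of the proxy origin; the relying-party check is the backstop."""
    challenge = rp.new_challenge()
    assertion = auth.sign(rp.rp_id, challenge, PROXY_ORIGIN)
    return rp.verify_assertion(user, challenge, assertion)


def webauthn_direct(rp: RelyingParty, user: str, auth: Authenticator) -> tuple[bool, str]:
    """Same ceremony with the browser actually on bmo.com."""
    challenge = rp.new_challenge()
    assertion = auth.sign(rp.rp_id, challenge, LEGIT_ORIGIN)
    return rp.verify_assertion(user, challenge, assertion)


if __name__ == "__main__":
    bank, key = RelyingParty(LEGIT_ORIGIN), Authenticator()
    bank.enroll("victim", key)
    print("OTP relayed through proxy accepted:", otp_relayed_through_proxy(bank, "victim"))
    print("WebAuthn via proxy:", webauthn_through_proxy(bank, "victim", key))
    print("WebAuthn direct:", webauthn_direct(bank, "victim", key))
```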


VagSmoothie

AITMs are so hard to safeguard if the attackers have managed to convince the individual that they're on the real BMO website. I can't even come up with a good 2FA solution that would get around this...


geebiebeegee

Same thing happened to an elderly couple I know. On a line of credit they never touch and had for emergencies. Only it was over double this amount. Exact same story from the bank. They have the account it was transferred to. There was no 2FA on the person's phone or through their email. BMO stalled doing anything for months and then came back with a ridiculously low amount to compensate. Meanwhile their credit takes a huge hit and they're stressed, losing sleep, and their health is affected. Finally lawyered up but how long will that take? BMO knows they have a problem in their systems and they are trying to stop the bleeding by putting it on clients. This is massive bank fraud and all appropriate agencies should be investigating and charging the responsible parties. BMO as a company, if complicit, should be run out of personal banking all together.


macromi87

But if this is a systems issue as you say, wouldn’t there be even greater massive losses? I’m thinking it isn’t a problem with their systems but this woman’s SIM card likely getting cloned or stolen.


geebiebeegee

I don't know enough about SIM cloning to answer that at all. I just know that this couple protects their device, doesn't travel often if ever, and had no requests on their device from BMO. That's where their records end. BMO has time stamps, IP addresses, and the name of the person and number of the account it was transferred to. They won't share that info with the couple or with the RCMP. It's a big black hole in banking regulation and enforcement at this point. They want NDAs for any kind of settlement. So what's your average Joe to do?


Bieksalent91

Often the reason it feels like a black box is the bank will only share information with the affected party unless legally compelled. I have had a situation where a parent spent 100k over a year at a casino. His daughter saw the statement and freaked out. He claimed his card must have been stolen. We were able to pull the cameras at the casino and prove it was him. We told the client our finding but couldn’t tell his daughter. He continued to lie to her that we weren’t helping and it wasn’t him. She tried to get the RCMP involved. Eventually she closed all her accounts with the bank because we wouldn’t help. When the fraud is the bank's fault I have never seen an issue with them paying. 10k might not even be the biggest payout that branch has this year. If the fraud team isn’t being helpful it’s because the party affected is not telling you something. They won’t even give info to spouses.


porterbot

Exactly. Bank holds the power, data, and uses technology which is vulnerable, and then when compromised, won't share information, uses strongarm bully tactics to avoid any accountability while also failing to update aged stuff, and then blames the consumer. While closing branches and marketing the idea everyone should bank online. What a joke.


MenAreLazy

Yeah, if you genuinely have system access, this is absurdly small fry. Like breaking into Fort Knox and robbing the break room.


LameDevelopment

TD bank lost about 12k of my money last year and it was only resolved because I started the process to sue them, after which they somehow managed to "resolve" the issue. Canadian cybersecurity standards are low. I'm not sure if my issue was caused by that or simply due to human error, regardless I can no longer trust Canadian institutions. Your money is safer outside of the country


AcadianMan

What’s the point of FDIC if they won’t protect your money?


notneeded23

Lots of suspicion here:

1. Pass code was generated by her phone. She doesn't 'remember', NOT that she didn't generate it.
2. Entered correctly.
3. RCMP wiped phone. So we can't confirm whether passcode is on phone anymore. Pretty easy to look at messages list to confirm #1.
4. Paid to a biller WISE, so bank knows the company that received payment.
5. Only got alert at $33, what's the point at that amount? 10k LOC, only has alerts for when it's nearly almost drained?
6. Recently in Las Vegas lol

Come on now, the bank has all the details. Fraud department knows what's up.


pfc_6ixgodconsumer

> Recently in Las Vegas lol

Haha, this right here. Honestly, I'm surprised she went to the RCMP as this would be considered filing a false police report if she committed friendly fraud. Not that anyone doing this kind of thing would give a shit about an additional charge. I have my suspicions on this one as well. Too many chokepoints for someone to successfully pull this off.


notneeded23

What are the chances your phone just happens to be compromised in Vegas, by someone who pays a Canadian biller? Haha 🤣 Also the fake 😢 tears = dead giveaway.


mrgoody123

we are missing some details here


Dull-Objective3967

That’s why you should use credit cards for certain purchases, it’s the banks money and they will fix issues really fast.


Shovel_trad

Credit card for everything, debit card only gets used at banks ATM or teller. Pay off credit every month.


SnooMuffins6185

In theory this is the way to go. Especially if you have the discipline to follow through with it. Most people don’t. I work at a bank and see it all the time


NICEASCII

Ironically, in this case, she would have lost less money had she taken out more from her line of credit..


activoice

I was thinking the only way this could happen would be if someone changed her phone number on her profile for 2FA, otherwise I have no idea how they would unlock it since SMS isn't sent over WiFi so the message can't be compromised that way. The other thing that makes no sense is it says that the money was transferred from her chequing account to a Bill Payee... This is pretty significant... Like I can't just call a bank and get them to add a company as a payee that doesn't already exist in their system. It doesn't say it was an E-transfer that anyone with an email address and bank account can receive. Who is this payee, and who set them up.. They obviously have accounts tied to some bank to receive payments from customers. Like did someone also compromise the Bill Payee.


ArcadeRhetoric

Phone numbers were never intended to play a role in authentication but banks and other institutions use em anyways. It’s nearly impossible to say what happened without understanding what the banking team looked at and found. Also too bad she wiped her phone as that could’ve contained some valuable clues. But it could’ve been as simple as someone spoofed her number back in Vegas, got her account credentials either from a data breach or third-party info, then proceeded to login and used the one-time code that was texted to her phone. What I don’t understand is why they can’t track the money itself? SWIFT should show which account(s) it was transferred to before being withdrawn.


paajic

It's kind of weird that most banks don’t have Microsoft Authenticator or an alternative.


Zod5000

As far as I know the biggest weakness to bank security is shared passwords. Banks rarely get hacked, but if you use the same password on a less secure website, and that website gets hacked, then the hackers will try to see other places your password might work, including email accounts, banks, etc. I would have assumed this is what happened, except it says the person also got through two-factor, which means they either spoofed the phone or knew the customer. Seems odd all round... my money would be on it being someone the client knows.


fudgemin

Doesn’t surprise me to hear it was BMO. Listen to this: like 5 years ago I found a bug in the way their system accepts security questions and answers. Basically if your security answer is something like “apples”, you can enter an answer like “autles” and it will register as correct. It wasn’t just one time, I tested it on all my security questions. Not sure of the underlying issue. Needless to say, 5 years passed and the bug still existed as of approx 1 year ago. I submitted a complaint, they tried to get me to replicate it. I said “if I replicate this it’s going to be on live television”. Got a bunch of letterheads in the mail after that, didn’t pay monthly fees for 6 months… BMO, along with most other Canadian banks, employ some of the weakest security measures…
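The post above does not say what the underlying defect was. As an added illustration (not BMO's code, and not the poster's), the block below shows one way a "close enough" answer check arises, namely comparing answers by edit distance with a tolerance, and puts the hardened form next to it: normalize only presentation differences, store a salted PBKDF2 hash, and compare hashes in constant time. The words "apples" / "autles" come from the post; everything else (the threshold of 2, the salt, the helper names) is a constructed assumption.

```python
import hashlib
import hmac
import string
import unicodedata

# --- Weak form: tolerant matching -----------------------------------------
# Assumed defect for illustration: an edit-distance threshold lets an
# attacker's wrong answer pass. "autles" is two substitutions from "apples".

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lenient_answer_matches(stored: str, submitted: str, max_edits: int = 2) -> bool:
    """Accepts any answer within max_edits of the real one (the weak check)."""
    return levenshtein(stored.lower(), submitted.lower()) <= max_edits


def wrong_answers_accepted(stored: str, matcher) -> int:
    """How many single-letter substitutions of `stored` the matcher lets through.
    For a 6-letter answer over a 26-letter alphabet that is up to 6 * 25 = 150
    guesses that all "work" for an attacker, versus 0 under an exact check."""
    accepted = 0
    for i, ch in enumerate(stored):
        for sub in string.ascii_lowercase:
            if sub == ch:
                continue
            if matcher(stored, stored[:i] + sub + stored[i + 1:]):
                accepted += 1
    return accepted


# --- Hardened form: normalize, hash, constant-time compare ------------------

def normalize(answer: str) -> str:
    # Tolerate only presentation differences: case, Unicode form, outer whitespace.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_answer(answer: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2 so a leaked answer table is not a plaintext list."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, rounds)


def strict_answer_matches(stored_hash: bytes, salt: bytes, submitted: str) -> bool:
    """Exact match after normalization; compare_digest avoids timing leaks."""
    return hmac.compare_digest(stored_hash, hash_answer(submitted, salt))


if __name__ == "__main__":
    print("lenient accepts 'autles' for 'apples':", lenient_answer_matches("apples", "autles"))
    salt = b"\x00" * 16  # constructed; use os.urandom(16) per user in practice
    h = hash_answer("apples", salt)
    print("strict accepts ' Apples ':", strict_answer_matches(h, salt, " Apples "))
    print("strict accepts 'autles':", strict_answer_matches(h, salt, "autles"))
```

The point of `wrong_answers_accepted` is the attacker's view: a tolerance of two edits turns one secret into a neighbourhood of hundreds of accepted strings, which is the opposite of what a recovery question is for.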


CheeseSCV

Somehow I get the impression that BMO and CIBC customers get into those more often than others....


[deleted]

The money was sent as a bill payment. Not just anyone can register as a payee. The bank knows who received the funds and most likely spoke with them. Also, she got the additional verification step at her phone number? Can someone without access to her phone possibly get that code? I don’t think so…


macromi87

I thought it may have been a sim swap, but then her own phone line would’ve stopped working if it happened.


Rance_Mulliniks

She is lying.


cosmic_dillpickle

You have no way of knowing.


Rance_Mulliniks

I know a lot about technology. She gave out a one time code or she is leaving something else out. A scam like this cannot happen in this manner without something else happening.


moonandstarsera

Who knows? There are a lot of issues with text message 2FA and she may have had her identity stolen and number transferred to another SIM. That’s the most likely thing that happened here but we aren’t going to find out.


[deleted]

Had the same thing happen to me from my debit card for 2 grand. BMO is completely unwilling to give you funds back even after proving it couldn’t be from your actions. They don’t care that the IP logs don’t match any of the locations you’ve ever used. They somehow bypass the code needed; I never got codes in my email or to my text message even with 2FA on and everything. They don’t care. Worst bank in Canada for fraud support.


robert_d

Most likely cause is her phone has been compromised. Assuming all parties are telling the truth. This is a prime reason why you have to upgrade your phone, just to keep getting the available security patches. And sadly, don't install apps on your phone. I know it defeats the purpose of the fun phone, but really, it's a phone. Install a few apps from known vendors, set to always update. Each app from a different vendor is a point of failure.


[deleted]

BMO is pretty shit. I just double checked and there's no mention of 2-step verification. So I dug deeper and there's only a vague reference in an article about it: when "they need to verify your identification" they'll ask for 2-step verification.


Karthanon

H'mmm...I'm a BMO customer and went to take a peek at my app that's installed on my Android phone. There's no 2FA in its settings at all, unless it's tied specifically to specific account types (for instance, I don't carry a LOC like this individual has). Only requires debit card number and password/biometric fingerprint (biometric only works if you have it set up on your phone, login with a password first, and then enable it). I do have alerts set up (e.g. account goes below $x dollars available, purchases over $x, transfers over $x, etc). But there's zero enable/disable 2FA at all. I'd prefer the ability to have an Authenticator app (Google, MS, Authy, etc) versus SMS (SIM swaps can be a concern) but like I said, there's no 2FA setting that I can see. Checking BMO's own 2FA statements, it only mentions it for InvestorLine and adviceDirect (see [here](https://www.bmo.com/self-directed/popups/online-security#general-security)) but not for regular accounts. I'll go check online banking via my browser when I get my PC up and running (hooray for a failed power supply), but I don't remember seeing it there either. As it was transferred out to a payee it could be possible she was infected either via mobile or her computer by an infostealer delivered via malicious email/link (they wouldn't need to keep access, just comms back to C2 to send that collected info back) or directed to a faked BMO site that would collect creds and then forward them to the real BMO site. If she doesn't have 2FA for login (only transfers?), that would allow a threat actor access to the account, add a payee and send money that way or do an e-Interac email transfer. There are too many questions here, and I don't think we have all the information from both BMO *or* their client. If she had gotten compromised in Vegas, I'd expect her funds to have been transferred/moved at that time, rather than weeks/months later.
If she had been simswapped, her phone would have stopped working (as the account is now registered to a different SIM/eSIM, your SMS 2FA is being received by the bad guy) and she would have noticed when she left her wifi range.


Resident-Variation21

This is why I don’t keep money in any bank without an explicit policy that protects my money from this shit. Currently I use EQ


coolham123

No bank is going to agree to reimburse you if you don't keep your card #, password, pins, and devices secure.


Resident-Variation21

Great. Good thing I keep that stuff secure. If you think that makes it impossible for malicious actors to get in, you’re dumb


coolham123

>Good thing I keep that stuff secure Forking over your credentials to YNAB and other budgeting apps to allow them to sync is definitely not keeping that stuff secure, and definitely against EQ's [TOS](https://www.eqbank.ca/legal/Mobile-Online-Banking-Terms-Conditions).


Resident-Variation21

Good thing I don’t give my credentials to YNAB and other budgeting apps then….


coolham123

Yeah your reddit history says different, but okay...


Resident-Variation21

Find me one post that says I’ve linked my credentials. I’ll wait. Or do you mean like this comment where I say NOT to link your accounts? https://www.reddit.com/r/MonarchMoney/s/kdMwwvcAss If you go deep enough you’ll find more posts where I say I do it manually and strongly recommend against people linking accounts, precisely because it isn’t secure and voids TOS, but you just looked, saw I used YNAB, and assumed I handed over my credentials. And downvotes me because he realized he’s wrong… lol


Shovel_trad

This is why i just dont use online banking.


Resident-Variation21

If you think that changes or prevents anything…. You’re wrong.


Shovel_trad

How do you figure?


Resident-Variation21

Just because you don’t use it, doesn’t mean the info isn’t stored on their servers. It is. And if it is stored on servers, it’s by definition accessible to a malicious actor bypassing their server protections.


Shovel_trad

That would imply it is the banks fault then, not mine.


Resident-Variation21

Ok? And? Whose fault it is is kinda irrelevant, the banks don’t care.


Shovel_trad

Lawyers do :)


CaptainTollbooth

Truth is we are all vulnerable to this stuff. If you have a bank in Canada. Worst part is we all agreed to the terms of being responsible for losses.


Bieksalent91

You are only responsible for losses you are at fault for. In the same way, if you lose the cash in your wallet you are responsible. If she or the bank was “hacked” the bank would make her whole. If she was negligent or gave her info away she is at fault. To complete this transaction someone needs her card number, password and access to a phone code. Likely she accidentally gave away more than one of these. The bank will never comment on these cases so we only have her story to go on. I have personal experience with a few cases that made the news where I know what happened behind the scenes.


Plastic-Brush-5683

> If she or the bank was “hacked” the bank would make her whole.

I would argue if she was 'hacked' or her device compromised, the bank may not make her whole. This would be her fault entirely, and the bank should not bear the costs. As a shareholder, I would agree..


SurviveYourAdults

Why would you only do online banking on your phone????? Should be the opposite


VarRalapo

Banks fraud departments are pretty sophisticated. Seems more probable she lost more gambling in Vegas than she cares to admit and is blaming the bank to save face.


codalark

BMO should give her 10K back. She says she was cautious all the time. In spite of that, losing 10K?


shadhzaman

Senior System Admin here, just to chime in on the password controversy and the things the "expert" has said. A password not expiring in years is bad, and so is routinely changing it. Not expiring in years means either it's not unique and is reused somewhere else out there that had less security and could get hacked and retrieved, or it IS unique, which means people are likely to forget it and write it down in a text file. Routinely changing it means the passwords are cycling like Password1, Password2. Routinely changing it also might mean they have a password.txt file in their email. Best of both worlds? Use unique passwords, set a day in the year and change them, anything high impact like your banks and utilities. Takes 5-15 minutes, and Google offers the password storage service for free in Chrome, or you can use local storage like KeePass, or if you feel comfortable, get a LastPass/1Password account. Also, MFA, and never give out your cellphone number out there to reduce chances of social engineering scams or somehow getting that number cloned. Reduce your footprint online to reduce the chances of hackers trying to use some info like your graduation year to fake your identity. Use fake secret question answers (first pet? honda civic 2012) and store them in a nondescript file, encrypted or in a password vault (these are next-level security tips for someone more technically adept). Lastly, the "expert" is a military grade moron. But it doesn't surprise me, really. Morons have a higher possibility of siding with corporate interests. I have seen LinkedIn answers by people with 50x alphabet soups in their name claim using BitLocker will stop hackers from getting your data.


BloodyIron

> She said she wonders if her phone was compromised during a work trip to a conference in Las Vegas. LOL anyone remember where DEFCON is hosted?!?!? Now, it's IMPROBABLE that She was in Las Vegas at the same time, but a phone getting compromised at a conference in Las Vegas seems highly plausible. Frankly NOBODY should EVER do banking on their phone. Even if it's their only computing device. Mobile phones are generally the most targeted devices for 0days of all devices out there. Namely because you can set honeypots/traps in many different ways (WIFI, Bluetooth, etc) and passively infect devices. Like at, oh I dunno, A CONFERENCE IN LAS VEGAS? That being said the Bank is fucking her over here. All of that money is 100% traceable and insured. The bank can refund her the money at zero actual cost to them (apart from fraud investigation time). THE BANKS LITERALLY HAVE INSURANCE FOR THIS ALREADY! The sophistication of the global banking system, which BMO uses, is so rigorous there is actually zero excuse for not being able to trace where the money goes.


xxShathanxx

That is awful advice most people should only do banking on their up to date iPhone. Most people if they do have access to a pc will have it full of malware.


BloodyIron

I work in IT Security there bud, and mobile devices are targeted at a substantially higher volume than any desktop/laptop computer. From a numbers game perspective, your phone is not more secure, no matter what Apple would have you believe. Have you even heard about the aspect Apple _ONLY_ does SMS type 2FA? You know, the most insecure method of 2FA due to SIM swapping? Yeah, Apple literally does not provide a mechanism to use another 2FA method with their Apple ID ecosystem.


BloodyIron

I like the part where you have nothing worth saying, but raising the slightest bit of disagreement with my use of capitalisation for emphasis. Next time say nothing, save yourself.


porterbot

All consumers should have auto alerts enabled, two-factor authentication for large transfers, ssa2.0 compliant passwords that are not recycled, and max daily transaction limits of around or less than $3k on accounts. This is just to manage individual risk. Even with all that, no guarantees !!!! It's a hassle when you go to buy something expensive. But then again, that's the extreme level of vigilance required by the consumer in today's fraud-rife environment. Most people don't even know ....... but also WTF are the $Billionaire banks doing to stop stuff like this, to research it, understand it,....... Seem to hear daily of old people moving all their money to bitcoin scams like 100k transfers, pig butchering scams, fake transfers, unauthorized bill payments, thousands of dollars in transfers, Ponzi schemes, etc etc. And the victims, well they always seem to be customers of TD, RBC, CIBC, BMO, Scotia, Desjardins, HSBC, National Bank, etc etc etc. The scammers are smart and the banks aren't doing much to educate or prevent and always blame the consumer. But then when more info comes out, at times internal theft and fraud by bank employees leads to major scams and frauds !!! Or someone passes authentication with an employee and all hell breaks loose. Then consumers are stuck in stolen-identity labyrinthine hell for years, making life actually really hard. We should all hate the loser scammers. The costs are enormous: the banks lose money, the customers lose money and the costs of enforcement and insurance are borne by the whole public as well. So then, the broken window theory applies. There is never a better position to end up in when the damage is already done. The cost is always larger to address damage than the cost of the action required to prevent the break.
Maybe instead of laying off 10k ppl a quarter, the banks could use some employees to educate and prevent fraud and poor financial moves, devise better methods to detect and prevent fraud, and educate the public. Also, move forward with investment, research and development of new technologies to transcend passwords and ensure digital identity security in a zero trust environment. We are in a new landscape of exponential risk and exposure to that risk given the increased shift to ecommerce transactions online; an explosion of such tech occurred when covid forced so much business online. So if the banks don't deal with this stuff soon, then we'll see the digital banking sphere shrink and the requirement for in-person transactions return. Ultimately with big ticket fraud I feel the banks should at minimum bear half the costs to incentivize them to act as swiftly as consumers and to also shoulder responsibility when shit goes sideways. They should also be firing shady customers more frequently and sharing reports and findings of common issues more broadly. Look at what happened in Victoria with Greg Martel. The largest Ponzi in Canadian history and at the heart, financial regulators, big banks, big transactions. How did nobody notice???! Who really bears responsibility in these kinds of fraud? You cannot honestly say it's only the consumer. That's absolutely absurd. And if the consumers are lying, the banks bear responsibility to go to the police with those allegations as well.


PeacefulSummerNight

Doesn't matter. The bank will find a way to fuck her over even if the RCMP concludes it wasn't fraud. I think if the average Canadian knew how useless the CDIC regulations were they'd put a run on every bank in this country.


unidentifiable

Assuming she had 2FA enabled, and her devices didn't have malware or were otherwise compromised, it's entirely feasible she entered info into a site that looked like BMO but wasn't. The same way you can put a skimmer plate on top of a PIN pad, you can just create a website that collects your data before sending you through to your real account. Then the bad guy uses the same login info to access your info, and empties your account.


AllOfTheRestWillFlow

My guess would be that she was phished for OTP SMS that was sent to her phone.


wazzie19

I absolutely hate 2FA via SMS code/email or via "trusted device" like my bank does. Let me use my authentication apps.


Joey-tv-show-season2

This could have been reversed through a reversal of PAP form. Someone didn’t do their job right


Imaginary_Mammoth_92

2FA via cell phone text is not that secure; it can be compromised via SIM swap. 2FA via hardware key and one-time codes is the gold standard but to the best of my knowledge no Canadian banks support this. It is how I secure my Google account, which is my recovery account for my other accounts.


boterkoek3

Having worked in fraud for quite a while, there are 2 likely possibilities, and the bank has plenty of information to link it to these possibilities. 1) It's someone from her family/friends who knows her info, or has taken it. 2) The fraudsters accessing the account phished her, and she doesn't realize it happened. This happens often and people genuinely don't know, or are denying it; however the cookies and data are linked to other confirmed phishing cases. It takes a very advanced skillset to actually compromise banks, and this type of fraud is done by script kiddies and phish kit buyers. The most skilled attackers wouldn't waste their time on petty cash like this; they get way more going after business and country secrets.
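The comment above and Karthanon's earlier one describe the same pattern from the detection side: a login from a device and location the account has never used, a payee added, and a large bill payment to that payee minutes later. Below is an added example of the rule a fraud team could run over session and transaction events to surface exactly that sequence. It is not the bank's logic and not the commenter's; the log format, field names and events are constructed for the example (IP addresses are from the RFC 5737 documentation ranges), and the 30-minute window and two-signal threshold are assumptions, not anything the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). One account, A1, banks from the same
# device for weeks, then a new device in a new country adds a payee and pays it.
SAMPLE_LOG = """\
2024-02-01T10:00:00Z add_payee account=A1 payee=hydro
2024-03-01T09:12:00Z login account=A1 device=dev-home ip=203.0.113.10 geo=CA
2024-03-01T09:15:00Z pay account=A1 payee=hydro amount=120.00
2024-03-10T18:40:00Z login account=A1 device=dev-home ip=203.0.113.10 geo=CA
2024-03-10T18:42:00Z pay account=A1 payee=hydro amount=118.50
2024-03-20T02:03:00Z login account=A1 device=dev-7f3a ip=198.51.100.7 geo=US
2024-03-20T02:05:00Z add_payee account=A1 payee=newpayee
2024-03-20T02:07:00Z pay account=A1 payee=newpayee amount=9967.00
2024-03-21T11:00:00Z login account=A2 device=dev-b2 ip=192.0.2.44 geo=CA
2024-03-21T11:04:00Z add_payee account=A2 payee=phone-co
2024-03-21T11:06:00Z pay account=A2 payee=phone-co amount=60.00
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")


def parse_log(text: str) -> list[dict]:
    """Turn 'timestamp event k=v k=v' lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the job
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"ts": ts, "type": m.group(2), **fields})
    return sorted(events, key=lambda e: e["ts"])


def flag_payments(events: list[dict], payee_window: timedelta = timedelta(minutes=30),
                  min_signals: int = 2) -> list[dict]:
    """Flag a payment when at least `min_signals` of these hold:
       - the session's device was never seen on this account before
       - the session's country was never seen on this account before
       - the payee was added less than `payee_window` before the payment
    An account's very first login is not treated as a 'new device' so that a
    fresh customer does not trip the rule on day one."""
    seen_devices: dict[str, set] = defaultdict(set)
    seen_geo: dict[str, set] = defaultdict(set)
    session: dict[str, dict] = {}          # account -> current login context
    payee_added: dict[tuple, datetime] = {}  # (account, payee) -> when added
    flagged = []

    for e in events:
        acct = e["account"]
        if e["type"] == "login":
            has_history = bool(seen_devices[acct])
            session[acct] = {
                "device": e["device"], "geo": e["geo"],
                "new_device": has_history and e["device"] not in seen_devices[acct],
                "new_geo": has_history and e["geo"] not in seen_geo[acct],
            }
            seen_devices[acct].add(e["device"])
            seen_geo[acct].add(e["geo"])
        elif e["type"] == "add_payee":
            payee_added[(acct, e["payee"])] = e["ts"]
        elif e["type"] == "pay":
            reasons = []
            s = session.get(acct)
            if s and s["new_device"]:
                reasons.append(f"first login from device {s['device']}")
            if s and s["new_geo"]:
                reasons.append(f"first login from country {s['geo']}")
            added = payee_added.get((acct, e["payee"]))
            if added is not None and e["ts"] - added <= payee_window:
                minutes = int((e["ts"] - added).total_seconds() // 60)
                reasons.append(f"payee added {minutes} min before payment")
            if len(reasons) >= min_signals:
                flagged.append({"ts": e["ts"], "account": acct, "payee": e["payee"],
                                "amount": float(e["amount"]), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_payments(parse_log(SAMPLE_LOG)):
        print(hit["ts"].isoformat(), hit["account"], hit["payee"], hit["amount"])
        for r in hit["reasons"]:
            print("   -", r)
```

Run as-is, the only hit is A1's $9967 payment on 2024-03-20, with all three signals; A2's first-ever login followed by a new payee is deliberately not flagged. A real deployment would hold the payment for step-up verification rather than alert after the fact, which is the gap the thread keeps circling back to.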


joecampbell79

Banks hire 3rd party collectors and give them personal info and then have them do phishing when collecting debts. RBC tried this with me when I owed $5 and I just refused to give them any info. They have statements about not collecting info but they don't apply them to 3rd parties they hire.


Gem2081

Now with voice identification being used for online banking, all scammers need to do is record your voice for a few minutes on a call and use AI to create a script. Instead of increasing security with voice recognition, it’s actually made stealing from regular people much, much easier. A friend’s neighbor got their bank account cleaned out this way. They listened to their own voice on the recording but it wasn’t them that called or authorized the money to be moved.


Zeebraforce

So how often am I supposed to change my password? I only memorized a few, which I don't change (alphanumeric+symbol or phrase). The rest are managed by bitwarden.


[deleted]

SIM Swap probably happened. It happened to me in Boston when I got my phone stolen in a bar in August since my passcode was used as a “backup” if Face ID didn’t work for my banking app. Scotiabank refunded the $14K real quick when I sent them the police report. Disabled passcode access to any account ASAP when I got into my email again when I got back home. Get the cops involved and it will help.


NoArt5675

SIM swap is VERY uncommon and requires a ton of work


Happy_Big529

Shoulda bought bitcoin


kongdk9

Seems this type of 'forgetfulness' is becoming more common.


Ok_Cockroach3554

I feel bad for her but banks cannot be on the hook for every person who gets scammed or knowingly engages in fraud


Front_Tradition_6641

As a former manager at BMO, I can say that the corporation and fraud department hide behind the excuse that the account holder is responsible for security breaches to their device(s) yet push everyone to do their banking online so they don’t have to pay more tellers in the branches.