Monday, 13 May 2019

RBC customer out of pocket after fraud: what you need to know if you e-transfer money

https://twitter.com/DavidRayAmos/with_replies





Replying to and 47 others
Methinks if the Crown won't prosecute the crook then the lady could sue them all N'esy Pas?


https://davidraymondamos3.blogspot.com/2019/05/rbc-customer-out-of-pocket-after-fraud.html

 


https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114




RBC customer out of pocket after fraud: what you need to know if you e-transfer money



635 Comments



David R. Amos 
Methinks the cops should visit the crook and ask a few questions. If he does not wish to give he money back they should make a report and ask the Crown to decide as to whether or not to prosecute him. If the Crown goes forward I am certain it will cost the crook more than what he stole to pay a lawyer to defend him N'esy Pas?

"The women called RBC's fraud department and a bank employee provided the name of the fraudster, his email, and says he'd transferred the money to a TD Bank account."  



Alex Tomev
Reply to @David R. Amos: It’s an email transfer so there’s likely no point getting involved. The funds were sent to an email address unlike cheque fraud that is sent to a person. An email address often doesn’t have a verified owner unless it was provided by an ISP like Rogers/bell/corporate email. So if the cops confront the “theif/opportunist” what’s to stop him/her from saying that’s his email since he has the password, and what’s to stop him from saying the funds were intact meant for him since he knew the transfers password due to the senders stupidity of including it in the question. Plenty of plausible stores that will never hold up in court where guilt is determined beyond a reasonable doubt. For $1000 it’s just a huge waste of time for everyone involved.  


David R. Amos
Reply to @Alex Tomev: If the Crown won't prosecute the lady could sue them all.











Jim Redmond
First of all, it was only $1,734 --- who goes to the media over such a small amount. Secondly, I 100% support RBC on this matter. It's not the bank's fault someone had hacked her email account and it's not the bank's fault she used a weak security question. I wouldn't have paid her anything.


David R. Amos 
Reply to @Jim Redmond: "only $1,734" ???

Methinks if it was your $1,734 you would at least demand that the cops do their job N'esy Pas?

Jim Redmond
Reply to @David R. Amos: I don't consider $1,734 worth my time --- that's less than a half day's work. And the cops shouldn't bother with such small amounts.

David R. Amos  

Content disabled
Reply to @Jim Redmond: I strongly disagree.

I am a Senior and that amount is more than a month''s' income. However the point is a crook is a crook and a cop is a cop. Methinks if the cop won't do his job then he is assisting crooks N'esy Pas?


Al Zwikke 
Reply to @Jim Redmond: Then I say you are committing fraud on whoever pays you $1734 for 1/2 days "work"

David R. Amos   
Reply to @Al Zwikker: My reply was blocked

Andy Norbet
Reply to @Jim Redmond: Sounds like BS to me coming from someone who needs a walker to get into town for food and lives in a trailer park.








Stan Vincent
"the fraudster figured out the answer for the security question necessary to deposit the money, and then redirected it to a different bank account."

"Hoover filed a report with Peterborough police, but an officer told her that it's difficult to clamp down on online fraud and her fight to recoup the money could take ages and would likely be fruitless."

Given that they have the bank account #, it should probably have been easy for the police to track down and catch the culprit, and return the money to the victim, if the police had acted on the matter right away instead of making lame excuses. Why the police are not going after online scammers and thieves is beyond me. A lot of crime these days is via the internet in one way or another. The police need to be keeping up with this trend and should already have considerable resources focusing on going after online fraudsters. The fact that police departments are not doing this at this point is way out of wack with the current trends.





David Amos  
Reply to @Stan Vincent: I agree and made the same argument earlier




RBC customer out of pocket after fraud: what you need to know if you e-transfer money

'Transferring money by email is much more risky than people realize,' warns cybersecurity expert


Anne Hoover says misleading marketing made her think that Interac and RBC would protect her from fraud if something went wrong during an e-transfer, but they didn't. (John Badcock/CBC)

A system to transfer money online — used over a million times a day in Canada — is not as safe as it advertises, says a Royal Bank customer who had $1,734 stolen during an e-transfer.

The theft occurred after Anne Hoover of Peterborough, Ont., e-transferred money from her RBC account to her friend Fran Fearnley, only to have a fraudster intercept the transaction and divert the money to his own account at another bank.

"I always use e-transfer," says Hoover. "I thought it was a safe way to send money."



An RBC manager says an internal investigation indicated that Fearnley's email account had been hacked, and when Hoover sent the e-transfer, the fraudster figured out the answer for the security question necessary to deposit the money, and then redirected it to a different bank account.


Anne Hoover is angry RBC acknowledged a stranger redirected her e-transfer, but won't fully compensate her claiming her security question and password were too weak. (John Badcock/CBC)

An expert in online privacy protection and security says financial institutions have opted for convenience over security, which makes strong email passwords and equally strong e-transfer questions and passwords essential.

"How you manage those passwords is very important," says Claudiu Popa, author of The Canadian Cyberfraud Handbook and a cybersecurity expert who advises government and companies.

"Banks and financial institutions have made it very easy to transfer money via email. Unfortunately, with convenience, comes lack of security."

How it happened


Hoover and Fearnley had just returned from a trip to Mexico on March 18, when Hoover went online and used her bank's Interac e-transfer system to reimburse her pal for trip expenses.


It wasn't the sun on this Mexican holiday that burned Anne Hoover, centre, and Fran Fearnley, right, the women say, after a $1,734 e-transfer between them was intercepted by a fraudster. (Submitted by Anne Hoover)

But when Fearnley opened the email and tried to accept the payment, she got a message saying the e-transfer had already been deposited.

The women called RBC's fraud department and a bank employee provided the name of the fraudster, his email, and says he'd transferred the money to a TD Bank account.

"This is clearly a complete stranger," says Fearnley. "How could that possibly have happened?"

The two friends headed to their local RBC branch, where they are both customers — Hoover, for more than 30 years.

The bank blamed the theft on Fearnley's email security.

Hoover's security question to her friend was: "Who is my favourite Beatle?"

The fraudster would have had a one in four chance of getting it right — John, Paul, George or Ringo. In a test of RBC's Interac system, Go Public was given four chances to answer the security question correctly.


Hoover says she is disappointed by her local RBC branch in Peterborough, Ont., where she'd been a customer for 30 years. (John Badcock/CBC)

"The manager continued to insist ... that it wasn't really their problem. It was now our problem," Hoover says.

Eventually, the manager offered Hoover half the missing funds as a "gesture of goodwill."

Contacts police


Hoover filed a report with Peterborough police, but an officer told her that it's difficult to clamp down on online fraud and her fight to recoup the money could take ages and would likely be fruitless.

Hoover says she feels misled by the bank's website.

A webpage about RBC's digital security tells customers they're "fully protected" and will be reimbursed "for any unauthorized transactions."

But when Hoover pointed that out to bank officials, she was told customers aren't protected if they use weak passwords when transferring funds online.


RBC's website suggests in large font that customers are protected against fraud. Buried deep in the fine print are exclusions that prevented Hoover from claiming compensation. (RBC)

RBC declined an interview request from Go Public.

In a statement, AJ Goodman, RBC's director of external communications wrote: "As part of our electronic access agreement, clients commit to using passwords and security questions that are unique and cannot be easily guessed or obtained by others."

That information is on the bank's website, but only if a customer reading RBC's "Security Guarantee" clicks on a few different links to get to a clause in the fine print of a section called "Security."

Interac makes the same security promises online as RBC, telling customers in bold print that they are "protected from fraud losses."

No one from Interac would agree to an interview with Go Public, directing questions to RBC.

In a statement, the company's senior manager of external communications, Adrienne Vaughan, wrote that Canadians must "protect their email and passwords so they do not fall victim to cybercrime and they can safely transact online."

Woman loses $7,000 in e-transfer


In another, similar case, Dr. Sylvia Veith of Prince Albert, Sask., lost $7,000 when she used Interac to e-transfer money to her son's hockey league in June 2017.

That money was intercepted and her bank — RBC — blamed a weak password to a security question and told the physician there was nothing that could be done.
RBC would not comment on Veith's case, except to reiterate the importance of strong passwords. Police say an investigation is ongoing.

Security sacrificed for convenience


"This idea of transferring money by email is much more risky than people realize," says Popa.

"Companies don't report [incidents] because they don't want an investigation from the privacy commissioner, from other regulatory bodies."

Popa says people have been desensitized to the risk of email transfers "very quickly, almost too quickly" because they use email all the time, so they figure it's safe.


Cybersecurity expert Claudiu Popa says consumers need to demand better security features from their financial institutions, and switch if they won't provide them. (John Badcock/CBC)

What banks and other financial institutions have done, he says, is sacrifice security to get a high number of people using the system.

Last year in Canada, there were more than 371 million e-transfers worth more than $132 billion, according to Interac Corp., the biggest online funds transfer service in the country.

The Canadian Anti-Fraud Centre told Go Public that it received 163 reports in 2018 involving e-transfers that were compromised, resulting in money being transferred to fraudsters.

Popa did a quick search of Fearnley's email on www.haveibeenpwned.com, a website that tracks data breaches and reports almost eight billion occasions when personal accounts have been exposed. The same email address could be acquired from several different sources.

Popa found her email was compromised on two sites when hackers attacked LinkedIn and Verification.io

"That means people have found those e-mail lists. They have sold them to others," says Popa.

"Different people have taken what they've needed from those lists, and that's how they got compromised, very likely."

Financial institutions resist solutions


The cybersecurity expert says financial institutions and Interac need to require something called "two-factor authentication" to better protect people's accounts.

"Every time you log into an account you need to use a second factor," explains Popa. "A code that arrives as a text message or as a separate email to a different email address that is only valid for a few seconds or a few minutes after it's received."

He says the financial industry knows more security is needed, but is more concerned about getting customers to use the e-transfer system.

Some financial institutions offer two-factor authentication as an option, not a requirement.

Go Public asked RBC and Interac why they don't require two-factor authentication. Both declined to address the question.

Leaving RBC


Hoover says she's learned the hard way that strong security questions and passwords are crucial.

She's escalating her case to the RBC Ombudsman, hoping to prompt the bank to better warn customers they could be liable for losses even if they're victims of fraud.

She's also closing her business account at RBC, after decades of loyalty.

"How can I feel confident [in RBC] when, in fact, I've had money stolen from me — clearly stolen," says Hoover.

"This isn't secure, and people need to know."

(CBC)


Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories and hold the powers that be accountable.
We want to hear from people across the country with stories you want to make public.
Submit your story ideas to gopublic@cbc.ca.
Follow @CBCGoPublic on Twitter.

About the Author


Erica Johnson
Investigative reporter
Erica Johnson is an award-winning investigative journalist. She hosted CBC's consumer program Marketplace for 15 years, investigating everything from dirty hospitals to fraudulent financial advisors. As co-host of the CBC news segment Go Public, Erica continues to expose wrongdoing and hold corporations and governments to account.
With files from Enza Uda


CBC's Journalistic Standards and Practices

No comments:

Post a Comment