Canadian Money Forum

101 - 120 of 156 Posts

Registered · 1,593 Posts
Just had long talks with TDDI regarding this (multiple phone calls over the last 2 weeks); they are generally clueless and the reps give wrong/conflicting information.

Here is what you can do as a customer:

1. Change your default username
2. Use a strong password
3. Enable multifactor authentication (PIN by SMS)
4. Enable a transaction PIN for buys

There are two other measures that can be put in place, but they have major drawbacks:

- Disable the possibility to exchange information with TD Canada Trust (so the tellers don't see your TDDI accounts). = This will break your access to tax slips, so beware.
- Enforce a "Transaction lock" on the account. = This goes both ways: it locks money going OUT and money going IN. You will need to phone them every time you want to make a contribution.

Anyone with access to one of your monthly slips would be able to answer the dummy questions they always ask and get "verified". The questions are always the same:

- who is the main owner of the account?
- name me one stock and the amount held?
- what is the account total value?

Adding a custom question/answer that gets asked on top of those dummy questions would fix the issue, but it's "not supported"!

TDDI phone support is really the weakest link. They assure me that everything is covered, but we all know that when **** hits the fan and lawyers get involved, things are not that simple...

I encourage everyone to call them and ask the question: "as a TDDI customer, how can I protect myself from cybersecurity risks?"
 

Registered · 4,579 Posts
... TDDI phone support are really the weakest link ... I encourage everyone to call them and ask the question: "as a TDDI customer, how can i protect myself from cybersecurity risks" ...

"Contract lawyer says terms overwhelmingly favour banks, calls for more consumer protections": Online banking agreements protect banks, hold customers liable for losses (CBC)

I agree phone support is a weak link. It's not hard to get hints out of them for the security questions or to find a workaround.

A TD phone rep once told me I would have to verify ID in person when I didn't know a specific transaction value. I was able to unlock it with another rep and some convincing, which in hindsight isn't good.

Now once you are in, you can just change the security settings online anyway.
 

Registered · 4,652 Posts
Sorry I just haven't gotten around to following through on these bank security weaknesses. But I encourage everyone else to also carefully document and inform the banks of ANY glitch or shortcoming in security they see.

Online banking agreements protect banks, hold customers liable for losses, expert says


The banks are trying to wiggle out of liability in case of theft. Hopefully by getting it on the record that they are being delinquent in their responsibilities to provide secure systems, we can reduce their ability to wash their hands when theft occurs.

After Scotia told me they would investigate the failings I found in their alerts system, I never heard any follow up. I have not yet filed the paperwork with their complaints division... obviously I should go through the correct procedure for all that. This is more about establishing a paper trail for liability purposes and lawsuits, than anything else.
... WOW, WOW, WOW!!!! to that article in the link.

I'm wondering what will it take for the banks to smarten up their practice on this? Lawsuits? Multi-million ones or a billion or 2?
 

Registered · 870 Posts
I wonder (and suspect) that they are using other methods. Some simple, some sophisticated. If an incoming call to a bank is from a residential phone number that matches the number on file, that’s the first step. Checking if a phone number on file has recently changed is the next step. If a criminal is on your home phone impersonating you, then you probably have other concerns, beyond financial. The same goes for mobile incoming calls....although a risk with fraudulent number porting.

I may be naive, but I put quite a bit of faith in the banking sector. (Former banker, haha). These are multi-billion dollar companies with 100+ years of history. Safety and fraud prevention are continuously being improved and challenged. I was once involved with a project on the verification questions being asked. It's a fine balance....make them too hard, and clients freak out; make them too easy, and there's risk. I always found the questions that a client chooses themselves the funniest. Clients would fight and argue with me about "what their favourite drink is". They would accuse us of answering the question for them. Always made me laugh.

Clients get their money back almost all the time....I would guess 99% of the time. In my experience of 20 years, we probably declined a refund less than 10 times.....and that's with frauds happening almost daily in my branch. I don't want to minimize the risk, but the media tends to exaggerate the problem. The risk has been and continues to be very, very small for a fraud to occur. And the risk of not being reimbursed is even smaller. Albeit probably with some pain and aggravation. If the banks (or any other company) are aware of the risk, then they are working to resolve it.

Finally, you probably don’t hear much about banks being sued or lawsuits.....because they will eventually settle before it gets that far.
 

Registered · 10,520 Posts
Not sure the point of checking the calling number when the scam "CRA has a judgement against you - act now or the police will show up" calls I've received have been displayed as legit CRA numbers for a long time now. Gone are the days of the malformed numbers that instantly show it's a bogus call. Or are you thinking the banks have access to some system that identifies spoofed numbers better than what the telcos do?


... I may be naive, but I put quite a bit of faith in the banking sector. (Former banker, haha). These are multi-billion dollar companies with 100+ years of history ... Clients get their money back in almost all the time....I would guess 99% of the time. In my experience of 20 years, we probably declined a refund less than 10 times.....and that’s with frauds happening almost daily in my branch ...
Maybe ... I'm not filled with confidence when my PIN was cut from eight to ten digits down to four "because the system can only handle four". Strange that the system worked for years on the longer PIN and was able to change the PIN at the ATM but only the branch reset forced a four digit PIN.

Most I have talked to who have suffered fraud have typically had the bank assume it was the customer's fault, or "your spouse took money out without telling you, so it's not our fault". In a couple of cases, it took the police talking to the bank or a consumer advocate talking to the bank to get the reimbursement.


... Finally, you probably don’t hear much about banks being sued or lawsuits.....because they will eventually settle before it gets that far.
True.


Cheers
 

Registered · 17,032 Posts
Discussion Starter #106 (Edited)
What bothers me is that we have some systemic security weaknesses, things that m3s has written about as well. This means that all of our accounts are inherently exposed to risk, so even someone with a great password really cannot consider themselves to be safe.

Examples would be the ability to reset passwords or takeover accounts by using a combination of security questions / email / phone authentication. None of these things are particularly strong. Email is often easily compromised, and phones can be hacked, intercepted, or taken over pretty easily too. Furthermore, many people now do email & phone on the same hardware (smart phone) which creates a central point of failure.

And it was the choice of the banks to design their security systems in this inherently flawed way. When there is account compromise or theft, they are trying to throw blame back on the customer, whereas in fact they have designed a fundamentally weak system.

Pretend that I built a bridge that has fundamental design weaknesses. People are using the bridge in harsh weather and the bridge collapses. They blame me for their injuries. And then I have the audacity to say that the silly people shouldn't have used the bridge in harsh weather, they should have been more careful. Nope... the bank has liability here. We need government action or a class action lawsuit to correct their behaviour.

Their patchwork of various "sophisticated" security measures posted above are helpful, certainly, but does not change the fact that their authentication and account access mechanisms are fundamentally insecure.
 

Registered · 870 Posts
... I'm not filled with confidence when my PIN was cut from eight to ten digits down to four "because the system can only handle four" ...

... In a couple of case, it took the police talking to the bank or a consumer advocate talking to the bank to get the reimbursement ...
Mind me asking which institution made the change to 4 digit PINs? Have you checked with them lately on their current parameters? Years ago, we advised people to stick to 4 digits if they planned on travelling out of Canada, as we couldn't guarantee a longer PIN would work in international machines.

As for the police involvement.....perfectly normal above a certain threshold. A crime has been committed and the police work closely with corporate security departments.
 

Registered · 870 Posts
... What bothers me is that we have some systemic security weaknesses ... Their patchwork of various "sophisticated" security measures posted above are helpful, certainly, but does not change the fact that their authentication and account access mechanisms are fundamentally insecure.
Not disputing anything you or others have mentioned....just that the risk is very very small. Having worked in a retail branch (being the face of most customer issues/concerns) for 20+ years, tells me that the risk is very, very small.

Flying and driving can be dangerous. We know the risks. We can lower speed limits and have 20km/hr governors to make it safer, and it still wouldn’t be safe.

I’m no IT expert....yes the banks built the system.....probably decades ago when computing began. As things became more complex, the banks and all companies “bolted” on solutions, creating a patchwork that I suspect would be difficult to undo. I suspect, with no actual knowledge, that small and newer companies have an advantage here. Like thinking an older, massive home can not compete on an efficiency basis, with a brand new smaller home. It would be cost prohibitive to knock the old bigger house completely down to compete with the newer home.

The statement that the banks "are trying to throw blame back on the customer" is media driven. Talk to a banker you trust.....there is never any mention of "let's deny claims". For larger claims..yes, a mini interview or questionnaire is done to determine what happened and where the breach occurred. Asking "is your bank card on you now, do you ever share or write down the PIN, when was the last time you used it, where?" is used to determine what happened......not to look for ways to get out of the claim. As a branch manager, I had no incentive, no compensation and no budget for electronic frauds. I'd much rather get your claim paid off quickly, so you'd get out of my hair. Lol.
I did have responsibility for frauds that occurred face to face in my branch, but that was a different sort of fraud than we're talking about here.

And I’ll finally reiterate, the banks are gonna reimburse you anyway. There’s tens, if not hundreds of thousands of frauds each year and a handful make the news every now and then.

If you are that concerned, vote with your wallet. Take your business elsewhere and change your banking habits. Disconnect all electronic banking. You know that’s the only way to get a corps attention. Legislation will take forever.

And consider..if you're into worst-case scenarios............creating a massive paper trail to one day present in a court of law outlining all your concerns and issues.........will be quickly turned around back to you........"Mr. James, as a customer you seemed to be very concerned and, in fact, knew the system was broken....yet you continued to use that system which you have stated is fundamentally broken. Isn't it a fact then, that YOU are at fault for KNOWINGLY using a broken system?" Bankers and lawyers are beauties! (Tongue in cheek)

I’m kidding of course and having a little fun..........the government and corporations told us weed killer, baby powder and cigarettes were all “safe”, but I’ve chosen not to use them. If your concern is that real, then I would sincerely look to de-risk how you conduct your banking. You don’t have to trade online, you don’t have to use an ATM. There are options.

Do I think email money transfers are safe? Not sure........for years we were told that email is unsecure. Customers would freak out when we wouldn't accept email instructions. Would I send a $100 email transfer today....probably.....would I do it more than a few times a year.....no. Too many "external" players.....Interac, the email companies.....it's inherently different. If I send $100 from a TD account via my Yahoo email to your Gmail account and you bank at RBC......we've now got 5 entities involved. Not the same as writing a good old cheque that gets processed through a clearing centre owned by the banks. I digress.
 

Registered · 10,520 Posts
Mind me asking which institution made the change to 4 digit PINs? Have you checked with them lately on their current parameters?
TD and I've since upgraded back to what I originally had.

The point is that the same card worked fine for years with a longer PIN so why did I need to dumb it down when it was reset in a branch?


... Years ago, we advised people to stick to 4 digits if they planned on travelling out of CANADA, as we couldn’t guarantee a longer PIN would work in international machines.
It was for use in Canada, where the hardware in the branch rejected anything over a four digit PIN. FWIW, there was no mention of travel; it was years later before there was any travel.


... As for the police involvement.....perfectly normal above a certain threshold. A crime has been committed and the police work closely with corporate security departments.
Trouble was the bank's review had already determined it wasn't a crime where the conclusion was the spouse taking money from the joint account without admitting it. No fraud meant no compensation and no need for the police.

The police involvement was from their initiative, not the bank. They'd arrested some of the skimming ring where the police had found the couple's card/PIN info on the ring's equipment. The police notification of the bank was the only thing that moved the bank away from "what fraud?".


Cheers
 

Registered · 4,652 Posts
^^ Post #108 - what is its purpose? Divert, deflect, or justify the issues otherwise what a bunch of ramblings ... :rolleyes2:
 

Registered · 10,188 Posts
I had no problem with the reply. I really do hope the banks usually make people whole.
Obviously it is going to depend on how careless customers are with their passwords and PIN information, and how diligent people are on regular monitoring of their online accounts (except on public wifi). Customers have to take some responsibility on protecting their accounts and logon credentials.
 

Registered · 4,579 Posts
I would rather the minor inconvenience of 2FA (already do for major online accounts) than the stress of recovering an account and just hoping the institution decides I was subjectively 'diligent'

Equifax.. 150 million user data stored in plain text compromised by the Chinese military. Europe didn't have incompetent private companies profiting off everyone's credit data so why do we?

At least make 2FA an option for those who do want to be 'diligent' and let the boomers stick with the basic security questions and plain text archaic system if they must.

NA is in the dark ages of banking and financial security especially if one compares to Europe or even leading crypto brokerages today. The threat is evolving and the banks are staffed by dodos
 

Registered · 4,652 Posts
I found it interesting and topical, actually. Some people aren't capable of reading more than a sentence.
... and these same people prefer not to be sucked into reading paragraphs after paragraphs of BS narratives. And I like people who're capable of posting a sentence or two only.
 

Registered · 10,520 Posts
... I’m no IT expert....yes the banks built the system.....probably decades ago when computing began. As things became more complex, the banks and all companies “bolted” on solutions, creating a patchwork that I suspect would be difficult to undo. I suspect, with no actual knowledge, that small and newer companies have an advantage here ... It would be cost prohibitive to knock the old bigger house completely down to compete with the newer home ...
Sure ... and as an IT guy, I've seen the small/newer company's new house rot away, because like the company with the big, creaky house - the "all or the least that can prevent the biggest issues" approach adds to the issues.

From what I've seen, the "it's too expensive to do in one shot" is a red herring as lots of other areas faced the same issue where making smaller steps with a plan to eventually get there was used. It reminded me of the insurance company I worked at leading into Y2K. The "all or nothing" mentality meant the fixes were done with mixed results, with a much higher toll (ex. OT, staff burnout, more consultants). For some other insurance companies, they did the build a new home approach as management was sold on "spend $X to fix the Y2K issues or spend $X plus a bit to do that plus offer new features". Had it been a priority, there was lots of lead time to build a plan of smaller chunks to get there.


... The statement that the banks “are trying to throw blame back on the customer” is media driven ... As a branch manager, I had no incentive, no compensation and no budget for electronic frauds. I’d much rather get your claim paid off quickly, so you’d get out of my hair. Lol.
Sure, that may have been your experience. Others, not so much.


... If you are that concerned, vote with your wallet. Take your business elsewhere and change your banking habits. Disconnect all electronic banking.
The last time a bank offered to keep me off mainstream electronic banking was in the '90s.

With your past work history and potential contacts, can you tell me which banks will let me disconnect?
It seems doubtful the bank would let me connect considering the branches in my area no longer have tellers. Nice couches with staff that are advertised to help with all the electronic options available.

Basically anything but putting cash under a mattress is likely a pipe dream from what I can tell.


... You know that’s the only way to get a corps attention. Legislation will take forever.
I suspect getting the attention of the gov't is easier.


... If your concern is that real, then I would sincerely look to de-risk how you conduct your banking. You don’t have to trade online, you don’t have to use an ATM. There are options.
The bank branch explicitly says I *have* to use an ATM. I'm not sure how far I'd have to drive to find one that hasn't been converted yet.

The other bank with tellers still requires an electronic card, when talking to a teller ... which I suspect will move to the "ATM only" model in the future.


As for trading through other than online options, the electronic access is still there - whether I choose to wait on the phone to make a trade or not.


... Do I think email money transfers are safe?
It seems to largely depend on:
1) whether the receiver automatically deposits the money so that the email address is an identifier for back end transfers instead of a conduit.
or
2) whether the receiver's email account has been kept secure and the security question is reasonably secure.


... Not the same as writing a good old cheque that gets processed through a clearing centre owned by the banks.
Not that cheques were/are secure either ... having had the date ignored on the cheque and being told I could spend the funds when there was nowhere near enough time for the cheque to be verified/cleared.


Cheers
 

Registered · 4,652 Posts
I had no problem with the reply. I really do hope the banks usually make people whole.
... impossible when the "hack" is an inside job which doesn't even require signing onto or into your account.
 

Registered · 53 Posts
The danger IS real. My iTrade account was hacked this week. Their fraud department phoned me to check on some attempted outgoing wire transfers, but that was only after 2 previous fraudulent incoming transfers from linked external accounts (putting those accounts into a negative balance). They said someone had successfully logged in to my account, so I can only assume my computer was infected, though a virus scanner didn't find anything. I.e., a strong 12 character password of gobbledygook is no guarantee of safety. Access card and passwords have all been changed, but it's still scary.

I asked when iTrade will have a 2FA on login, similar to TD, which allows you to register 2 phone numbers, AND offers the option of receiving the verification code either by SMS OR by voice. The answer was "they're working on it".
 