
121 - 140 of 156 Posts

·
Registered
Joined
·
870 Posts
The danger IS real. My iTrade account was hacked this week. Their fraud department phoned me to check on some attempted outgoing wire transfers, but that was only after 2 previous fraudulent incoming transfers from linked external accounts (putting those accounts into a negative balance). They said someone had successfully logged in to my account, so I can only assume my computer was infected, though a virus scanner didn't find anything. i.e. a strong 12 character password of gobbledygook is no guarantee of safety. Access card and passwords have all been changed, but it's still scary.

I asked when iTrade will have a 2FA on login, similar to TD, which allows you to register 2 phone numbers, AND offers the option of receiving the verification code either by SMS OR by voice. The answer was "they're working on it".
Were the linked external accounts from major cdn institutions? I wonder why the crooks didn’t just transfer the funds to their accounts instead of transferring funds to your account. What allowed the external accounts to go into a negative balance? Was there an authorized overdraft limit?
 

·
Registered
Joined
·
53 Posts
Were the linked external accounts from major cdn institutions? I wonder why the crooks didn’t just transfer the funds to their accounts instead of transferring funds to your account. What allowed the external accounts to go into a negative balance? Was there an authorized overdraft limit?
Yes - TD & RBC. It seems the only breach was into the iTrade account, which is linked to the external accounts. Those links allow transfer of funds to or from only. There's no evidence they were able to log directly in to the external accounts. There is no authorized overdraft limit. The requested transfer is treated as a written cheque, though it didn't immediately bounce, thus the negative balance. Their systems corrected/reversed this within 24-48 hours, along with the "NSF charges"!
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #125 (Edited)
The danger IS real. My iTrade account was hacked this week.
Sorry to hear about this seh. Have you filed a police report? It's good to have as much paper trail as possible; this is a criminal act.

Thanks for sharing this. I'd like to check that I understood what happened in your case. Please correct me if I'm wrong:

It sounds like someone logged into your iTrade account, somehow (by this I assume you mean 'Scotia Online' which is their login portal for both banking & iTrade). Once they were in, they used an electronic fund transfer (EFT) to pull money from your externally linked TD & RBC accounts. I think they used this feature, copied & pasted below from what I see in my own Scotia account

The EFT service is designed to let you transfer funds between your Scotia iTRADE accounts and accounts that you hold with any Canadian banking institution.
. . .
You can request a cash transfer between your Scotia iTRADE accounts and personal bank accounts at any time.


Taking advantage of these externally linked accounts, they were able to only log into Scotia, then pull money from those external banks. After bringing the cash into iTrade, they attempted to send money out using wire transfers. They probably did the two things back to back, rather quickly.

Does that sound about right?
 

·
Registered
Joined
·
10,188 Posts
I would like to understand that sequence of events too. Is it as James suggests?

Was there any attempt to try and sell securities to raise cash? Most of us use a different trading password to try and thwart a hack as well. Nor do I have any appreciable cash sitting idle in iTrade accounts either, although a hack could get at some Scotiabank chequing account cash.
 

·
Registered
Joined
·
4,579 Posts
I asked when iTrade will have a 2FA on login, similar to TD, which allows you to register 2 phone numbers, AND offers the option of receiving the verification code either by SMS OR by voice. The answer was "they're working on it".
SMS is just a speedbump

2FA would require a physical card of codes like IB uses, or a time based code from an authenticator app like most serious online accounts offer today

Luckily they couldn't withdraw your funds but they could have traded with themselves on some obscure low volume stock or option
 

·
Registered
Joined
·
2,984 Posts
The EFT service is designed to let you transfer funds between your Scotia iTRADE accounts and accounts that you hold with any Canadian banking institution.
. . .
You can request a cash transfer between your Scotia iTRADE accounts and personal bank accounts at any time.

When I decided to stop using my Tangerine account and stick exclusively with TDDI, I tried online to delete my account at Tangerine for the very reason stated above. I was concerned that someone might break into the Tangerine account and transfer from my TDDI account.

It was impossible to delete the account online. I was surprised. So I had to phone them and convince them to delete the account.

The people that play the HISA transfer game and have a boatload of accounts all linked to their brokerage are probably more at risk than someone that uses a single brokerage that employs 2FA security. I also use a separate password for trading at TDDI along with the 2FA security. I don't use any mobile apps since I could lose my phone fairly easily.

ltr
 

·
Registered
Joined
·
4,579 Posts
The people that play the HISA transfer game and have a boatload of accounts all linked to their brokerage are probably more at risk than someone that uses a single brokerage that employs 2FA security. I also use a separate password for trading at TDDI along with the 2FA security. I don't use any mobile apps since I could lose my phone fairly easily.
SMS is not considered 2FA. If you watch whenever SMS is employed they call it "2 step" which is considered watered down 2FA. SMS accounts can be ported online and SMS can be monitored very easily

The purpose of 2FA is to have a second physical key. Ideally this would be a physical smart card token or USB key but the mobile app is far better than SMS. SMS was never intended for security codes. The mobile apps/USB keys use offline time based codes not codes transmitted in the clear like SMS

The weakness is always the recovery method. Pay attention to what happens when you reset/recover an account. 2FA generally uses recovery codes - this is the weak link imo as people will fail to properly store them.
 

·
Registered
Joined
·
53 Posts
The sequence of events appears to be as James suggested.

iTrade fraud department said that in addition to their investigation, they will involve the police. It remains to be seen how much of what they find they are willing to share with me (they've already told me the attempted wires were to 2 different banks in the U.S.). They claim their fraud detection is what caught the attempted outgoing wire transfers. Those wires may/should have failed anyway, as the funds from the incoming externally linked accounts were "on hold", and there was not enough other cash in the account to cover it (which presumably is the reason the thief initiated the incoming transfers in the first place). I don't know if there was any attempt to sell securities to raise cash - hopefully the different trading password would have thwarted that.

As an aside, I've seen that some of the Scotia iTrade alerts have stopped working. e.g. I was set up to receive an email the moment an out of country authorization occurred on my Scotia Visa card, and it always worked perfectly until recently. No response yet to my inquiry on this.
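
The pattern confirmed above (pulls from linked accounts that are still on hold, followed quickly by outgoing wires that only those held funds could cover) expressed as a detection rule, as an added example that is not part of the original post and not any bank's actual fraud logic. The ledger, field names, amounts and 48-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ledger for one brokerage account (not real data).
LEDGER = [
    {"ts": "2020-01-06T10:00", "kind": "WIRE_OUT", "amount": 300},
    {"ts": "2020-01-07T09:00", "kind": "EFT_IN", "amount": 9000, "on_hold": True},
    {"ts": "2020-01-07T09:05", "kind": "EFT_IN", "amount": 7000, "on_hold": True},
    {"ts": "2020-01-07T09:20", "kind": "WIRE_OUT", "amount": 8000},
    {"ts": "2020-01-07T09:25", "kind": "WIRE_OUT", "amount": 7500},
]


def flag_wires(ledger, opening_cash, window=timedelta(hours=48)):
    """Return outgoing wires that only held, recently pulled funds could cover."""
    cleared = opening_cash   # cash that is actually available to send
    held_pulls = []          # (time, amount) of incoming EFT pulls still on hold
    alerts = []
    for tx in sorted(ledger, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(tx["ts"])
        if tx["kind"] == "EFT_IN":
            if tx.get("on_hold"):
                held_pulls.append((ts, tx["amount"]))
            else:
                cleared += tx["amount"]
        elif tx["kind"] == "WIRE_OUT":
            # Held funds pulled in shortly before this wire was requested.
            held = sum(a for t, a in held_pulls if ts - t <= window)
            if held > 0 and tx["amount"] > cleared:
                alerts.append({"ts": tx["ts"], "amount": tx["amount"],
                               "cleared_cash": cleared, "held_funds": held})
            else:
                cleared -= tx["amount"]   # ordinary wire, funded by cleared cash
    return alerts


if __name__ == "__main__":
    for alert in flag_wires(LEDGER, opening_cash=400):
        print(alert)
```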
 

·
Registered
Joined
·
15,839 Posts
When I decided to stop using my Tangerine account and stick exclusively with TDDI, I tried online to delete my account at Tangerine for the very reason stated above. I was concerned that someone might break into the Tangerine account and transfer from my TDDI account.

It was impossible to delete the account online. I was surprised. So I had to phone them and convince them to delete the account.


the 1st thing a client who is planning to ex tangerine should do is delete the bank account links from his tangerine profile. This is easy to do.

tangerine is unusual in that it is possible to close one's account(s) but the profile remains online for at least a couple of years. Former clients can log in & - i presume - view former accounts, although these will have been/should have been closed.

other financial institutions remove a former client's profile from the internet with lightning speed - sometimes to a client's chagrin because he loses important information for which he has no other record - but tangerine for some reason leaves client profiles in the internet for a period of time.
 

·
Registered
Joined
·
10,188 Posts
Your Scotia Visa card and its alerts have nothing to do with iTrade. It is associated with Scotia banking. It is troublesome if some of the alerts have stopped working.
 

·
Registered
Joined
·
53 Posts
Your Scotia Visa card and its alerts have nothing to do with iTrade. It is associated with Scotia banking.
I thought this as well, so was wondering why, when I login to Scotia iTrade, the Scotia Visa card also shows up on the list of accounts, with full access to all statements, etc.?
 

·
Registered
Joined
·
10,188 Posts
You are actually logging into Scotia online banking, even if you are doing it with a Scotia iTrade access card. I do it the same way.....with an iTrade access card.

When you log on, the login page has all your links. When you click on your iTrade link, it takes you to your iTrade page. When you click on your Scotia Visa link it takes you to your credit card page which is owned and managed by Scotia banking.

The Scotia iTrade access card and the Scotia banking card are interchangeable for access to Scotia companies. You and I have Scotia iTrade access cards because our first experience with Scotia was with iTrade, not Scotia banking.

Alerts you set up on your iTrade page are associated with iTrade. The alerts you set up with your Visa card are set up in Scotia banking system.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #135 (Edited)
As an aside, I've seen that some of the Scotia iTrade alerts have stopped working. e.g. I was set up to receive an email the moment an out of country authorization occurred on my Scotia Visa card, and it always worked perfectly until recently. No response yet to my inquiry on this.
Many of their alerts don't work for me either. There is in fact an iTrade alert specifically meant for transfers out of the account... and I never get those at all.

I also don't see other Scotia Alerts. I recently did some tests by trying different conditions. Some worked and some didn't; that applies both to regular Scotia banking alerts and iTrade alerts.

To clarify the alerts I'm talking about, after logging into Scotia, there's a link at the side: Scotia InfoAlerts

After clicking that, I see two categories and I've been seeing flaky (unreliable) behaviour with both of these:
  • Scotia InfoAlerts
  • Wealth & Brokerage Email Alerts
seh, under that second link (Wealth & Brokerage), do you currently have an alert for: A deposit or transfer has occurred in my Scotia iTRADE account

If that is checked, did you see an email alert when all these transfers happened? I know that in my account, transfers to/from my Scotia chequing account do not cause an alert. I think they should. And in your case, an external transfer definitely should trigger that alert.
 

·
Registered
Joined
·
53 Posts
Many of their alerts don't work for me either. There is in fact an iTrade alert specifically meant for transfers out of the account... and I never get those at all.

I also don't see other Scotia Alerts. I recently did some tests by trying different conditions. Some worked and some didn't; that applies both to regular Scotia banking alerts and iTrade alerts.

To clarify the alerts I'm talking about, after logging into Scotia, there's a link at the side: Scotia InfoAlerts

After clicking that, I see two categories and I've been seeing flaky (unreliable) behaviour with both of these:
  • Scotia InfoAlerts
  • Wealth & Brokerage Email Alerts
seh, under that second link (Wealth & Brokerage), do you currently have an alert for: A deposit or transfer has occurred in my Scotia iTRADE account

If that is checked, did you see an email alert when all these transfers happened? I know that in my account, transfers to/from my Scotia chequing account do not cause an alert. I think they should. And in your case, an external transfer definitely should trigger that alert.

Yes, it is checked off and no, I did not receive an alert, but I am still receiving "notifications" (e.g. new statements ready), so I agree - the behaviour, which used to be reliable, is now flaky. I just now tried to add a new Scotia InfoAlert, but it would not accept my click (could possibly be a browser issue).
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #137 (Edited)
Yes, it is checked off and no, I did not receive an alert, but I am still receiving "notifications" (e.g. new statements ready), so I agree - the behaviour, which used to be reliable, is now flaky.
Could you please inform Scotia about this fact? You were supposed to get alerts of transfers into/out of iTrade, but their system failed to work properly. Therefore, you were not alerted to fraudulent activity.

When I last asked my branch about this problem, they said that the Scotia back office is not aware of any issues with alerts, so it seems they are either clueless about their problem, or ignoring the bugs in their system. If you report it as well, it will help Scotia eventually recognize that they have a problem.

By the way, I don't mean to pick on Scotia. There's also been a security bug at TD Direct Investing for many months (ever since their user interface redesign) that I've told their agents about repeatedly. The phone agents can even replicate and see the bug themselves. And yet, TD doesn't fix it.

If anyone is curious about that TDDI one, it's pretty simple: their last login time stamp is broken. It should show the date & time that you last logged into your account, so you can check whether anyone else has gotten in. It doesn't work.
 

·
Registered
Joined
·
10,188 Posts
Got to keep hammering via Secure Messaging to the extent of getting aggressive about it.

I sometimes say in such messages that I am taking a screen shot before pushing Send so that I have written record should my concern not be addressed and/or I am damaged by lack of action.
 

·
Registered
Joined
·
17,032 Posts
Discussion Starter #140
Got to keep hammering via Secure Messaging to the extent of getting aggressive about it.

I sometimes say in such messages that I am taking a screen shot before pushing Send so that I have written record should my concern not be addressed and/or I am damaged by lack of action.
Thanks, that's good advice. I will keep hammering away at it. I'm about to start hammering at TDDI too.

Quick tip: I've set up my dad's computer to use a totally separate Windows user account that's dedicated to banking. The idea here is to insulate the browsing environment (a bit) from the rest of the computer. This way, this account and its web browser are only ever used to log into banks & brokerages -- nothing else.
 