141 - 157 of 157 Posts

·
Registered
Joined
·
4,762 Posts
^ Sounds like these banking/brokerage "problems" are isolated to "smart"phones and public computer terminals.

Quote Originally Posted by AltaRed
Got to keep hammering via Secure Messaging to the extent of getting aggressive about it.

I sometimes say in such messages that I am taking a screen shot before pushing Send so that I have written record should my concern not be addressed and/or I am damaged by lack of action.
... they're "working on it" :rolleyes2: ... maybe they're hoping the problems (and I don't mean the security ones) go away. :rolleyes2: :rolleyes2:



Btw, is that iScotia iTrade access card in addition to the (Scotia) bank cards used for debit, the banking stuffs?
 

·
Registered
Joined
·
17,637 Posts
Discussion Starter #143
And I share m3s's concern that the problems go deeper. These banks provide methods to "reset" the password... that process alone could be a path to compromising accounts.

The accounts can probably be hacked into even if you never get a virus on your computer. Combination of security questions, email, telephone.
 

·
Registered
Joined
·
10,366 Posts
Btw, is that iScotia iTrade access card in addition to the (Scotia) bank cards used for debit, the banking stuffs?
Either card works for all of banking and brokerage. I use my iTrade access card for banking including ATM. I have the iTrade card only because I had an iTrade account (successor to E*Trade) long before I ever had Scotia banking accounts. For whatever reason, Scotia issued iTrade cards to non-Scotia clients when they re-branded E*Trade.

Short answer. Interchangeable.
 

·
Registered
Joined
·
17,637 Posts
Discussion Starter #145
There are several ways to log in. I've never had the card that AltaRed mentions, but one can also use their Scotia VISA card number, debit card number, or a username they create.
 

·
Registered
Joined
·
10,366 Posts
There are several ways to log in. I've never had the card that AltaRed mentions, but one can also use their Scotia VISA card number, debit card number, or a username they create.
And that debit card can be a Scotiabank card or an iTrade card.

The few times I have ever gone to a Scotiabank teller, they are amused at my card. About 3 years ago, one of them asked me if they could see it, having never seen one before.
 

·
Registered
Joined
·
57 Posts
SMS is just a speedbump

2FA would require a physical card of codes like IB uses, or a time based code from an authenticator app like most serious online accounts offer today

Luckily they couldn't withdraw your funds but they could have traded with themselves on some obscure low volume stock or option
Agree that SMS is just a speed bump in the case of a lost mobile phone, but while I agree it's nowhere near as good as the time-based authenticator app, wouldn't the SMS authentication have been a pretty significant speed bump in the event of the breach being due to a hacked computer?
 

·
Registered
Joined
·
4,647 Posts
It's better than nothing, but it's not a physical key because you can port the SMS remotely from anywhere with some basic info

You can hijack a mobile account from anywhere, whereas a time-based code requires physical access to the device/app within 30 seconds

Time-based codes have still been hacked, but not nearly as commonly as SMS
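
The time-based codes discussed in the post above, as an added example that is not part of the original thread: a minimal RFC 6238 (TOTP) generator and a server-side check with a 30-second step. The function names, the one-step drift allowance and the replay rule are assumptions of this sketch, and the secret is the published RFC 6238 test key, not a real one.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (the common authenticator-app default)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """Derive the code for the 30-second window containing `now` (RFC 6238, SHA-1)."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: float,
           drift_steps: int = 1, last_used_counter: int = -1):
    """Return the matched time-step counter, or None if the code is rejected.

    Codes are accepted only within +/- drift_steps windows of the server clock,
    and a counter at or below last_used_counter is refused so that a code
    observed once cannot be replayed.
    """
    current = int(now) // STEP
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(totp(secret, counter * STEP), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample: RFC 6238 test key
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("accepted at t=59:", verify(secret, code, 59))
    print("accepted one step later:", verify(secret, code, 89))
    print("accepted three steps later:", verify(secret, code, 149))
    print("replayed after use:", verify(secret, code, 59, last_used_counter=1))
```

The secret never travels over the phone network, so taking over the mobile number does not yield the codes. A code typed into a look-alike site is still usable by whoever receives it until its window closes.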
 

·
Registered
Joined
·
17,637 Posts
Discussion Starter #149
I've contacted iTrade and asked if they can disable the wire transfer (out) capability of my account. I will never use this feature.
 

·
Registered
Joined
·
57 Posts
Anyone know which (if any) of the online brokers offer/require a true 2FA with physical key for logging in?
 

·
Registered
Joined
·
17,637 Posts
Discussion Starter #153
Many of their alerts don't work for me either. There is in fact an iTrade alert specifically meant for transfers out of the account... and I never get those at all.

I also don't see other Scotia Alerts. I recently did some tests by trying different conditions. Some worked and some didn't; that applies both to regular Scotia banking alerts and iTrade alerts.
Recently (within the last month) I've found that the Scotia alerts are working more properly. For example I set a notification when the balance on my chequing account drops below $X, and I recently did get an email when the balance dropped below that amount.

So maybe Scotia is fixing this
 

·
Registered
Joined
·
989 Posts
I once asked a safe cracker about how he got into a safe and he said .....

Whatever man makes, man can get into.
 

·
Registered
Joined
·
474 Posts
I have 2FA everywhere. I have activated all of the e-mail notifications and app notifications everywhere. I get at least 5 e-mails and 5 app notifications every single day about the status of my accounts. I use a password manager to generate and manage my passwords so I can change them every month if I wish with a password generator of the desired complexity. The password manager has auto-logoff after 1 minute of inactivity. All of my cards including my credit cards are on my cellphone, so basically my cellphone is my identity because I can do everything with it. My identity has already been stolen a few years ago, so now it's even harder to steal my identity because I'm now flagged for 7 years of high-level identification requirements.

The weakest point is not the technology, it's the person using the technology. Stealing data only requires convincing a human to click somewhere that he shouldn't; no matter how much security you have, the human is the weak link.

At my job we already paid a hacking firm to test our organisation. It took only a few days. You know, now Word and Excel documents always have that "Allow Editing" notification which is pretty similar to "Allow Macros". The hacking firm did a bit of research about our organisation, sent emails to some C-level executives about pretty convincing opportunities with lots of documents and at some point some C-level executive, working a bit too late at night, a bit too busy and in a rush, clicked somewhere that he shouldn't have when looking at all that convincing documentation that seemed legitimate. And then since that C-level executive had access to too many networks, the hacker managed to gain access to everything... everything!
 

·
Registered
Joined
·
94 Posts
If you're trying to isolate things, why not look into Windows 10's sandboxing features?

How to use Windows Sandbox in the Windows 10 May 2019 Update
Have to run an untrusted app? You can run it in Windows Sandbox. Here's how

For those more technical:
Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.
https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox/ba-p/301849

NOTE: You may need hardware virtualization features on your PC to do these things.



Thanks, that's good advice. I will keep hammering away at it. I'm about to start hammering at TDDI too.

Quick tip: I've set up my dad's computer to use a totally separate Windows user account that's dedicated to banking. The idea here is to insulate the browsing environment (a bit) from the rest of the computer. This way, this account and its web browser are only ever used to log into banks & brokerages -- nothing else.
 

·
Registered
Joined
·
17,637 Posts
Discussion Starter #157
I'm pleased to say that Scotia's alerts are still working as expected. I recently triggered an "account balance" alert (under threshold) and was pleased to see the alert being sent out.

I must give Scotia some credit here. I've reported a couple system glitches to them over the last few months, and both have been fixed.
 