
Danger of brokerage account being hacked

17K views 156 replies 22 participants last post by  james4beach 
#1 ·
https://finance.yahoo.com/news/cybercrooks-targeting-retirement-accounts-theres-090008063.html

This is a US article that talks about dangers to investment accounts due to hacking crimes. If a criminal steals your identity (for example compromises the password or uses other stolen personal data to gain access to an account) they can draw money out of it. In the US, apparently it's very difficult to recover.

One thing I would add is that a "strong password" does not totally solve this problem. There are other methods an attacker can use to get into accounts by pretending to be you. So I wouldn't get overconfident just based on password strength.

I presume the only thing a person can really do is keep a close eye on brokerage accounts, log in and check every week or so that there aren't any strange transactions... what are your thoughts? I also spread my assets into two separate big bank brokerages, to "diversify" a bit.
 
#2 ·
I typically log on every day or two just to see what is 'happening'. What I have not done is see if brokerage accounts have some Alerts one can set up for an MMS text or email if there is a withdrawal (transfer out) of anything exceeding X or a change in an Alert or similar. Banks and credit card accounts have all kinds of alerts one can set up to be informed of activity.
 
#4 ·
I typically log on every day or two just to see what is 'happening'. What I have not done is see if brokerage accounts have some Alerts one can set up for an MMS text or email if there is a withdrawal (transfer out) of anything exceeding X or a change in an Alert or similar. Banks and credit card accounts have all kinds of alerts one can set up to be informed of activity.
... I'm no cybersecurity expert. Just taking a guess here ... couldn't Trojans be infused into these alerts? Working similarly along the lines of "I forgot my password" and then use your cell to reset and slip in?
 
#3 ·
^ I think what is scarier here in Canada is your investment accounts are linked to your bank accounts.

Since online banking is supposedly 100% guaranteed to be safe, then I would expect the same with the automatic linkage to our brokerage accounts. Moreover, many Canadian brokerages have a second security level where you are required to answer PVQs (personal verification questions).

As for the problem in the US, I think it is an inside job. Ie. the cybercrooks are working inside the banks to get such easy access given the lame response:

Asked about Bennett’s case, American Fund issued a statement: “Our mission is to help people save for a secure retirement. When one of our customers is the victim of identity theft, we hold ourselves accountable to immediately conduct a thorough examination of what happened and take appropriate action. We use instances like this to strengthen our practices and conduct additional staff training if needed. We have communicated to the customer that her savings, including any accrued dividends or appreciation, will be reinstated. We will work with law enforcement to aid in their investigation.”
 
#12 ·
Interactive Brokers provided a card with codes as a simple secondary form of authentication. Only recently have Canadian brokers started to implement SMS "2 step authentication", which is already known to be a poor version of 2FA.

If you think about it, your email account is the gateway to all accounts, as you can reset most logins with your email account. I have 2FA set up on most accounts, but I can't believe people who don't at least have true 2FA on their email.
 
#18 ·
Questrade emails by default when a new device logs in, and I get notifications from the Questrade app and Windows. They show last login data at the top right next to logout, along with browser, OS and location. What Questrade lacks is true 2FA rather than SMS 2 step.

I've read accounts of email and SMS getting hijacked to steal crypto. These are the gateways to all your accounts. The owners were notified of password changes, but the damage is already done. Email and SMS can be hijacked to access any account.

On the plus side, these people are going to target large crypto accounts before brokerage accounts, because it's easier to transfer crypto out than to set up some elaborate trading scheme. It's advised to store crypto offline; I'm not sure if anyone stores their stocks offline.
 
#22 ·
You've figured out much more about Scotia's system than I have! I didn't realize Scotia had alerts available on chequing as well.

Time for me to go discover those and add some alerts. Any tips or guidance on what worked well for you? My priority here is watching for theft and fraud.

I can imagine that the chequing account could be used as a conduit for stealing money out of the brokerage.
 
#23 ·
There is a long list of them at "Scotia InfoAlerts". Tailor them for your lifestyle. I have all the Safeguard ones engaged...but few of the Transaction ones. No Balance ones are engaged. It is a question of how much text or email notifications you are prepared to put up with.
 
#24 ·
I don't think this is working properly. I set an alert for account balance on chequing falling below a threshold. Today (afternoon) I transferred some money out to test it and the balance is now below the threshold. There was no alert sent by email. Not in spam either. Maybe it will come at some point in the future, after a day?

However I do see it send email alerts when I change the settings, so emails are getting through. I just really expected an alert when the balance dropped.

If it arrives on a daily basis that would still be OK, I'll wait and report back.
 
#25 ·
I suspect certain actions may not be immediate, not like alerts on credit card, debit/ATM, or e-transfer transactions, all of which I get within minutes typically. It may take hours or overnight for a below minimum account balance to show because there could be deposits that erase that minimum that same business day (may work on end-of-day balances only). Worthy of a Secure Message to find out why though.
 
#26 ·
I did not end up getting any alert on this balance crossing below the threshold. At first glance it looks like a failure of their system to notify me as expected.

Today I phoned Scotia and the agent said that when the settings are changed online (including threshold amounts) they may not take effect until midnight. So maybe the timing was off.

I am doing a new test and recording exact details and a time log. Today I set a new threshold to alert me of the balance dropping below a level. Currently my balance is above. I am going to give their system time over the weekend to absorb these new instructions. Next week, I will reduce the balance below the new threshold. This should hopefully send me an email alert.
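The two explanations floated in the posts above (the rule only looks at end-of-day balances; a changed threshold only takes effect at midnight) can both make an intraday test transfer produce no alert. The block below is an added example, not code from the forum or from Scotia, and the internals of Scotia InfoAlerts are not public, so both evaluators are assumptions about how such a rule could be built. The transactions, amounts, dates and threshold are constructed sample data.

```python
"""Added example: evaluating a "balance fell below threshold" alert two ways.

`realtime_alerts` checks the running balance after every transaction;
`end_of_day_alerts` only checks closing balances. `effective_from` models a
rule (or a changed threshold) that only becomes active at a given time, such
as the next midnight. All data below is constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    ts: str        # "YYYY-MM-DD HH:MM"; ISO-style so string order == time order
    amount: float  # positive = deposit, negative = withdrawal / transfer out
    memo: str


# Constructed sample ledger: a test transfer out at 13:05 on day 1 dips the
# balance below the threshold, but a deposit the same afternoon refills it.
OPENING = 1500.0
THRESHOLD = 1000.0
SAMPLE = [
    Txn("2024-03-01 13:05", -800.0, "test transfer out (constructed)"),
    Txn("2024-03-01 16:40", +600.0, "payroll deposit (constructed)"),
    Txn("2024-03-02 10:00", -500.0, "bill payment (constructed)"),
    Txn("2024-03-04 09:30", +900.0, "deposit (constructed)"),
]


def realtime_alerts(opening: float, threshold: float, txns: List[Txn],
                    effective_from: str = "") -> List[str]:
    """Fire once each time the running balance crosses from >= threshold to
    < threshold, ignoring transactions before the rule became active."""
    alerts: List[str] = []
    balance = opening
    for t in sorted(txns, key=lambda x: x.ts):
        before, balance = balance, balance + t.amount
        if t.ts >= effective_from and before >= threshold > balance:
            alerts.append(t.ts)
    return alerts


def end_of_day_alerts(opening: float, threshold: float, txns: List[Txn],
                      effective_from: str = "") -> List[str]:
    """Fire on a day whose closing balance is below threshold when the previous
    close was not. An intraday dip refilled the same day never shows up."""
    closes: "OrderedDict[str, float]" = OrderedDict()
    balance = opening
    for t in sorted(txns, key=lambda x: x.ts):
        balance += t.amount
        closes[t.ts[:10]] = balance          # last write per day wins = close
    alerts: List[str] = []
    prev = opening
    for day, close in closes.items():
        if day >= effective_from[:10] and prev >= threshold > close:
            alerts.append(day)
        prev = close
    return alerts


def compare(effective_from: str = "") -> Dict[str, List[str]]:
    """Run both evaluators over the constructed ledger for side-by-side review."""
    return {
        "realtime": realtime_alerts(OPENING, THRESHOLD, SAMPLE, effective_from),
        "end_of_day": end_of_day_alerts(OPENING, THRESHOLD, SAMPLE, effective_from),
    }


if __name__ == "__main__":
    print("rule active immediately:", compare())
    print("rule active from midnight:", compare("2024-03-02 00:00"))
```

With the rule active immediately, the real-time evaluator fires twice (the 13:05 dip on day 1 and the bill payment on day 2) while the end-of-day evaluator fires only for day 2, because day 1 closes above the threshold. If the threshold only becomes active at midnight, even the real-time evaluator ignores the day-1 test transfer. When testing a bank's alert, it helps to let the balance close below the threshold and wait a full business day before concluding the alert is broken.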
 
#30 ·
Do you mean SMS codes? (2 step vs 2FA) SMS is not considered a true form of authentication. If you have ever ported a number to another provider, you know how easy it is to hijack an SMS account.

Given access to your email and SMS, one could also easily update your banking information. Even if they require some scribbles... a signature is only useful long after the fact (who compares signatures during a transaction, etc.).

However, given that financial transfers are traceable, they wouldn't transfer to a bank. I've heard of sketchy trade manipulation to get the funds out. Using something with low volume, I suppose.
 
#28 ·
I did a careful experiment, logging the starting balance, the time I set the Scotia alert, and when the balance crossed below the threshold.

24 hours after that happening, I have not received an alert. I got in touch with Scotia and the rep thinks this is a malfunction -- he says I should have received an alert by now. The rep is going to follow up with me after another 24 hours to see if an alert comes through with delay.

I'm curious to see what happens with the Scotia alerts but what I'm seeing so far is not very encouraging.
 
#34 · (Edited)
Does anyone know what the best avenue would be for providing written (paper documentation) notifications to Scotia and TD Direct Investing, keeping in mind I may reference this in case of a future legal dispute?

Ombudsman? Compliance department? I would be mailing paper documentation.

I am, of course, using their online tools and phone to report the problems but I want to send them solid written documentation that can be used in case of a legal dispute. Their phone reps don't really care about my bug reports at all and the Scotia 'secure message' system sends me back generic responses with no indication they will fix the problems.

After I mail my documents I will share with people here the details in case you are also customers of Scotia and TD Direct Investing. I don't know if the bugs I'm experiencing affect everyone else and can't speak for others, but I will be reporting the malfunctions that I am seeing.
 
#41 ·
Thanks kcowan and Money172375. One reason I will be sending paper mail is that I am going to attach evidence and history. It's too much for email. And I also want tracking/evidence of delivery.

I am not trying to pick a fight with them. I'm just setting up a paper trail in the unlikely event that I ever suffer theft and need to fight the bank, if they claim that they did everything they could. I know for certain that they did NOT do everything they could.

I promise to share full details here as well but I'm still collecting evidence. Superficially these are not big bugs or glitches, but they are all part of the security story. In other words I don't lose any sleep over my BNS and TD accounts, but I'd rather they fix these shortcomings. I would still happily recommend either bank to others.
 
#42 ·
Thanks kcowan and Money172375
I promise to share full details here as well but I'm still collecting evidence. Superficially these are not big bugs or glitches, but they are all part of the security story. In other words I don't lose any sleep over my BNS and TD accounts, but I'd rather they fix these shortcomings. I would still happily recommend either bank to others.
Just remember that you must have a provable case of loss to get them to act immediately. Otherwise you will get pablum responses like they will make their best efforts to satisfy you. (Best efforts = no effort, please go away)

The final step will be the FI ombudsman and politicians. I would warm that path by copying a "responsible" politician at the outset. The government is concerned about people being scammed.

You might even point out the flaw in Interac payments that is easily fixed if the banks would push it.
 
#48 ·
"Porting fraud is something the entire wireless industry in Canada has seen an increase in in recent months and it's something that we're all dealing with"
CBC source

SMS "2 step" is not true 2FA. SMS was a known weakness to hack crypto accounts and now we have an example of Canadian banks as well.

At least get 2FA on your email, and we should all be asking Cdn banks for real 2FA, not SMS bs.
 
#49 ·
I'm not familiar with this type of fraud. The link m3s posted was
Farming family warning others after bank accounts emptied in port-out scam

I can't make sense of what happened here. Porting out a number means taking over someone's phone account, so the criminal now has complete control of the phone number. How is that enough to empty out a bank account?

Controlling a phone number should not be enough on its own to compromise a bank account. What happened in this case?
 
#50 ·
james, the Cdn banks are now trusting SMS for "2 step" verification, the 1st step being the password that can be reset by email. Mobile numbers in Canada can be ported out to another SIM card online with a few clicks and some very basic info. This was a known vulnerability in the crypto world long ago, so I was always surprised when the Cdn banks recently adopted such a poor security measure.

Email can often be unlocked by answering 3 "security questions" of very basic info if you don't use 2FA like an authenticator. In high school, when emails were new and novel, we used to hack each other by answering the security questions (usually public knowledge or easy enough to figure out). Security questions have always been a known vulnerability and even today are used to unlock celebrity cloud accounts, etc.
 
#52 · (Edited)
Passwords are inherently weak because they can be hacked remotely (from anywhere online), whether by keylogger software or backdoor security questions.

2 step or 2FA adds the second layer, but 2 step is far, far easier to hack than 2FA. 2 step is called 2 step because it is not a true form of authentication but rather just a second step.

2FA should ideally be a physical token like the euro banks use (and government/military). The apps like authenticator provide a 30-second authentication... that is, the hacker has to be very fast.

SMS 2 step is just a minor inconvenience. 2FA should require either physical theft of a token (a real-life card, not digital) or a timed digital code that requires access to a known device.
 