Author Topic: CBC News: RBC customer out of pocket after fraud  (Read 792 times)

Offline Jason Wallwork

CBC News: RBC customer out of pocket after fraud
« on: May 13, 2019, 06:41:21 pm »
I don't necessarily blame RBC for this fraud, and I think you might agree when you read the article. As you'll read, it's less about e-Transfer and more about properly securing your email accounts, but the article does talk about two-factor authentication and how banks don't seem to use it here, so I thought it was relevant. Having 2FA authentication for the recipient's email account or on the transfer would have stopped this fraud in its tracks.

Quote
Financial institutions resist solutions

The cybersecurity expert says financial institutions and Interac need to require something called "two-factor authentication" to better protect people's accounts.

"Every time you log into an account you need to use a second factor," explains Popa. "A code that arrives as a text message or as a separate email to a different email address that is only valid for a few seconds or a few minutes after it's received."

He says the financial industry knows more security is needed, but is more concerned about getting customers to use the e-transfer system.

Some financial institutions offer two-factor authentication as an option, not a requirement.

Go Public asked RBC and Interac why they don't require two-factor authentication. Both declined to address the question.
Primary: Desktop w/ Win 10 Pro / Kubuntu 19.04  on i5@3.2 GHz w/ 12 GB RAM, 480 GB SSD main + 2x2 TB RAID 10 array for add. storage

Secondary/Test: Toshiba Satellite Ultrabook Z830-00K w/ Win10/Kali Linux  (i3@1.4 GHz, 4GB RAM, 128GB SDD)

Phone: Sony Xperia XA1 Ultra w/ Android Oreo 8.0

Offline ssfc72

Re: CBC News: RBC customer out of pocket after fraud
« Reply #1 on: May 13, 2019, 11:03:50 pm »
Thanks very much for posting this info, Jason! It is an eye opener for me.

RBC is in the wrong and needs to make good the fraud cost.
The article mentions that the etransfer system allows 4 attempts at guessing the password, but the article does not state that the etransfer terms mention this guessing of password is allowed up to 4 times.

I also can't believe the cops feel it is basically useless to go after the fraudster, when they know who he is and what bank (the TD Bank) he used to complete the fraud.
« Last Edit: May 13, 2019, 11:05:32 pm by ssfc72 »
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason Wallwork

Re: CBC News: RBC customer out of pocket after fraud
« Reply #2 on: May 14, 2019, 12:19:13 am »
That's a good point about giving the recipient four tries at the password.
But I think the big problem here is that somebody took over their email account, probably because the recipient used the same password with LinkedIn or verification.io that they use with their email address. Even if the bank had given them only one try at the security question, the "hacker" could have simply emailed the sender to ask her to remind her again of the answer.

It is weird that the police say they likely won't be able to do anything when the fraudster used a TD account to get the money, but this could be a lack of understanding of how e-Transfer works.

Honestly, I think mistakes were made on the bank side to not have 2FA or allow 4 guesses at answering a security question. But I also think the recipient should have taken greater care over protecting her email account. If she was using an email service with 2FA, she could have also stopped the hacker. The bank's offer to reimburse half seems fair under the circumstances. It's kind of like using a password service to share a password directly to somebody else's email and then blaming them when the recipient's email is hacked.

I know we like to blame the banks for everything but they're not the only one that dropped the ball on this.

Honestly, I'd never use e-Transfer for large amounts of money like that. It's pretty obvious to me after having used it a few times, there is no identity verification on the other end. You click on a link, choose the bank and the funds go there. There's no identity verification. But one other thing you can do is set up e-transfer so it automatically deposits funds you get. I do that. So even if somebody got my email, they couldn't get my money, though my email is also protected with 2FA using YubiKey.
« Last Edit: May 14, 2019, 12:25:54 am by Jason Wallwork »