Hackers | Page 2 | General financial discussion | Discussion forum

AltaRed said

If someone has been careless enough to get malware or a key logger on to their PC and the hacker can get in and use login credentials from that IP address (spoofed or otherwise), how is that the bank's problem?

People have to take responsibility for their own device's security.  

'Amen' to that ⬆

It's Amazing how many people still only have very basic security on their computers ... it's like; They're Asking For It❗

Selkirk (a.k.a. Dean)

Norman1 said
Kids and house guests are just two of ways. They are not the only ways to have a keylogging software installed.

The statement suggesting UK banks are liable for all such losses is, at best, inaccurate. BBC News (28 May 2019): Scam victims to be refunded by banks explains how the recent UK changes work.

There's a new compensation fund, that banks can voluntarily join, that compensates victimized customers. There is still an investigation and the fund can refuse claims:

A victim who has been "grossly negligent" will not be reimbursed.

  

The fact remains that the British have taken action, and our government has not, so far.
According to the cbc article, this action has been effective. For this, they quote a researcher at the Munk Centre. Such a researcher is likely more objective and better informed than anyone else named in the article. I have no information to contradict hm.

Yes, I am aware that, theoretically, other people may have had access to someone's computer, but the scenario being painted here about this fellow's imaginary kids is over the top.

Realistically, if I were a fraudster, surely I would want to go after the bank's weaknesses more than the individual's. I can get a lot more money that way. And household visitors are a lot easier ot identify.

Over the last few years, 3 of the financial institutions that i deal with have had reported breaches. Only one of them affected me personally, and not significantly. I was lucky. I haven't had any problems with my PC. Odds are, therefore, that future issues will also be with the banks, not me.

None of the banks cited have given a clear explanation of what happened or why they blame the victim. Yet several have reimbursed the victim. This suggests they realize they could be found liable.

Norman1 said

Londonguy said
Good point about the scenario where family "friends" have been provided with the household wifi password. I've been guilty of that bit of hospitality myself.

Time to change the password LOL

It is a good to change the wifi password periodically, especially after a "friend" of the family is no longer welcome. For example, the daughter's ex-boyfriend who turned out to be a small time con artist.

However, it is a hassle because every wireless device in the household needs to be updated.  

Consider upgrading to WiFi router that has "guest network" option. Some internet providers have that feature in their hardware they give to users. Rogers cable modem/router does have it, for example.

My biggest concern from that article is an intercept of Interac transaction, and banks unwilling to roll it back. After all, one would assume that Interac transaction is fully and easily trackable. Yet, it appears if someone redirected it to their account, banks are unwilling to act on that.

Loonie said

The fact remains that the British have taken action, and our government has not, so far.
According to the cbc article, this action has been effective. For this, they quote a researcher at the Munk Centre. Such a researcher is likely more objective and better informed than anyone else named in the article. I have no information to contradict hm.

That's the same person who said the UK banks are liable and Canadian banks are not. Both statements are false. Canadian banks are liable under their online banking guarantees conditional on customer meeting his/her responsibilities.

UK banks are not more liable either. Just that when some UK bank refuses to compensate and the UK bank has signed up to the fund, the customer try to claim the loss from the fund.

…
Realistically, if I were a fraudster, surely I would want to go after the bank's weaknesses more than the individual's. I can get a lot more money that way. And household visitors are a lot easier ot identify.

Over the last few years, 3 of the financial institutions that i deal with have had reported breaches. Only one of them affected me personally, and not significantly. I was lucky. I haven't had any problems with my PC. Odds are, therefore, that future issues will also be with the banks, not me.

It's the other way around. The successful thieves try the easy route, not the hard one.

Very hard to break into a bank vault. Lot easier to follow the customers when they leave the branch after making their cash withdrawals and mug them on their way home.

Instead of trying to hack into a bank's network, lot easier to break into expensive homes, install keylogger software onto their home computer, and take a few valuables to make it look like an ordinary burglary.

Then, patiently harvest the e-mail account and banking passwords as the people log into their accounts, relieved that their home computer wasn't taken.

Let's restrict ourselves to the things Munk School researcher Christopher Parsons is ACTUALLY quoted as having said, all other statements being paraphrase and/or editorial:

"They (i.e. the banks) can't just provide us tools or push liability upon us and then walk away."
"One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they're encouraged to build way better security and protect their customers from this sort of fraud."
"And as soon as the banks had to take those losses (i.e. following new legislation in UK), all of a sudden … fraud plummeted because the banks invested massively in security," said Parsons.
"If banks themselves won't do it, then it's an area where legislation needs to be seriously considered. We can't rely on customers to know about every kind of security vulnerability, to track every website that has breached passwords," he said. "That's just absolutely absurd and not a feasible solution to the problem."

While there may be some errors in quotes, let's just stick to them and not the paraphrasing and editorialisms. If he'd been as clear as Norman thinks about other questions, I expect there would have been a direct quote to back it up.

The articles cited by Norman in British media have to do with the introduction of the new measures, not with the effects they have had on banks' behaviour or incidence of fraud since then.

And if the problem is burglars, visitors, or nefarious relatives installing devices to track keys, then in my opinion this is something the banks need to deal with. They are the ones who introduced online banking and told us how safe it was going to be. They bear a lot of responsibility in ensuring that it is. They have way more sophisticated tools and knowledge than the average person can ever have.And they have the arrogance to sit there and say "it's your fault" without ever disclosing how they came to this self-interested conclusion. Give me a break!

Many of the "security" questions they use are laughable. Everybody who attended my wedding knows where it took place; a ton of people know my eldest nephew's name; my father's middle name is easily obtainable; even the name of my first pet is known to a few people; and so on.
The banks chose to pretend that this was all easy and safe because they wanted us to use it and are capitalizing on our trust.

If they wanted it to be really secure, they would make it harder to log in. They are perfectly capable of doing this as they keep all their internal documents under tight control. However, if they did, customers would get frustrated, no doubt, and would complain that it was difficult to access their accounts and that online banking was too difficult. They would be constantly phoning in to re-set their passwords and would take up almost as much staff time as they used to when they went to physical branches The banks don't want people to get frustrated because then they won't use online banking. So, they have cut corners to make it "easy", "convenient", - and vulnerable. There is a cost to that, and we ought not to allow them to put it all on us.

The fact that they have compensated some people voluntarily and have apparently never revealed any details as to why they accuse the customer of being at fault shows that they recognize their role in the problem. But they will only take serious action when either the problem gets out of hand (i.e. too many complaints, lawsuits, bad publicity, and closed accounts) or they are forced by law to do better. No doubt they have actuaries and algorithmic odds-makers figuring out how much they think they can get away with on an ongoing basis.

In this regard, I doubt credit unions are any different. I don't find them to be any more secure. I remember when Hubert used to force members to change their password every few months They have dropped that, but it was a good start. Maybe people complained that it was "inconvenient".

BTW, the correct answer to "who is your favourite Beatle?" (this week) is "Clovis". Next week I think it might be "Minerva". Think of it like naming hurricanes. Perhaps "Boris" will be up next. Maybe my first pet's name really was "tractor", come to think of it, or was it "Nonsequitur"?
Poor puppy.

The views here represent the usual dichotomy between those who take personal responsibility for their security and those who regularly blame others such as big business or government for the same. I agree with you, Alexandre, that's where it starts, and so far I've never had a problem of any kind.

Loonie, it's not just burglars, nefarious relatives, etc, these types of frauds are very often committed, as those who have worked in the field fully know, by collusion, e.g. the victim or employee (inside person) and outside collaboration. You need to consider that possibility too.

I and my colleagues used to laugh at CBC and other media reports of a particular case. Invariably much was incorrect, even more was omitted. I don't expect those without my experience to be as aware of this, but I think all the kids have been taught for some time to be very skeptical consumers of all media.

Loonie said
Let's restrict ourselves to the things Munk School researcher Christopher Parsons is ACTUALLY quoted as having said, all other statements being paraphrase and/or editorial:

"They (i.e. the banks) can't just provide us tools or push liability upon us and then walk away."
"One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they're encouraged to build way better security and protect their customers from this sort of fraud."
"And as soon as the banks had to take those losses (i.e. following new legislation in UK), all of a sudden … fraud plummeted because the banks invested massively in security," said Parsons.
"If banks themselves won't do it, then it's an area where legislation needs to be seriously considered. We can't rely on customers to know about every kind of security vulnerability, to track every website that has breached passwords," he said. "That's just absolutely absurd and not a feasible solution to the problem."

While there may be some errors in quotes, let's just stick to them and not the paraphrasing and editorialisms. If he'd been as clear as Norman thinks about other questions, I expect there would have been a direct quote to back it up.

But, there is no sign of any new legislation in the UK shifting the liability to the banks in these kinds of situations.

In contrast, there are lots of articles about the new compensation fund for these kind of situations. Talk of a 2.9 pense levy on each fund transfer over £30 to fund the compensation fund. Proposals for some kind of payee verification system that one could use to verify the identity of the account one is about to send funds to.

The articles cited by Norman in British media have to do with the introduction of the new measures, not with the effects they have had on banks' behaviour or incidence of fraud since then.
…

The change is just a new compensation fund. It just means that when the bank won't compensate and the bank is among the ones signed up to the fund, the customer can file a claim against the fund.

According to Guardian (Sept. 26, 2019): Number of bank transfer scams in UK rises by 40% in a year, funds transfer fraud has been up substantially this year to June. But, the latest statistics only includes about a month of the new compensation fund available for claims.

Norman, according to the articles you have referenced from the BBC and from "moneysavingexpert", whoever that may be:

the compensation fund is funded by the committed banks;
the banks themselves drew up the codes;
Most of the major British banks have committed to it;
banks who have not committed to it have indicated they likely will in the future, with the exception of one that promises to refund all innocent customers;;
vulnerable people are fully protected;
there is provision for appeal to an ombudsman service if the decision is not accepted;
and, in the first instance, where banks are fully responsible for what happened, they will compensate directly, not from the fund. The fund is to be used only when there is joint responsibility.

This is not an exhaustive list.

People who are "grossly negligent" will be responsible for their own errors, but this is within reason; customers are not expected to be computer experts. Education will be provided on what is reasonable. That is to be expected, and nobody here has suggested otherwise. Everyone who is not shown to be "grossly negligent" will be compensated.

However, if as Parsons says, significant improvements have already been seen, then either there can't be so many "grossly negligent" people as are sometimes assumed or the new educational expectations that the banks must implement have been rapidly effected and transformed into new habits (very unlikely in my view, given human nature).

Certainly, if I were a bank and knew I would be held responsible or would have to contribute more to a compensatory fund, I would be in a hurry to make security improvements. I would abandon the laziness of which our banks are typically guilty in their so-called "security" questions. But if it's up to my total discretion, as is the case in Canada, then I would simply be weighing the costs of lawsuits, bad publicity and occasional payouts to make me look good and take off the pressure to regulate.
The British banks seem to have seen the light, the need to regulate, and have agreed to it. Perhaps they had a bigger problem in the first place, which was leading to more bad publicity. Let's hope ours become equally enlightened.

Here, on the other hand, we have no protection at all and everyone must beg individually and hope for the best, or go to the media. It's time we caught up.

In your last post, you added the notion that in future the compensation fund might be funded from a transaction tax charged by the banks.
Yes, they might. That would be just like them, wouldn't it, to charge the customer for the fund that is supposed to compensate them for errors which are partly their own responsibility, and not take it from profits. That is what is so sick about this industry - and many others - that they transfer their own mistakes to the public, whether it's through whining to the government that they need more tax breaks or "incentives" or by taxing the customer. Talk about people not taking responsibility! I can't think of better examples.
But when it comes to individuals messing up, some people are eager to point the finger - even when they have no evidence.

Loonie, you're right, the wealth I've made as a bank stock owner has made me biased for the banks, good observation.

The rest of your unfounded speculations aren't worth comment.

skibum said
I receive e-transfers a lot and was looking for a safer, more convenient way. My solution was to set up a bank account with "e-transfer auto-deposit", easily done from the bank's web site and free ... Hacking my email account doesn't come into play. Also no constantly checking incoming email for e-transfers. I can later re-direct the funds. Has anyone heard of a problem with this method?  

You did the right thing, but this method is still not hacker-proof.

A hacker that has access to victim's email account could submit victim's email address for autodeposit to hacker's bank account and complete the transfer of autodeposit registration by intercepting emails coming from Interac to victim's inbox.

Autodeposit transfer process does not require victim's banking credentials, just victim's email address.

If victim receives recurring autodeposit payments, hacker could intercept such payment by redirecting autodeposit to hacker's account just before next payment is made.