Hackers | Page 3 | General financial discussion | Discussion forum

October 29, 2019
1:57 pm
skibum
Member
Members
Forum Posts: 28
Member Since:
September 20, 2016

Alexandre said

You did the right thing, but this method is still not hacker-proof.

A hacker that has access to victim's email account could submit victim's email address for autodeposit to hacker's bank account and complete the transfer of autodeposit registration by intercepting emails coming from Interac to victim's inbox.

Autodeposit transfer process does not require victim's banking credentials, just victim's email address.

I need a bit more clarification please. Below is a cut from RBC autodeposit registration -

An email address or mobile number can only be registered to one account, either at Royal Bank or at another financial institution. If you try to register an email address or mobile number that's already been registered to another account, Interac will send you an email or text message asking if you'd like to replace the original registration with a new one at Royal Bank. Re-registration can only be accessed via online banking.

So if your email address is registered, a hacker cannot hijack it to their account. Interac does not send notification to your email Inbox when you receive funds, just your bank does and in my case, to my profile address (not the e-transfer address)
Do you see a loophole?

October 29, 2019
8:09 pm
Norman1
Member
Members
Forum Posts: 6763
Member Since:
April 6, 2013

skibum said

I need a bit more clarification please. Below is a cut from RBC autodeposit registration -

An email address or mobile number can only be registered to one account, either at Royal Bank or at another financial institution. If you try to register an email address or mobile number that's already been registered to another account, Interac will send you an email or text message asking if you'd like to replace the original registration with a new one at Royal Bank. Re-registration can only be accessed via online banking.

So if your email address is registered, a hacker cannot hijack it to their account. Interac does not send notification to your email Inbox when you receive funds, just your bank does and in my case, to my profile address (not the e-transfer address)
Do you see a loophole?

Yes. The loophole is that Interac will change the autodeposit bank account of your e-mail address to any account after the change is confirmed by responding to an e-mail Interac sends to your e-mail address.

After hacker has access to your e-mailbox, the hacker will sign into his online banking and sign up for autodeposit using your e-mail address. Interac will send an e-mail to your e-mail address asking to confirm you'd like to replace your original registration with the hacker's bank account.

Hacker has access to your e-mailbox and is able to access that Interac confirmation e-mail message. Hacker follows the directions in that message to confirm the registration change. Interac now autodeposits e-transfers sent to your e-mail address to the hacker's bank account!

October 29, 2019
8:32 pm
Norman1
Member
Members
Forum Posts: 6763
Member Since:
April 6, 2013

Alexandre said

I do not expect bank necessarily return money that was misdirected, smart criminal will withdraw it from their account right away. Yet, banks not acting promptly where they have access to all information about the thief is what allows these criminal actions to continue.

The banks can't do anything. Once a wire transfer, direct deposit, or Interac e-transfer is deposited into the correct account, the sending bank can't retrieve the money from the recipient's bank, without the consent of the recipient. It is part of the rules the bank agrees to when the bank joins the wire transfer network or the clearing system.

That's called finality. That's what makes wire transfers, direct deposits, and Interac e-transfers very useful forms of payment. To retrieve the funds, one will need to pursue the recipient outside the banking system.

October 30, 2019
7:07 am
Alexandre
Member
Members
Forum Posts: 1107
Member Since:
November 8, 2018

Norman1 said

Alexandre said

I do not expect bank necessarily return money that was misdirected, smart criminal will withdraw it from their account right away. Yet, banks not acting promptly where they have access to all information about the thief is what allows these criminal actions to continue.

The banks can't do anything. Once a wire transfer, direct deposit, or Interac e-transfer is deposited into the correct account, the sending bank can't retrieve the money from the recipient's bank, without the consent of the recipient. It is part of the rules the bank agrees to when the bank joins the wire transfer network or the clearing system.

That's called finality. That's what makes wire transfers, direct deposits, and Interac e-transfers very useful forms of payment. To retrieve the funds, one will need to pursue the recipient outside the banking system.  

Perhaps, I was not clear. I am not talking about funds retrieval.

I am concerned that banks seem to brush off escalations about Interac transfer intercepts. Police also does not appear to do much.
Perhaps, this is just bad optics from lack of communication between bank and its client, while on background bank swiftly deals with people stealing money through email transfers. By notifying police and freezing suspicious accounts, for example.
Yet, the way it is handled publicly, it undermines trust in Interac.

I, personally, actively used and trusted e-mail money transfers after they were introduced. After all, real recipient is known to bank, how could someone be stupid enough to steal money if they are fully trackable?

Now, I am back to chequebook. Just had contractor do work in my house. He asked if I can pay cash, about $2,500. I politely declined. He asked if I can do Interac transfer. I declined again and offered to write a cheque. He reluctantly agreed.

I am assuming that if he loses my cheque and someone deposits it to their account, bank will know how to deal with that.

October 30, 2019
1:55 pm
skibum
Member
Members
Forum Posts: 28
Member Since:
September 20, 2016

Thanks Norman1 and Alexandre. Still a bit befuddling as Interac never sends me an email. I only get emails from the bank themselves confirming the deposit. Probably "requesting e-transfer" is then the safest method based on the article below from Canadian High Interest Savings links.

    Secure Interac e-Transfers with Autodeposit and Request Money

The security of Interac e-Transfers is lower if you choose weak transfer passwords. Two ways to eliminate the need for Interac e-Transfer passwords is to set up Autodeposits and use the Request Money feature. Motive Financial recently introduced support for both features. With Autodeposits, you can configure any Interac e-Transfers you receive at certain e-mail addresses to go immediately into a specific account. One way to describe the Request Money feature is that it’s the “Send Interac e-Transfer” feature in reverse, where the recipient starts the payment process by sending out a request. Once the sender responds to that request, the money is immediately deposited into the account the recipient originally specified. If the recipient uses an account that has free Interac e-Transfers (such as the Motive Financial Cha-Ching Chequing Account), the sender might not pay a fee.

More news: Wealthsimple buys SimpleTax; Tanger

October 30, 2019
2:47 pm
Oscar
Member
Members
Forum Posts: 283
Member Since:
October 17, 2018

Bill said
Article said "his claim was denied because the transaction was authorized from an internet address where he has 'extensive history'". I don't know much about this kind of stuff but isn't that kind of an important tidbit that CBC could have pursued?  

The bank stated that was the case and it is probably a provable fact. But that could have been done by remotely accessing his computer as the security expert in the article mentioned. She noted a couple of examples of banks being hacked and international law enforcement effort collaboration was needed to put a stop to it after 40000 people were robbed. So it could have been a scam the account holder was in on or he may have been completely a victim. Maybe the only way to find out would be for his computer to be checked by experts in that field. Which brings me to my next point:

AltaRed said
If someone has been careless enough to get malware or a key logger on to their PC and the hacker can get in and use login credentials from that IP address (spoofed or otherwise), how is that the bank's problem?

People have to take responsibility for their own device's security.  

Most people know very little about computers, the internet and security. Brand new computers are sold with operating systems that don't have adequate security. That's why you have to install all these anti malware and anti virus programs. And lots of people don't even do that themselves, they have it done by their computer guy. How can anyone be sure that their computer guy isn't installing some back door or keylogger when you bring it in to get it fixed? I couldn't tell you either so that should really put the onus on the banks to beef up and take responsibility for online banking security, and perform a thorough investigation of each occurrence, or provide customers with a laptop that can only be used for online banking with the bank's own software installed.

October 30, 2019
3:18 pm
Oscar
Member
Members
Forum Posts: 283
Member Since:
October 17, 2018

Norman1 said

skibum said

I need a bit more clarification please. Below is a cut from RBC autodeposit registration -

An email address or mobile number can only be registered to one account, either at Royal Bank or at another financial institution. If you try to register an email address or mobile number that's already been registered to another account, Interac will send you an email or text message asking if you'd like to replace the original registration with a new one at Royal Bank. Re-registration can only be accessed via online banking.

So if your email address is registered, a hacker cannot hijack it to their account. Interac does not send notification to your email Inbox when you receive funds, just your bank does and in my case, to my profile address (not the e-transfer address)
Do you see a loophole?

Yes. The loophole is that Interac will change the autodeposit bank account of your e-mail address to any account after the change is confirmed by responding to an e-mail Interac sends to your e-mail address.

After hacker has access to your e-mailbox, the hacker will sign into his online banking and sign up for autodeposit using your e-mail address. Interac will send an e-mail to your e-mail address asking to confirm you'd like to replace your original registration with the hacker's bank account.

Hacker has access to your e-mailbox and is able to access that Interac confirmation e-mail message. Hacker follows the directions in that message to confirm the registration change. Interac now autodeposits e-transfers sent to your e-mail address to the hacker's bank account!

Now how many people thought that E transfers were airtight? I am under the impression that email is an insecure form of communication and a bank actually wrote that in reply to an email I had sent them on an unrelated matter. Yet they set up this system of money transfer. And it is already showing cracks in the armor.

October 30, 2019
4:48 pm
Bill
Member
Members
Forum Posts: 3919
Member Since:
September 11, 2013

Oscar, you're right, I know almost nothing about tech, never installed anything on my computer as my internet provider (Bell) assures me they got me covered (via McAfee). I use one desktop computer (used by almost no-one else) for all our banking, almost daily for many years now with numerous institutions. Kids have all moved out now, so aside from them coming and going a bit it's just two of us using the home network. Never had even a hint of a security problem. I wonder if it's the proliferation of mobile devices that is a main reason for increasing security issues.

November 1, 2019
7:13 pm
Norman1
Member
Members
Forum Posts: 6763
Member Since:
April 6, 2013

Oscar said

Now how many people thought that E transfers were airtight? I am under the impression that email is an insecure form of communication and a bank actually wrote that in reply to an email I had sent them on an unrelated matter. Yet they set up this system of money transfer. And it is already showing cracks in the armor.

Interac e-Transfers are secure.

One needs to get the unique e-Transfer token in the e-mail notification to the intended recipient and answer the security question correctly in four or fewer attempts.

One cannot obtain the funds if one just has the e-Transfer token. The sender in the case seems to have not taken the choice of a security question and answer seriously and contributed significantly to the resulting loss.

November 1, 2019
7:30 pm
Norman1
Member
Members
Forum Posts: 6763
Member Since:
April 6, 2013

Alexandre said

Perhaps, I was not clear. I am not talking about funds retrieval.

I am concerned that banks seem to brush off escalations about Interac transfer intercepts. Police also does not appear to do much.
Perhaps, this is just bad optics from lack of communication between bank and its client, while on background bank swiftly deals with people stealing money through email transfers. By notifying police and freezing suspicious accounts, for example.

Yet, the way it is handled publicly, it undermines trust in Interac.

I, personally, actively used and trusted e-mail money transfers after they were introduced. After all, real recipient is known to bank, how could someone be stupid enough to steal money if they are fully trackable?

Now, I am back to chequebook. Just had contractor do work in my house. He asked if I can pay cash, about $2,500. I politely declined. He asked if I can do Interac transfer. I declined again and offered to write a cheque. He reluctantly agreed.

I am assuming that if he loses my cheque and someone deposits it to their account, bank will know how to deal with that.

The banks are limited in what they can say because of their privacy responsibilities. As well, the bank won't freeze someone's account after one or two complaints. It could be complainant/sender who is trying to scam the Interac e-Transfer recipient.

Yes, it is stupid. But, some of the thieves are smart. They will trick someone else into depositing the Interac e-Transfer and provide them with the money in cash or Western Union transfer.

Ever hear of those accounts receivable work-at-home job scams? Deposit cheques, e-Transfers, etc. into your bank account. Wire or Western Union the money less your 25% cut to the "employer".

A lost cheque is not usually a problem because it is payable only to the order of the contractor. Payments Canada clearing Rule A4 allows up to 6 years for a cheque to be bounced back for the reason "Intended Payee(s) Not Paid".

July 1, 2023
2:59 pm
smayer97
Member
Members
Forum Posts: 783
Member Since:
September 29, 2017

Norman1 said

skibum said

I need a bit more clarification please. Below is a cut from RBC autodeposit registration -

An email address or mobile number can only be registered to one account, either at Royal Bank or at another financial institution. If you try to register an email address or mobile number that's already been registered to another account, Interac will send you an email or text message asking if you'd like to replace the original registration with a new one at Royal Bank. Re-registration can only be accessed via online banking.

So if your email address is registered, a hacker cannot hijack it to their account. Interac does not send notification to your email Inbox when you receive funds, just your bank does and in my case, to my profile address (not the e-transfer address)
Do you see a loophole?

Yes. The loophole is that Interac will change the autodeposit bank account of your e-mail address to any account after the change is confirmed by responding to an e-mail Interac sends to your e-mail address.

After hacker has access to your e-mailbox, the hacker will sign into his online banking and sign up for autodeposit using your e-mail address. Interac will send an e-mail to your e-mail address asking to confirm you'd like to replace your original registration with the hacker's bank account.

Hacker has access to your e-mailbox and is able to access that Interac confirmation e-mail message. Hacker follows the directions in that message to confirm the registration change. Interac now autodeposits e-transfers sent to your e-mail address to the hacker's bank account!

And the hacker can erase their tracks by deleting the confirming INTERAC emails. SHEESH!

BTW, this makes me realize that this also means that ANY email that is hacked can be set up with auto-deposit directed to a hacker's account of choice, even if it was NEVER originally set up for INTERAC auto-deposit, all without the email owner's knowledge. This means that if your email or text is hacked either before or after auto-deposit is set up, this is vulnerable. Hmmm....

That said, if there is provable fraud involved and it cannot be attributed to negligence by the official recipient, banks CAN and HAVE reversed transactions. Of course, the details matter.

That suggests that the way to maximize the security of INTERAC as it stands is to NOT use auto-deposit, have the recipient send a request for funds, use secure Q&A, get notified ahead of time when payment is being executed, and process the deposit manually as soon as possible. This keeps all parties informed of the transaction as it is taking place and minimizes interception. Of course, this takes away from much of the convenience and therefore can be highly impractical.
