Ottawa woman warned BMO of suspected bank fraud, still lost $15K | General financial discussion | Discussion forum

March 26, 2024
5:08 am
davidgeorge

It's still a mystery how this happened. The bank blamed the client but the client insists that she didn't share any account information with anyone. Another inside job?

https://ottawa.ctvnews.ca/ottawa-woman-warned-bmo-of-suspected-bank-fraud-still-lost-15k-1.6821464

March 26, 2024
6:18 am
Alexandre

Exactly how the scammers gained access to her account has not been conclusively explained but the bank says there is no way the fraudulent transaction could have gone through without Lemay's bank card number, password, and the one-time passcodes.

I would love to see some sort of law or regulation which would make the bank refund a disputed transaction 100% unless the bank can provide the exact steps of how someone accessed the account, including the IP address(es) logins were made from, the device type and whether it was app or Web access, and the phone number to which one-time passcodes were sent.

Banks must have that info already, they must already collect and archive it, but unless they are required to provide that info they would not bother.

March 26, 2024
6:50 am
phrank

Alexandre said

Exactly how the scammers gained access to her account has not been conclusively explained but the bank says there is no way the fraudulent transaction could have gone through without Lemay's bank card number, password, and the one-time passcodes.

I would love to see some sort of law or regulation which would make the bank refund a disputed transaction 100% unless the bank can provide the exact steps of how someone accessed the account, including the IP address(es) logins were made from, the device type and whether it was app or Web access, and the phone number to which one-time passcodes were sent.

Banks must have that info already, they must already collect and archive it, but unless they are required to provide that info they would not bother.  

Great idea, but that would hurt profits, shareholders and political contributions ;)

March 26, 2024
7:08 am
Alexandre

phrank said

Great idea, but that would hurt profits, shareholders and political contributions ;)

Agreed. That's why it must be the law or mandatory financial regulation.

This lady might not be IT competent enough to understand all that IP address mumbo-jumbo, but even she could have shared detailed info from the bank with someone who can, and gotten answers.

It is a very interesting case. They claim remote access (not ABM withdrawal), they claim security codes sent by SMS - so from which IP address, to which phone number?

From the initial looks of it, it sounds like an inside job at the FI, someone cloning/copying the card number, password and PIN while they are issued to the client, but a security code sent by SMS requires access to the phone number. That does not fit the inside job definition.

March 26, 2024
7:27 am
savemoresaveoften

The Amazon Prime scammer phone call has nothing to do with how her account was hacked. A voice phone call is not possible to fish any info out of her, unless she gave it away which she said she did not.
This story is weird and there is more to it, I believe. It is a pure coincidence that it seems to be connected. And the money was withdrawn right when a branch changes her card# etc etc, and the scammer was able to produce the proper one-time passcode too?! Did she check if it's still the correct phone number listed for authentication??

March 26, 2024
7:36 am
InterestThis

Yikes, the bank is refusing to pay her the lost 15K.
It could also have been a trojan or keylogger she downloaded, or phishing, which captures all of your log-in data, so then the crooks can access the accounts.
So basically if your computer gets hacked, and the criminals steal your money, tough luck for you.
Time to turn off Global money transfer if possible, and accounts really need to be locked down.

March 26, 2024
8:12 am
InterestThis

Trying to turn OFF Global Money Transfer as don't need it, the CSR says they cannot turn it off.
You cannot even set a limit of $10 or something to control it!
And the CSR says "everything will be fine as long as you don't use it, or misuse it".
Meanwhile there is no limit to the Global Money transfer, unlike the 3K Interac for security. So it's a wide open back door to empty your account if someone hacked into your bank account by stealing passwords with a keylogger or trojan.
The banks are getting worse and worse, that is for sure.
Put in an official complaint about it, but expect they will say take a hike. So the bank puts a wide open back door to empty your account, and won't remove or control it.

March 26, 2024
8:15 am
Alexandre

InterestThis said
Time to turn off Global money transfer if possible, and accounts really need to be locked down.  

As I read through Global Money Transfer FAQ, I am having more questions:

Are there any transaction limits on Global Money Transfers? How much money can I send?
The minimum transfer amount is C $100 and the maximum amount depends on your daily debit card limit.

I doubt her debit card has an $11,000 daily limit - this is how much was transferred from her account in one Global Money transfer.

March 26, 2024
8:33 am
InterestThis

It also depends on the bank, Simplii Global transfer is 50K and you cannot limit it!!
It should be set to the debit limit, but of course they don't want to have to pay staff to over-ride those limits. They want everything done by the magic of AI.
So for Simplii, at this point it cannot be trusted, as if someone stole your credentials, they could move 50K offshore, and the bank will not reimburse you, as you got hacked.
So Simplii is not secure up to 50K by this criteria.

It appears Tangerine does not allow Global transfer, so that is good. Just need a separate bank account for Global transfer, and if you ever need it, move the money in, then keep the account basically empty.

March 26, 2024
9:27 am
InterestThis

Actually the Simplii CSR told false info, it's not 50K.
It's 75K per day per account, so if a person got hacked with a trojan keylogger, in theory the criminal could move 150K offshore very easily.
The banks must make good money on the FX conversion, and hey if you get scammed that is your fault.
Isn't it interesting that domestic transactions can be capped at lower amounts even though they are more secure. Perhaps the domestic laws require this, but once it's global you are on your own.

Simplii Financial Global Money Transaction Limits
https://www.payments.simplii.com/assets/documents/rates_en.pdf

March 26, 2024
10:32 am
Norman1

savemoresaveoften said
The Amazon Prime scammer phone call has nothing to do with how her account was hacked. A voice phone call is not possible to fish any info out of her, unless she gave it away which she said she did not.
This story is weird and there is more to it, I believe. …

I agree. Her recounting of what happened is not believable.

People don't waste their time going to their bank branch to get new cards and reset passwords each time they receive an Amazon Prime scam call. She warned the bank of nothing.

For an $11,000 transfer to another country, BMO would likely have sent a two-factor SMS or e-mail code to confirm.

The Ottawa $14,500 victim's story in the Ottawa Citizen article that InterestThis mentioned is likely what actually happened.

March 26, 2024
10:41 am
davidgeorge

An even more bizarre case.

https://ottawacitizen.com/news/local-news/viola-societys-bank-account-emptied-of-16000-by-fraud-artist

That money, she said, was stolen even though the society’s account had a new bank card and a new password, neither of which she had used online.

“They weren’t entered or stored on my computer and I hadn’t told anyone the numbers,” Frederking insisted. “I have the only bank card. The other signing officer for our society doesn’t have a card.”

March 26, 2024
10:54 am
The Rock

Banks almost always blame the client. Their favorite thing to do is to accuse the client of sharing their login credentials with someone else. They tend to only take responsibility if the client goes public with the fraud and shames the bank in the media.

March 26, 2024
11:07 am
InterestThis

There can be browser-based JavaScript trojans that can keylog. It's pretty easy to get hacked. Never mind all of the holes in mobile devices. If they hack into an account they can change the devices, or probably even spoof them.
If this keeps getting worse, for those with some money, it might be a good idea to have it offline in bulk, or have a separate device only for banking. But even then.
It would be interesting to have an account only accessible from your home IP address for example, but probably not doable.
Frankly Scarlett, the big banks don't give a damn. It's a numbers game of risk.

March 26, 2024
11:10 am
InterestThis

On top of all this, there are certainly cases where someone in the household, like a wayward adult child or cousin, would steal Grandma's money by seeing where she kept her password, and then try to blame it on hacking.
Like people stealing $60 out of grandma's wallet, some people do that.

March 26, 2024
11:50 am
Norman1

davidgeorge said
An even more bizarre case.

https://ottawacitizen.com/news/local-news/viola-societys-bank-account-emptied-of-16000-by-fraud-artist

That money, she said, was stolen even though the society’s account had a new bank card and a new password, neither of which she had used online.

“They weren’t entered or stored on my computer and I hadn’t told anyone the numbers,” Frederking insisted. “I have the only bank card. The other signing officer for our society doesn’t have a card.”

It is bizarre if the treasurer's claims are true.

But, unfortunately, an occasional volunteer treasurer is not really volunteering, as in the case of one who ripped off a hockey club of $48,000+:

Chatham Daily News (2024/02/26): Ex-treasurer pleads guilty to taking nearly $50K from junior hockey team

We'll have to see when more details come out whether there is an issue at BMO or with the treasurer.

March 26, 2024
11:54 am
Norman1

InterestThis said

It would be interesting to have an account only accessible from your home IP address for example, but probably not doable.

Not doable. Home IP address is not fixed. Mobile phone IP address is not fixed either.

March 30, 2024
8:36 am
davidgeorge

Claim of etransfer theft prompts class-action suit against BMO

'It's just strange that all of these people in the last year or two have suffered from this,' says woman organizing the lawsuit, despite bank ombudsman saying BMO Canada is not to blame

https://www.newmarkettoday.ca/local-news/claim-of-etransfer-theft-prompts-class-action-suit-against-bmo-8454964

March 30, 2024
10:04 am
savemoresaveoften

Norman1 said

InterestThis said

It would be interesting to have an account only accessible from your home IP address for example, but probably not doable.

Not doable. Home IP address is not fixed. Mobile phone IP address is not fixed either.  

If one signs up for a dedicated IP address, that may be doable? The technology is already there for FIs to record your IP and use that for the 'trust your computer' feature when logging in and bypass 2FA.
