Sharing your personal information to suppress fraud - effective Apr 20, 2024 | Tangerine Bank | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Sharing your personal information to suppress fraud - effective Apr 20, 2024
March 21, 2024
3:01 pm
hwyc
GTA
Member
Members
Forum Posts: 1261
Member Since:
September 30, 2017
sp_UserOfflineSmall Offline

Open banking is tip toeing closer. Lo and behold, there is a message in my Tangerine Inbox.

March 21, 2024
6:25 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2142
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
The Tangerine message that Hwyc is talking about . . .
.

    "We're updating our Account Terms, effective April 20, 2024.
    .
    We're adding a new subsection under section A. General Terms - applicable to all Accounts. Here's the new section:
    .
    Sharing your personal information to suppress fraud
    .
    As part of our ongoing efforts to detect and prevent fraud, we're working with Ekata, Inc., a wholly-owned subsidiary of Mastercard International Incorporated ("Mastercard"). Your personal data are shared with Mastercard to verify your identity, the accuracy of the data you have provided, and to combat fraudulent and criminal activities (e.g., someone pretending to be you). For the purposes of fraud detection and prevention, you agree that we may disclose your transaction information, along with your name, phone number, email, IP and physical addresses to Mastercard. Mastercard combines the information we provide to them with information that they receive from other sources to create a database that they use to provide these services to us and to others, and may use that information for other purposes such as data analysis and product development, as further described in the Ekata by Mastercard - Global Privacy Notice."

.
It seems to me that; "Sharing your personal information to suppress fraud"
is an 'Oxymoron' ... No ❓

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

March 21, 2024
7:39 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3122
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

Not necessarily. It may increase the odds of a data breach due to data now being at Ekata but the physicals of your data given to them may well help prevent fraud, e.g. being perpetrated from an IP other than the ones you use to access your FI accounts. It won't help in an infection necessarily if an actor can take over your device but it should be helpful in many other instances.

Open Banking is going to open the vault doors between FIs anyway so your data identity will be passed back and forth, obviously only to those in which you do, or wish to do, business.

March 22, 2024
7:29 am
phrank
Member
Members
Forum Posts: 319
Member Since:
January 3, 2009
sp_UserOfflineSmall Offline

Dean said
It seems to me that; "Sharing your personal information to suppress fraud"
is an 'Oxymoron' ... No ❓

    Dean

  

Yes, it's another way to shift blame from the responsible to the innocent and creates another single point of failure.

"If you had only given us all of your personal information, bought a smart phone, pay for a data/voice plan, and walked around on 24/7 call, we would have known it wasn't you making the transactions..."

They fail to acknowledge that the vast majority of fraud is caused not by the individual, but by inadequate security by the manager of the information/accounts which they then often don't even acknowledge happened and provide the bare minimum compensation for.

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Another negative of this is what they do with that information. It takes us another step towards requiring digital IDs where at the flip of a switch the majority of your freedoms can be taken away.

If the companies/government could be trusted to provide quality service with integrity it would be a different story, but I don't appreciate the facade of we're protecting you, requiring that you give them more of your personal information like your phone number, when there are better ways of enabling people to protect their identity, securing their accounts, but these do not require you to give information to the institutions which they can compile, monetize or further their agendas.

I'd also have no problem with these sorts of things if you had a choice, but the fact is that most of us are put into situations where no longer have a choice and that's where I see this going. At this point I believe history supports the idea that this will not turn out to be a good thing.

March 22, 2024
8:52 am
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

phrank said

Yes, it's another way to shift blame from the responsible to the innocent and creates another single point of failure.

"If you had only given us all of your personal information, bought a smart phone, pay for a data/voice plan, and walked around on 24/7 call, we would have known it wasn't you making the transactions..."

They fail to acknowledge that the vast majority of fraud is caused not by the individual...

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Someone calls you from the "Security Department" of FI you have account with. There is an issue with your account, it appears there are fraudulent transactions which are currently placed on hold.
To make sure they talk to the right person they ask you to provide your account number, the one you use to login to your online banking.
To confirm it is you, they will be sending security code to your phone number that you registered with FI. When you receive that code you should read it back and verification will be complete.
Security Department will know you are the owner of the account, as they sent the code to the phone number associated with the account only FI knows about.

------------

This should answer your question. Yes, such acts of fraud, where somebody voluntarily gave up their account info and 2FA code to bad actors, do happen often.

March 22, 2024
9:46 am
phrank
Member
Members
Forum Posts: 319
Member Since:
January 3, 2009
sp_UserOfflineSmall Offline

Alexandre said

phrank said

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Someone calls you from the "Security Department" of FI you have account with. There is an issue with your account, it appears there are fraudulent transactions which are currently placed on hold.
To make sure they talk to the right person they ask you to provide your account number, the one you use to login to your online banking.
To confirm it is you, they will be sending security code to your phone number that you registered with FI. When you receive that code you should read it back and verification will be complete.
Security Department will know you are the owner of the account, as they sent the code to the phone number associated with the account only FI knows about.

------------

This should answer your question. Yes, such acts of fraud, where somebody voluntarily gave up their account info and 2FA code to bad actors, do happen often.  

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with. It's a very slick con which feels normal if you're not alert or caught off guard, but while the victim unwittingly gives up their 2FA code, they didn't give up all of their information, like the info which instigated the fraud, that information was obtained elsewhere and most likely from the company/bank which now won't cover you unless you get more visibility on the case. That same company which forced you to give up that information to do business with them and then neglected their duty to guard it.

There are many scenarios and my point is scammers very rarely (if ever anymore) are obtaining the information which enables the instigation of the scam from individuals. These are organized groups that don't operate on a one to one basis, they deal in mass data breaches of companies storing information they took from their clients.

Everything is big data these days, even criminals and forcing people to put more and more of their personal information in centralized locations where more and more organizations have access to it, that's not best practice if the individuals best interest was truly at heart.

There are ways to increase security through decentralizing.

March 22, 2024
12:20 pm
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

phrank said

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with.

This all is social engineering.

1. Robocalling random phone numbers;
2. Victim picks the phone and connected to human - to bad actor;
3. Telling victim their FI account is compromised. A bit of luck is victim having account with that FI. If not, go to Step 1;
4. Victim asked for and provides account number (for "verification");
5. Victim is told they'll get security code for additional verification;
6. Password reset is initiated for that account number by bad actors;
7. 2FA code sent to victim's phone by FI;
8. Victim reads 2FA code back to bad actors;
9. Bad actors reset password and take control over account.

-------------

Step 3 is obviously hit and miss. Recently I got a call from major telecom provider in Canada, no surprise I have account with them. They told me something is amiss with my account and they wanted to begin with "verification process" to confirm they are talking to account owner.

I explained to the caller why they are not who they pretend to be, surprisingly they insisted so I asked to name CEO of their company. They hang up on me, I am guessing wasting time for googling that info was too much for them.

March 22, 2024
1:16 pm
savemoresaveoften
Member
Members
Forum Posts: 2981
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Alexandre said

phrank said

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with.

This all is social engineering.

1. Robocalling random phone numbers;
2. Victim picks the phone and connected to human - to bad actor;
3. Telling victim their FI account is compromised. A bit of luck is victim having account with that FI. If not, go to Step 1;
4. Victim asked for and provides account number (for "verification");
5. Victim is told they'll get security code for additional verification;
6. Password reset is initiated for that account number by bad actors;
7. 2FA code sent to victim's phone by FI;
8. Victim reads 2FA code back to bad actors;
9. Bad actors reset password and take control over account.

-------------

Step 3 is obviously hit and miss. Recently I got a call from major telecom provider in Canada, no surprise I have account with them. They told me something is amiss with my account and they wanted to begin with "verification process" to confirm they are talking to account owner.

I explained to the caller why they are not who they pretend to be, surprisingly they insisted so I asked to name CEO of their company. They hang up on me, I am guessing wasting time for googling that info was too much for them.  

It's really simple to prevent these fraud, just ask for the name of the person, then look up the real phone number and call that number back to verify. Never give out any info from a call that you receive and not initiated.

March 22, 2024
1:32 pm
phrank
Member
Members
Forum Posts: 319
Member Since:
January 3, 2009
sp_UserOfflineSmall Offline

Alexandre said

phrank said

The scenario you describe only happened because that bad actor was able to obtain some information likely from the company you are doing business with directly or indirectly from company they are sharing info with.

This all is social engineering.

1. Robocalling random phone numbers;
2. Victim picks the phone and connected to human - to bad actor;
3. Telling victim their FI account is compromised. A bit of luck is victim having account with that FI. If not, go to Step 1;
4. Victim asked for and provides account number (for "verification");
5. Victim is told they'll get security code for additional verification;
6. Password reset is initiated for that account number by bad actors;
7. 2FA code sent to victim's phone by FI;
8. Victim reads 2FA code back to bad actors;
9. Bad actors reset password and take control over account.

-------------

Step 3 is obviously hit and miss. Recently I got a call from major telecom provider in Canada, no surprise I have account with them. They told me something is amiss with my account and they wanted to begin with "verification process" to confirm they are talking to account owner.

I explained to the caller why they are not who they pretend to be, surprisingly they insisted so I asked to name CEO of their company. They hang up on me, I am guessing wasting time for googling that info was too much for them.  

That's crazy, but you're so right IMO on all that stuff.

March 23, 2024
1:22 am
RetirEd
Member
Members
Forum Posts: 1153
Member Since:
November 18, 2017
sp_UserOfflineSmall Offline

...And if you get a "grandparent scam" or someone who says they need money - and you have already guessed someone you know as the caller - ask for their last name, or better yet, the "family password." Even if you don't have a family password, that will still knock them off script.

RetirEd

March 23, 2024
5:43 am
Alexandre
Member
Members
Forum Posts: 1232
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

savemoresaveoften said

It's really simple to prevent these fraud, just ask for the name of the person, then look up the real phone number and call that number back to verify. Never give out any info from a call that you receive and not initiated.  

If it were that simple, we would not have had people losing hundreds of thousands of dollars to scammers. We would not need sophisticated anti-fraud systems like one that Tangerine appears to test on its clients.

I am totally speculating here, but I can see scenario where such anti-fraud system can spot quite simple cases of fraud, just because info is shared.

Case 1. Customer who usually resides in Montreal initiates password reset from the location in India.

People do travel, FI has no reason to believe something is wrong with that, sends 2FA code and grants request.

With shared info, FI might learn that just 30 minutes earlier same customer checked their balance in their account with different FI, from their usual location in Montreal. Now FI does have reason to suspect something might be wrong here, as it is usually hard to get from Montreal to India in just 30 minutes.

Case 2. Starts same as Case 1, but FI is informed, by anti-fraud system, that same location in India which is office building initiated multiple password reset requests for personal accounts of different clients of a dozen of other Canadian FIs in the last hour.

March 23, 2024
10:58 am
Oscar
Member
Members
Forum Posts: 290
Member Since:
October 17, 2018
sp_UserOfflineSmall Offline

A quick search of ( Gates Foundation partners with Mastercard ) brings up many hits and should make it clear that the goal from the start has been to implement digital id using PPPartnerships and for them to be a leader. Example - https://www.forbes.com/sites/tomgroenfeldt/2014/12/09/why-the-gates-foundation-is-funding-a-mastercard-lab/?sh=5e6b0c45778f
and - https://www.businessfor2030.org/covid19-1/2020/3/27/member-spotlight-microsofts-covid-19-assessment-bot-eliminates-bottlenecks-85xcb-y4sec-3lxsk-8jy5f-rgald-fgntl
Notice how the name shows the UN 2030 symbol in their name - https://www.businessfor2030.org/
If one looks at the Ekata website and clicks on "how it works" link you will see they gather into their proprietary databases very detailed information such as your old roommate address, your mothers phone number and you IP address from your public library. To keep you safe sf-confusedSame type of charts the WEF uses, and they are also partnered with them of course.

March 23, 2024
11:06 am
Oscar
Member
Members
Forum Posts: 290
Member Since:
October 17, 2018
sp_UserOfflineSmall Offline

phrank said

Yes, it's another way to shift blame from the responsible to the innocent and creates another single point of failure.

"If you had only given us all of your personal information, bought a smart phone, pay for a data/voice plan, and walked around on 24/7 call, we would have known it wasn't you making the transactions..."

They fail to acknowledge that the vast majority of fraud is caused not by the individual, but by inadequate security by the manager of the information/accounts which they then often don't even acknowledge happened and provide the bare minimum compensation for.

How many acts of fraud are conducted because somebody accidentally gave up all their personal info and passwords etc?

Another negative of this is what they do with that information. It takes us another step towards requiring digital IDs where at the flip of a switch the majority of your freedoms can be taken away.

If the companies/government could be trusted to provide quality service with integrity it would be a different story, but I don't appreciate the facade of we're protecting you, requiring that you give them more of your personal information like your phone number, when there are better ways of enabling people to protect their identity, securing their accounts, but these do not require you to give information to the institutions which they can compile, monetize or further their agendas.

I'd also have no problem with these sorts of things if you had a choice, but the fact is that most of us are put into situations where no longer have a choice and that's where I see this going. At this point I believe history supports the idea that this will not turn out to be a good thing.  

Yup

March 23, 2024
12:21 pm
savemoresaveoften
Member
Members
Forum Posts: 2981
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Alexandre said
If it were that simple, we would not have had people losing hundreds of thousands of dollars to scammers. We would not need sophisticated anti-fraud systems like one that Tangerine appears to test on its clients.

I have not yet seen a story about a person lose $$$ to a really sophicated scam scheme. Every story has been "grandson in trouble", "can u use ur credit card to pay for my pizza and i give u cash instead", "Nigeria prince needs ur help", "your SIN# is locked, called us to unlock" type. And to make it even worse, a lot require gift card as payment...
I hate to say it, but all those victims are simply they dont apply "common sense" ,choose to "trust a complete stranger" or let their emotions take over their thought process.
So yes it is indeed pretty simple not to get scammed. Its not that scammers are smart (if they are, they can make a living without scamming), just that the victims are dumber.

March 23, 2024
4:08 pm
phrank
Member
Members
Forum Posts: 319
Member Since:
January 3, 2009
sp_UserOfflineSmall Offline

savemoresaveoften said

Alexandre said
If it were that simple, we would not have had people losing hundreds of thousands of dollars to scammers. We would not need sophisticated anti-fraud systems like one that Tangerine appears to test on its clients.

I have not yet seen a story about a person lose $$$ to a really sophicated scam scheme. Every story has been "grandson in trouble", "can u use ur credit card to pay for my pizza and i give u cash instead", "Nigeria prince needs ur help", "your SIN# is locked, called us to unlock" type. And to make it even worse, a lot require gift card as payment...
I hate to say it, but all those victims are simply they dont apply "common sense" ,choose to "trust a complete stranger" or let their emotions take over their thought process.
So yes it is indeed pretty simple not to get scammed. Its not that scammers are smart (if they are, they can make a living without scamming), just that the victims are dumber.  

I don't feel calling victims dumb is appropriate.

March 23, 2024
6:34 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2142
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline
    'Ditto' What Phrank said ⬆

Sadly, blaming the Victim(s) seems to be a common practice, for some here. sf-confused

No worries ... Karma will eventually see that that they Fall Off their High Horse.

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

March 23, 2024
8:37 pm
Loonie
Member
Members
Forum Posts: 9391
Member Since:
October 21, 2013
sp_UserOfflineSmall Offline

Quite a number of years ago, it was considered good practice to phone your bank, and especially your credit card issuer, to inform them if you were going overseas. This precaution arose because sometimes people found themselves stranded when their FI decided they were doing something unusual and therefore suspicious, and cut them off.

I remember calling my bank once for this purpose, and the fellow I spoke to was positively grateful that I'd called, and congratulated me for doing so. I was so surprised at the warmth of his reaction that it has stuck in my mind.

A few years later, I did this again, and was then told it was "no longer necessary".

Both of these occasions were quite few years ago now. I always wondered why it was "no longer necessary". Had they really solved the problem (not very likely)? Did they somehow have access to my travel plans, even though bookings not necessarily made on their card? Or did they just not care very much any more? I concluded, in the absence of more compelling information, that they'd decided it was too much trouble (i.e. cost too much) to keep track of such phone calls.
Today's requirements for more and more unwarranted releases of information sound to me like an extension of this policy, designed in a way that best protects the FI, not the customer. Why expect otherwise? People are too willing to give them whatever they ask for, and don't realize the ultimate consequences.
Privacy is something you can't get back.

March 23, 2024
10:24 pm
Norman1
Member
Members
Forum Posts: 7162
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Loonie said
…. I always wondered why it was "no longer necessary". Had they really solved the problem (not very likely)? …

Yes, the problem was solved. The credit cards with a chip make it highly unlikely that the real card was not there for a successfully validated card-is-present transaction.

In contrast, the magnetic-stripe cards were easily cloned without the cardholder's knowledge.

March 24, 2024
7:41 am
phrank
Member
Members
Forum Posts: 319
Member Since:
January 3, 2009
sp_UserOfflineSmall Offline

Norman1 said

Loonie said
…. I always wondered why it was "no longer necessary". Had they really solved the problem (not very likely)? …

Yes, the problem was solved. The credit cards with a chip make it highly unlikely that the real card was not there for a successfully validated card-is-present transaction.

In contrast, the magnetic-stripe cards were easily cloned without the cardholder's knowledge.  

This is no longer the case, but they are still acting like it is. Chips have been able to be cloned as well and like stealing cars using FOBs vs physical keys, it will eventually become a big problem.

IMO, they simply do not care and rather like most other services these days, the customer should appreciate the privilege of the business allowing you to do give them your money for their service. The customer is expected to give them all information they request and do with as they please in an insecure fashion, plus the customer must maintain an ability to be in constant contact by email, sms, phone and internet if they wish to maintain their service.

One of the kickers here is even when you do everything they force you to do, when you have an issue they are often not available to take your call due to more cost cutting.

It's another example of offloading of what used to be the companies responsibility to the customer.

No one pushes back so why wouldn't they keep adding to their bottom line and reducing their responsibility.

I still call my financial institutions when I go out of town. I've even had one admit that they can manually put in notifications which the fraud department can refer to when what they deem suspicious activity occurs and luckily I have only had my card locked while I was making out of province purchases while still at home.

I don't have a problem with people making mistakes if they are putting an effort into their work, but as Dean states, it's just accepted now to blame the victims. It's more profitable for the shareholders. sf-laugh

March 24, 2024
9:17 am
HermanH
Member
Members
Forum Posts: 1238
Member Since:
April 14, 2021
sp_UserOfflineSmall Offline

Norman1 said
Yes, the problem was solved. The credit cards with a chip make it highly unlikely that the real card was not there for a successfully validated card-is-present transaction.

Not likely. I recently had my card locked while I was still in town. I made a larger single purchase than normal via chip and PIN and was immediately locked out and had to go through the onerous task of trying to reach Visa security department. Of course, my convenience was subordinate to theirs, as the department only opens during business hours. sf-yell

No permission to create posts

Please write your comments in the forum.