CBC MARKETPLACE and scam warnings | Your stories | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
CBC MARKETPLACE and scam warnings
November 18, 2023
12:06 am
RetirEd
Member
Members
Forum Posts: 1073
Member Since:
November 18, 2017
sp_UserOfflineSmall Offline

I've never used on-line banking, or put anything important on a computer with an internet connection, but not everyone has spare computers around as I do.

This week's (November 17) CBC Marketplace show has an important point to consider. They did their annual phone-scam update, and mentioned something many may not understand.

When a phone scammer gets access to your computer - even for a low-value "tech support" or "order refund" scam - once they convince you (okay, I don't mean that YOU specifically are one to fall for this) to let them access your computer remotely, they can dig into your banking if it's on the same computer! And that's even easier if you let your passwords be saved in your browser or other app!

A stored password is NO password if anyone gets physical OR remote access to your computer.

Once they've breached your computer, EVERY CENT in EVERY ACCOUNT (probably not GICs) can likely be drained. I'm not sure how transfer limits apply in every case, but they mention thefts over $50K so keep an eye on things.

Let's take a moment to remind our friends and family, especially older ones or those less computer-literate. And phones are MUCH less secure than stand-alone computers because of the app vulnerability and always-online qualities.

RetirEd

November 18, 2023
1:20 am
HermanH
Member
Members
Forum Posts: 1204
Member Since:
April 14, 2021
sp_UserOnlineSmall Online

I was very surprised to learn that, because of card skimming devices, Tap is actually considered more secure than using the insert-chip+PIN method. Once your Debit/Credit is skimmed and you enter your PIN, the thief has both vital pieces of information and can drain your account. Gone are the days when you could easily spot an attachment to a PoSale card reader. They are now small enough to be installed within the card reader and there is no way a user can know, without dismantling the device.

November 18, 2023
2:51 am
everhopeful
Member
Members
Forum Posts: 122
Member Since:
September 28, 2023
sp_UserOfflineSmall Offline

A very good reminder. I remind my parents of that constantly, I compare allowing remote access to mailing house/car keys to strangers. Sometimes I use remote access to fix issues while I am on the phone with them, but I remind them each time to watch what I am doing, and tell them to close the session if they have to leave the PC, no matter the brevity. I will definitely watch and send them the link of Marketplace to view.

November 18, 2023
5:42 am
mordko
Member
Members
Forum Posts: 889
Member Since:
April 27, 2017
sp_UserOfflineSmall Offline

When a phone scammer gets access to your computer - even for a low-value "tech support" or "order refund" scam - once they convince you (okay, I don't mean that YOU specifically are one to fall for this) to let them access your computer remotely, they can dig into your banking if it's on the same computer! And that's even easier if you let your passwords be saved in your browser or other app!

There are a couple of additional lines of defence most online banks and brokers provide. I use two-factor authentication for every place which has my money. That means that the thieves would have to get full control of my phone - as well as computer - to access my accounts.

If all else fails, and the thief starts moving out large sums of money, this would likely be intercepted by bank’s fraud department. Brokers usually have constraints on where you can move the money to.

This type of fraud is definitely something to be aware of. In addition to losing money thieves could gain access to your SIN info and use it for identity fraud, other confidential information, photos, company secrets, etc… But the world does not have to end even if thieves accessed your computer.

And I do think that online banking offers security benefits, as well as risks. For example ease of checking recent entries allows one to spot fraudulent charges.

November 18, 2023
5:45 am
savemoresaveoften
Member
Members
Forum Posts: 2943
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

A couple of simple rules to follow:

Never allow anyone remote access to ur computer, even if its ur internet provider technical support trouble shooting. There is never a need that they need remote access. The only exception is if its your work place tech support and for a WFH situation, thats different.

ALWAYS setup 2-factor verification and dont accept "remember your computer /device" when logging in to your account, whether its on ur regular PC or not. The "remember" is really just for convenience and bypass the 2-factor verification, which I considered to be the final and most importance wall of defence against hackers.

Turn on all possible alert notifications on ALL your bank accounts.

I tell my senior parents that any pop up that says viruses etc on their computer / phones, those are 99.99% scam, just ignore it.

Re phones being much less secure than a PC ? I am not sure about that, its all about the user.

November 18, 2023
6:19 am
Alexandre
Member
Members
Forum Posts: 1181
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

mordko said

There are a couple of additional lines of defense most online banks and brokers provide. I use two-factor authentication for every place which has my money. That means that the thieves would have to get full control of my phone - as well as computer - to access my accounts.

2FA can be bypassed using social engineering, be aware of that.

Giving you an example of conversation, let's say between scammer (SC) and me (ME).

SC: Is this Mr. Alexandre?
ME: Yes, it's me.
SC: This call is from anti-fraud department of your BANK [enter correct bank name]. We have noticed suspicious activity in your account.
ME: What activity?
SC: Someone is trying to send $$$$$$$ from your account to the Nigerian prince. Do you authorize this transaction?
ME: No!!!
SC: We will block that transfer, but we need to verify that we are talking with the account owner. In a few moments our system will send a code to the phone number associated with your account. Please read this code back to confirm your identity.

------------

... and this is how thieves can get access to your 2FA code without getting full control of your phone.

November 18, 2023
6:38 am
mordko
Member
Members
Forum Posts: 889
Member Since:
April 27, 2017
sp_UserOfflineSmall Offline

Yes, I have to take regular courses enlightening me on various fraud techniques like this. I would have to be out of my mind to bite on the example quoted above. Of course that could happen with age.

Much harder to avoid phishing. Very cheap to arrange in large quantities, and the quality of phishing emails and texts seems to be improving. An email may look to you like its coming from someone you know and ask for something you could be expecting.

Phishing scummers may not be able to empty your bank accounts but they could get hold of personal and confidential information and the damage could be very costly. And with AI, one should expect their techniques to improve fast.

November 18, 2023
7:13 am
savemoresaveoften
Member
Members
Forum Posts: 2943
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Alexandre said

mordko said

There are a couple of additional lines of defense most online banks and brokers provide. I use two-factor authentication for every place which has my money. That means that the thieves would have to get full control of my phone - as well as computer - to access my accounts.

2FA can be bypassed using social engineering, be aware of that.

Giving you an example of conversation, let's say between scammer (SC) and me (ME).

SC: Is this Mr. Alexandre?
ME: Yes, it's me.
SC: This call is from anti-fraud department of your BANK [enter correct bank name]. We have noticed suspicious activity in your account.
ME: What activity?
SC: Someone is trying to send $$$$$$$ from your account to the Nigerian prince. Do you authorize this transaction?
ME: No!!!
SC: We will block that transfer, but we need to verify that we are talking with the account owner. In a few moments our system will send a code to the phone number associated with your account. Please read this code back to confirm your identity.

------------

... and this is how thieves can get access to your 2FA code without getting full control of your phone.  

I will reply 'u can block it without my code'. 🙂
All scams all prey on the unsuspected, same old century old trick.

The one i find worse but prob less damaging is scam text, that prompt u to enter "1" or whatever to STOP something. When in fact replying with "1" authorize them to start a subscription using ur phone number. AND telcom carrier actually allow thise type of subscription and then start charging ur account monthly fee of $15 or whatever.
Had that experience on inlaw's phone. Telus basically told me they have no control and cant/refuse to stop the charge (even after escalating to manger level.) They did help to provide barely enuf info for me to track down the company and able to contact the company direct to "cancel" the service. That IS the only one to stop the service !

November 18, 2023
12:53 pm
Bill
Member
Members
Forum Posts: 3967
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

I'm not sure what you mean by "social engineering" (?) but if I got a call from my bank I wouldn't take it, I would tell them I'll call back and I would call the bank's general number and go from there. Also, sending me a code by text (how would they even have my phone number?) for me to read back to verify my identity is not giving them my 2FA code - ?

Plus I delete any text (without opening it) from a number I don't know, so that won't work either.

November 18, 2023
1:22 pm
Alexandre
Member
Members
Forum Posts: 1181
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

Bill said
I'm not sure what you mean by "social engineering" (?) but if I got a call from my bank I wouldn't take it, I would tell them I'll call back and I would call the bank's general number and go from there. Also, sending me a code by text (how would they even have my phone number?) for me to read back to verify my identity is not giving them my 2FA code - ?

Bill,

Let me start with punchline: "Never read back, email or forward to anyone any codes sent to you."

To clarify, the conversation I provided targets in real life people who need our wisdom in dealing with scammers. Not you and me.
Also, this was in reply to "the thieves would have to get full control of my phone - as well as computer - to access my accounts."
I gave an example when full control of the phone will not be necessary. Reworded it from real life cases.

Here is how it works. Suppose, scammer got full control of my PC. They know I bank at Motive (using Motive as an example). They can see my Motive login name and password. Annoyingly for them, for every login attempt Motive sends SMS with code to my smartphone, that I must enter to log into my account. Scammers don't have access to my smartphone, but they managed to get one of my phone numbers from my PC they had access to. Could be landline number, for example.

Scammer calls my landline number pretending to be from Motive. They tell me they'll send me a code I must read back to verify my identity. On their computer they enter my email and password to Motive banking Web site. Motive sends 2FA code to me. I read it to scammers. They enter it to login page and gain access to my account.

Later, realizing my money is gone, I call Motive to request refund on transaction(s) made by scammers I didn't authorize and bank tells me they won't, because I voluntary provided 2FA code to the third party.

---------------

There are other scenario possible, and while 2FA MUST be turned on when available and while it is a good tool to protect you, it is not 100% bulletproof. So, I'll finish with punchline I started: "Never read back, email or forward to anyone any codes sent to you."

November 18, 2023
1:35 pm
serendipity
Member
Members
Forum Posts: 168
Member Since:
October 30, 2023
sp_UserOfflineSmall Offline

I have thought of that many times.

But you should be safe if you have NO cash in your accounts. Or minimize where you have your cash.

And TURN on all of the alerts that you can and make sure the FI or Credit card company has your home and mobile number.

That's where the quarterly GICs and the floating rate GICs could add a layer of protection.

Bottom line if I don't the the caller on the phone or at the door. Guess what? I don't answer.

My phone is set up with every contact that I know. Then is set to only ring if the contact is in my phone. Then I see the name and decide to answer or not. Those that don't ring still show in my recents and they have the option to leave voicemail.

Our front door has a drive way alarm on it and the house is alarmed too. The front porch, side and back of house have motion detectors to turn lights on. We are covered from racoons, cats, bears and people.

Think about it.....some one cold calling you or knocking on the door, is an invasion of your privacy and it is not rude if you choose not to answer. The problem is...we are toooooo polite.

November 18, 2023
2:01 pm
Bill
Member
Members
Forum Posts: 3967
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

I agree, if someone has control of my computer then all bets are off. But as I also said I'd never give anyone a code if they called me.

But reading back a code to someone is fine if you initiated the call. For example the other day I had to call a big bank discount broker and they first sent a code to my phone that I read back to them to verify my identity.

A few months ago I got home and my wife shushed me as she was on the phone with "Microsoft", she had called them because something froze the computer and popped up to call their number and now they were controlling our computer, I could see the cursor moving. I immediately hung up the phone and turned off the computer, nothing bad has happened so far, wife very embarrassed but she started talking again after a couple of days, all's well. Except there's this "Supremo (283 704 861")" icon that shows up when I hover over the hidden icons up-arrow near the bottom right of my screen, I deleted the related program files but that icon has stayed there.

November 18, 2023
3:33 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3018
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

Run the free version of Malwarebytes to see what else it can scrub off the system. That application does a good job on malware. Delete the program when you are done to avoid being pestered with pop ups to upgrade to Premium.

November 18, 2023
3:56 pm
Norman1
Member
Members
Forum Posts: 6899
Member Since:
April 6, 2013
sp_UserOnlineSmall Online

Malwarebytes and other security software likely won't do anything because SupRemo is not malware.

SupRemo is legitimate remote desktop software from Nanosystems S.r.l, a software company in Italy.

Sounds like the scammer may have installed "Supremo for unattended access" which will start something when Windows starts. See uninstall instructions here:

https://www.supremocontrol.com/how-to-uninstall-supremo/

November 18, 2023
4:17 pm
Alexandre
Member
Members
Forum Posts: 1181
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

I would not trust computer after it were compromised. I would not use it after that, I would have replaced it.

November 18, 2023
4:50 pm
savemoresaveoften
Member
Members
Forum Posts: 2943
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Alexandre said
I would not trust computer after it were compromised. I would not use it after that, I would have replaced it.  

You don’t need to replace it. Just wipe out what’s on it and reinstall windows.
Obviously u can’t back up what’s on it, not knowing what’s infected and to what extent. But reinstall windows will cleanse it 100%, no need to burn it lol

November 18, 2023
4:56 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3018
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

Norman1 said
Sounds like the scammer may have installed "Supremo for unattended access" which will start something when Windows starts.

My point was to run Malwarebytes to see what else it can scrub off the system given Bill's wife responded to a pop up. What else beyond SupRemo might be there?

There is no need to throw the PC out nor even wipe it clean. Apps like Malwarebytes stay up to date on malware that is out there. A Windows Defender scan and Malwarebytes (or similar) scan would be all that I would feel needs to be done.

One link to review as regards malware protection https://www.techradar.com/best/best-malware-removal The free version of Malwarebytes relies on manual scans rather than real time protection (Premium version) but that is good enough for Bill's situation to cleanse something he might suspect is there.

November 18, 2023
5:12 pm
Loonie
Member
Members
Forum Posts: 9307
Member Since:
October 21, 2013
sp_UserOfflineSmall Offline

So, there's something to be said for being an old codger who never got the hang of computers and is happy with their not-smart house phone!
Maybe, instead of encouraging our elders to adopt new tech, we should support them in avoiding it! It could save us a bundle in the end!

This thread got me thinking about those "call backs" which we like to get from FIs that do not adequately staff their phone lines. They quite rightly ask us for ID info, but how do we know for sure who is calling us?

November 18, 2023
5:55 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 3018
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

It does take some 'street wisdom' to not fall prey to online phishing and scams but that is true for a whole range of real life scams such as peddling of stolen goods on FB Marketplace, asking for e-transfer deposits to hold product, door-to-door salesmen (to the extent this still occurs), etc, etc, etc.

Saying 'no' to online solicitation is no different than saying 'no' to the peddler on the street. Helping our family and friends is the best we can do.

As for callbacks, it would be a huge coincidence for a phishing attempt to be coincident with a request for a callback. Not impossible of course.

November 18, 2023
6:31 pm
savemoresaveoften
Member
Members
Forum Posts: 2943
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Loonie said
So, there's something to be said for being an old codger who never got the hang of computers and is happy with their not-smart house phone!
Maybe, instead of encouraging our elders to adopt new tech, we should support them in avoiding it! It could save us a bundle in the end!

This thread got me thinking about those "call backs" which we like to get from FIs that do not adequately staff their phone lines. They quite rightly ask us for ID info, but how do we know for sure who is calling us?  

Sorry to say it but

Old or not, adopt to new tech is a must, that’s how society advance. Imagine support horse drawn carriage as oppose to a motor car !

Advance in medical field that prolongs the life of the elderly is only possible cuz new technology is being invented and adopted, not cuz it’s being rejected.

No permission to create posts

Please write your comments in the forum.