May 24, 2019
“Who’s your favourite Beatle?”, and other ways to lose $1,700
Canadians send over a million electronic money transfers – over $360 million – each day. But, as CBC News reports, e-transfers may not be as secure as you think.
Anne Hoover discovered this the hard way. She sent more than $1,700 by e-transfer to a friend, only to find that it was lost in transit. The manager at her local RBC branch told her that a fraudster had hacked the recipient’s e-mail account, guessed the answer to the security question, and redirected the funds. RBC said there was nothing it could do in this situation, but it reimbursed half of the funds as a goodwill gesture. Hoover also filed a report with the police, who told her that she was unlikely to see the money any time soon.
Hoover is not alone. In a similar case in Saskatchewan, in 2017, a fraudster intercepted a $7,000 e-transfer bound for a minor hockey league. The sender’s bank, RBC, blamed the sender’s security question and told her there was nothing they could do. In fact, in 2018, the Canadian Anti-Fraud Centre received 163 reports of compromised e-transfers.
According to RBC’s website, its customers are “fully protected and will be reimbursed for any unauthorized transactions.” Hoover was told that this protection does not apply where the bank thinks the customer’s password or security question is weak. RBC told CBC News that, “As part of our electronic access agreement, clients commit to using passwords and security questions that are unique and cannot be easily guessed or obtained by others.” It’s somewhere in the fine print.
Of course, there’s only so much banks can do to ensure security, but they can do more. Claudiu Popa, author of The Canadian Cyberfraud Handbook, suggests that financial institutions and Interac should adopt a “two-factor authentication system”, which adds another layer of security by requiring customers to verify transactions by email or text message. Some institutions offer this to customers as an option but not a requirement.
Financial institutions, for their part, recommend that customers choose security questions and passwords that are difficult for fraudsters to guess. (Hint: Chances are most people can guess your favourite Beatle in four tries or less!) A few security tips:
- In general, it’s a good idea to create difficult passwords, keep different passwords for different websites, change passwords periodically, and never share login information with others. A password manager app can help you keep track.
- Make sure the answer to your security question isn’t readily available on your Facebook or Twitter account. Consider making up fake answers for security questions (for example, your aunt’s pet, or your favourite TV character’s maiden name) and storing them in your password manager.
- A quick search on a site like haveibeenpwned.com may let you know if your login credentials have been compromised.
Additionally, the Canadian Centre for Cyber Security offers tips on identifying threats and protecting yourself on its Get Cyber Safe blog.