this post was submitted on 02 Jun 2025
43 points (100.0% liked)

Canada

9805 readers
832 users here now

What's going on Canada?

Related Communities

🍁 Meta

🗺️ Provinces / Territories

🏙️ Cities / Local Communities

Sorted alphabetically by city name.

🏒 SportsHockey

Football (NFL): incomplete

Football (CFL): incomplete

Baseball

Basketball

Soccer

💻 Schools / Universities

Sorted by province, then by total full-time enrolment.

💵 Finance, Shopping, Sales

🗣️ Politics

🍁 Social / Culture

Rules

  1. Keep the original title when submitting an article. You can put your own commentary in the body of the post or in the comment section.

Reminder that the rules for lemmy.ca also apply here. See the sidebar on the homepage: lemmy.ca

founded 4 years ago
MODERATORS
otter
mp3
43
Scotiabank holds customer responsible for almost $20K in credit card fraud (www.cbc.ca)
submitted 4 days ago by [email protected] to c/canada
14 comments fedilink hide all child comments
 

The fraudster who called Judge asked for his birth date and mother's maiden name, which Judge shared. But then the fraudster asked him to share a "one-time passcode" — a type of two-step verification — that was texted to his phone.

Judge says he refused to do that, because the message also told him not to share the code with anyone, and said that no one from Scotiabank would ever ask for it.

The fraudster claimed that he stopped the charges from going through and hung up.

But two days later, Judge discovered a charge for $17,900 to Anglia Ruskin University in the U.K. on his statement, and a second for $1,800, supposedly paid to someone by the name of Paula S. Taylor.

"All that the bank has done is accuse [Judge] of either negligence or malice," said Claudiu Popa, who has 35 years' experience in cybersecurity and wrote The Canadian Cyberfraud Handbook.

top 14 comments
sorted by: hot top controversial new old
[–] Showroom7561 29 points 4 days ago (2 children)

On the Scotiabank website:

At Scotiabank, we're committed to keeping your accounts and financial information safe and secure. In the unlikely event that you suffer direct financial losses due to unauthorized activity¹ in your accounts² we’ll fully reimburse you, provided you’ve met all of your security responsibilities as outlined in the terms of our customer agreements³.

The footnote on their website for 1, 2, and 3, are in the "Legal Notes" section, and I had to increase the fucking font size to even read it. But point 3 just refers you to FOUR different documents, in addition to other agreements for whatever product/service you have with them.

I'm sorry, but consumer protection laws need to end this kind of bullshit. A company simply can't make their TOS so complicated that the user is always in the wrong.

“one-time passcode” — a type of two-step verification — that was texted to his phone.

And if they designed their “security system” to use SMS as a 2FA, fuck them! Banks need to be better than this!

[–] [email protected] 12 points 4 days ago (1 children)

ScotiaBank might be the reason why most of our bank laws exist.

[–] [email protected] 7 points 4 days ago

TD is why we still have them.

[–] [email protected] 4 points 3 days ago (2 children)

Why is SMS bad as a 2FA? And what would be a better alternative?

Genuinely asking because I don’t know

[–] Sturgist 4 points 3 days ago

Because it's actually very easy to clone a number and intercept all the texts.

Veritasium video on it:

https://youtu.be/wVyu7NB7W6Y

[–] Showroom7561 4 points 3 days ago

SMS 2fa is considered the least secure of the multi-factor world.

An authenticator app is going to be a far better option, and doesn't rely on a user having a smartphone, either.

Hardware keys would also be good, but not everyone has one.

[–] [email protected] 16 points 4 days ago

Note to self: do not do business with Scotiabank

[–] [email protected] 9 points 3 days ago

I can believe this. Scotiabank is fucking horrible. I deposited a business cheque that was made out to a numbered company and the name was off by one digit (5 instead of 6). Holee goddamn fuck, it took 6 months and a convo with the RCMP, who were fucking mad that they were brought in on this bullshit, to get it squared away. The company that made out the cheque wasn't about to reissue the cheque until it was figured out, so I got to finance that job for an extra half year out of my pocket.

Fuck Scotiabank, they're goddamn malicious fuckwits.

[–] stealth_cookies 11 points 4 days ago (1 children)

I've had banks reach out about possible fraud and it always seems scammy. I have definitely been on the phone and had a text or email with a code that I had to repeat to the person on the phone. So it isn't even universal that you don't give the code to the person you are talking to.

The best policy is that if your financial institution calls you is to hang up and call the number on the back of your card. You might have to wait on hold for a bit or explain to the operator but it is the only way to be very confident that you are speaking to the bank.

[–] Sturgist 3 points 3 days ago

I just had a fraud prevention call yesterday. It was automated. It said it's a fraud prevention call, and to look up the number on the website, repeated once then hung up.

[–] [email protected] 12 points 4 days ago

Corporations don't care about people.

[–] [email protected] 7 points 3 days ago

Crypto: one little mistake can cost everything you've got

Credit: one little mistake can cost more than you've got

[–] toastmeister 3 points 3 days ago (1 children)

So they hacked the account with two pieces of public information, the birth date and maiden name?

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

Phone number as well.

There's a video link above explaining how they could have intercepted the code.

I know of sms cloning, but you don't even need to do that which was new to me.