CBC News: RBC customer out of pocket after fraud

[Jason]

I don't necessarily blame RBC for this fraud and I think you might agree when you read the article. As you'll read it's less about e-Transfer and more about properly securing your email accounts but the article does talk about two-factor authentication and how banks don't seem to use it here so I thought it was relevant. Having 2FA authentication for the recipient's email account or on the transfer would have stopped this fraud in its tracks.

Financial institutions resist solutions

The cybersecurity expert says financial institutions and Interac need to require something called "two-factor authentication" to better protect people's accounts.

"Every time you log into an account you need to use a second factor," explains Popa. "A code that arrives as a text message or as a separate email to a different email address that is only valid for a few seconds or a few minutes after it's received."

He says the financial industry knows more security is needed, but is more concerned about getting customers to use the e-transfer system.

Some financial institutions offer two-factor authentication as an option, not a requirement.

Go Public asked RBC and Interac why they don't require two-factor authentication. Both declined to address the question.

[ssfc72]

Thanks very much for posting this info, Jason!  It is an eye opener for me.

RBC is in the wrong and needs to make good the fraud cost.
The article mentions that the etransfer system allows 4 attempts at guessing the password but the article does not state that the etransfer terms mentions this guessing of password is allowed up to 4 times.

I also can't believe the cops feel it is basically useless to go after the fraudster, when they know who he is and what bank ( the TD Bank ) he used to complete the fraud.

[Jason]

That's a good point about giving the recipient four tries at the password.
But I think the big problem here is that somebody took over their email account probably because the recipient used the same password with linkedin or verification.io that they use with their email address. Even if the bank had given them only one try at the security question, the "hacker" could have simply emailed the sender to ask her to remind her again of the answer.

It is weird that the Police say they likely won't be able to do anything when the fraudster used a TD account to get the money but this could be a lack of understanding how e-Transfer works.

Honestly, I think mistakes were made on the bank side to not have 2FA or allow 4 guesses at answering an security question. But I also think the recipient should have taken greater care over protecting her email account. If she was using a email service with 2FA, she could have also stopped the hacker.  The bank's offer to reimburse half seems fair under the circumstances. It's kind of like using a password service to share a password directly to somebody else's email and then blaming them when the recipient's email is hacked.

I know we like to blame the banks for everything but they're not the only one that dropped the ball on this.

Honestly, I'd never use e-Transfer for large amounts of money like that. It's pretty obvious to me after having used it a few times, there is no identify verification on the other end. You click on a link, choose the bank and the funds go there. There's no identity verification. But one other thing you can do is setup e-transfer to it automatically deposits funds you get. I do that. So even if somebody got my email, they couldn't get my money, though my email is also protected with 2FA using YubiKey.