Sunjit Lidhar was alerted by a phone call from Scotiabank last February, informing him that $3,000 had been transferred out of his savings account and was gone.
“My heart pretty much dropped to my stomach,” Lidhar told Go Public from his home in Surrey, B.C. “We just assume our money’s secure.”
Soon after, the cybercriminals stole another $2,000. But worst of all, Scotiabank refused to reimburse him.
“It is not acceptable to have your money stolen from your account and the bank — which you trust so much with your life savings — tells you they can’t do much to help.”
Lidhar is the victim of a “systemic problem” of criminals breaking into people’s online accounts and stealing money, according to Christopher Parsons, a senior public policy researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy.
Parsons argues that the country’s banks, not their customers, should be financially responsible when thieves raid customer accounts.
“The banks are responsible — solely accountable — for building and maintaining the infrastructure,” he said.
“We need to reverse the liability the banks currently impose upon individuals who are using the very services and tools that banks are demanding.”
The trouble started for Lidhar on Feb. 11, when hackers broke into his account and e-transferred $3,000 in two transactions — one for $2,000 and one for $1,000 — to an email address he says he doesn’t recognize.
As soon as he learned about it, Lidhar says he changed his password, got a new debit card, asked Scotiabank to freeze his accounts and stopped banking online.
Scotiabank said it would investigate, but when Lidhar didn’t hear back after two weeks, he visited his local branch. While speaking to someone in the fraud department, they told him money was again being transferred out of his account.
“I was totally shocked and blown away that this was happening while I was in the branch,” he said.
His bank was able to stop one e-transfer for $1,000 but not another for $2,000.
Lidhar says Scotiabank took a few weeks to investigate, and then said it wouldn’t cover his losses.
In an email, Scotiabank said his claim was denied because the transaction was authorized from an internet location where he has “extensive history.”
Security experts tell Go Public that hackers can access a bank account from a victim’s IP address by taking over an infected computer and logging in as if they were that person.
Lidhar says Scotiabank wouldn’t explain how the fraud happened, adding that only he has access to his account.
“They’re trying to blame me,” he said. “And they haven’t told me anything about who it went to.”
In a statement to Go Public, a Scotiabank spokesperson said the bank “took immediate action and conducted a thorough investigation,” into Lidhar’s case.
“We take the concerns of our customers very seriously,” wrote Douglas Johnson.
After Go Public contacted Scotiabank, it offered to compensate Lidhar — six months after his money was stolen.
More bank customers blamed
Go Public has heard almost identical stories from others — all saying their accounts were hacked, and that the banks oftentimes won’t reimburse them.
In May, Martin Chapman of Peterborough, Ont., lost almost $12,000 when criminals broke into his accounts at TD Bank and Royal Bank. Initially, he says, TD refused to fully compensate him, offering just $1,805. “They have admitted to me they don’t know how the scammer broke through their security system,” said Chapman. Only after he appealed did TD agree to pay back all $6,000. RBC refunded the remaining money after a two-week investigation. TD would not respond to questions from Go Public about this case.
Curtis Hamilton of Esquimalt, B.C., says he was targeted by hackers last November who installed a key logger on his computer and sent just over $2,000 to themselves. TD’s fraud department said Hamilton didn’t take care of his password and it was his fault. Hamilton had anti-malware software on his computer. He’s hired a lawyer but has yet to get his money back. “It’s been quite frustrating,” he said. “The bank is basically saying … ‘We’re not responsible for anything.’” TD would not comment on this case, when asked by Go Public.
Patricia Widdis of Breslau, Ont., told Go Public that hackers accessed her RBC account and redirected her Visa payments, stealing $12,000 in May 2018. The bank was able to get $7,000 returned, but she is still out $5,000 and feels betrayed. “They said, ‘You made the payments yourself,’” said Widdis. An RBC spokesperson wrote that potentially unauthorized transactions are analyzed “on a case-by-case” basis.
Threats ‘very problematic’
Most Canadians are unaware that myriad criminals are hacking into financial institutions in Canada and around the world, says security expert Limor Kessem.
“These threats are very real and very problematic,” said Kessem, an adviser based in Tel Aviv with IBM X-Force, an international team of investigators who track global security threats to the financial sector.
“In the beginning,” she said, “we would see that a banking trojan [a type of virus] would be targeting banks through their customers,” such as GozNym, a malware set she helped uncover and that was shut down in May, as part of an international law enforcement effort.
GozNym targeted two financial institutions based in Canada — which Kessem won’t name — and 22 U.S. banks, credit unions and popular e-commerce platforms, stealing sensitive personal and financial information, including online banking login credentials such as usernames and passwords.
It’s estimated GozNym stole over $100 million from some 40,000 victims. It’s an example of the sort of malware that might be responsible for the hacks against Lidhar, Hamilton and Chapman.
“And then we have a different type of attack,” said Kessem. “Cybercrime groups that will invade the banks’ actual infrastructure and get into their payment systems and start compromising them internally.”
Banks ‘should be liable’
It all points to the need for financial institutions to take responsibility when hackers steal customers’ money, says Parsons, the public policy researcher.
“They can’t just provide us tools or push liability upon us and then walk away,” he said. “One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they’re inspired to build way better security and protect their customers from this kind of fraud.”
In the U.K., says Parsons, banking fraud was such a big problem, the government made banks responsible for financial losses to customers.
“And as soon as the banks had to assume those losses, all of a sudden … fraud plummeted because the banks invested massively in security,” said Parsons.
He says Canada’s next government needs to follow the U.K.’s example.
“If banks themselves won’t do it, then it’s an area where legislation needs to be seriously considered. We can’t rely on customers to know about every kind of security vulnerability, to track every website that has breached passwords,” he said. “That’s just absolutely absurd and not a feasible solution to the problem.”
Go Public asked the Canadian Bankers Association — which represents Canada’s largest banks — whether its members would consider assuming liability when hackers break into the online banking systems they have created. A spokesperson did not address that question, but said banks “have no higher priority than the security of their customers’ money and conduct comprehensive investigations of all fraud cases, some of which are complex and take time to investigate the specifics of the case.”
All the banks involved in these cases have told Go Public that customers are responsible for taking precautions to ensure their devices, accounts and information are protected.
Sunjit Lidhar says he’s stopped doing online banking and now heads to his bank branch instead — a hassle he says is worth it, for peace of mind.
He says he wrote to Go Public to let people know that banks could hold them liable when hackers strike.
“I just want people to know that this is something that’s very real,” says Lidhar. “It’s not safe. And that’s something they [the banks] need to work on.”
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrong-doing, and hold the powers that be accountable.
If you have a story in the public interest, or if you’re an insider with information, contact GoPublic@cbc.ca with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.