Quebecers who are victims of bank transfers abroad without their authorization find it increasingly difficult to convince their banking institution that it is a fraud.
Geneviève Desrosiers of Montreal has been trying for months to recover the missing $15,000 from her BMO account.
« Ils [les fraudeurs] made a first transfer of $7,450 in the name of Felipe Marin Benito, an amount in euros”, she relates to the show. JEwhich will be broadcast tonight at 9:30 p.m. on TVA.
The scammers used a new feature of the mobile application offered to customers of this bank for just over a year, “BMO Global Money Transfer”. The bank claims that this type of transfer makes it possible to send money to around fifty countries inexpensively and securely.
Screenshot of the show JE
Geneviève Desrosiers has still not seen the color of the $15,000 allegedly stolen from her BMO account.
Ms. Desrosiers alerted BMO as soon as she saw the suspicious transfer. “When I called, they told me: ‘It’s only been done for an hour. […] We can’t intercept it because it’s marked approved”. »
A week later, she sees another transfer of $7,500.
“A new name, in Spain once more. I called the bank and said, ‘Hurry up and intercept it, it’s not deposited yet’. They let him go! “, she laments.
Refusal to refund
BMO refuses to reimburse her the $15,000, because it maintains that the transactions come from Ms. Desrosiers’ IP address. She also refuses to give him her investigation report, which computer security expert Éric Parent finds difficult to explain.
“There are plenty of maneuvers that might allow this information to be falsified [à propos de l’adresse IP] he says.
However, Geneviève Desrosiers has fulfilled the obligations of the contract which binds her to her bank, according to lawyer Sylvie de Bellefeuille, of Option consumer.
“It’s easier to prove something you’ve done than something you haven’t done,” she laments.
Luckier
Another consumer, Marie Aubry, a client of the National Bank, says she was the victim of a similar scheme.
“All my savings, $8,500, which would have gone to England. There were six transfers in total,” she reports.
Even though she believed for a long time that she would never see the color of her money once more, Ms. Aubry was luckier than Ms. Desrosiers. When we contacted the Canadian Bankers Association, which represents the industry in the country, by email, Ms. Aubry received a call from the National Bank a few hours later.
“I was told that there are too many inexplicable things and that they were going to fully reimburse my losses,” she says.
BMO, for its part, will lose a very good client in Ms. Desrosiers.
“Me, I have my pension fund, my RRSP, my mortgage loan, my line of credit, my credit card, I have everything with them. They are ready to lose a client for $15,000! “, she laments.
They thwart double identification
Fraudsters can now circumvent two-factor authentication, used by banks as an additional security measure.
This is exactly what seems to have happened in the cases of Ms. Aubry and Ms. Desrosiers.
The latter went to the BMO ombudsman to defend her case, without success. The ombudsman says that “three unique access codes were texted to her at the phone number on file and she entered them correctly.” In short, that there was a double authorization from Ms. Desrosiers for each of the transactions, which she vehemently denies.
In the case of Marie Aubry, the National Bank also claims that it was her device and her passwords that were used for the double authorization and therefore allowed the transaction.
Dark web
For expert Éric Parent, the fraudsters have probably got their hands on the email address linked to his accounts.
“Someone is compromising your emails. It can enter your banking system. And we can ask to send the famous code [pour l’identification à deux facteurs] by email. »
According to Mathieu Lavoie, of Flare, a company using artificial intelligence to monitor the digital footprint of its customers, the dark web (or underground web) can make life much easier for fraudsters.
On this platform, he showed us that it is possible for a fraudster to buy the master password linked to a bank account, which then allows them to add a telephone number or an email of their choice for the two-factor authentication.
