Between his browser being used (it would have a fingerprint logged as “trusted”), a password, his home IP, and OTPs being sent to his phone, I can see why they aren’t in a rush to cover it. That’s a lot of things lining up at once.
Of course, there could be a combo of a pwned computer and a sim swap, but that’s a lot of trouble to go to for $15k. Not unheard of, but there needs to be a lot more than just his word for it at this point.
That is not a lot of trouble for $15K. Especially in countries with lower living costs
https://www.courts.ns.ca/courts/small-claims-court
Provincial Small Claims Court should be the appropriate avenue for this person to get restitution. This is different than a scam, where the person is fooled into approving a request, banks have more reason to say its the victim’s responsibility, but here the money disappeared with no action on the victim’s part.
Unless TD can prove that it was something the customer did that allowed their money to leave their account that way and the customer can show they weren’t negligent either, and had tried to follow all internal steps to resolution as soon as he noticed, he should have a decent case to argue. I think in this particular case I’d get a lawyer to keep TD from weaseling out on their technical excuses.
As much as I don’t like LTT, this video is interesting on cell hijacking
https://m.youtube.com/watch?v=wVyu7NB7W6Y
I left Tangerine once they started to force SMS 2fa and fought hard to avoid it. Wealthsimple has support for authenticator 2FA which is nice. I looked a year or so ago and I couldn’t find another bank that doesn’t force SMS 2fa
Banks don’t want security, they want plausible deniability. If they say they sent a code to your phone, that’s the end of it for them. They can say it was up to you to secure your phone number then.
RBC doesn’t force SMS 2FA, if you don’t mind having their app on your phone.
Its seriously embarrassing how bad our banks are at security. I’ve complained before and got the response “well you are covered if anything happens to your account”, they didn’t seem to understand when my response was “but I don’t want to have to deal with arguing to get my money back”
Stuff like this is exactly what I was worried about.
The other thing that banks so that really annoys me is they say “don’t share your password to anyone” and then only give the option of a 3rd party company that you provide your login to in order to link accounts between banks. What happens if one of those businesses gets hacked? Would they reject claims because you gave them your account details?
Wealth simple wanted my Tangerine password to link the accounts. I didn’t because I was afraid of that exact thing. I’m pretty sure it’s in the fineprint/TOC/Whatever it is that as soon as you provide your password to the 3rd party the bank isn’t liable anymore.
What happens if one of those businesses gets hacked?
As recent history has shown, it isn’t “if”, it’s “when”, alas.
(This kind of BS is exactly why I do all my banking in person.)
Vancity has OTP 2FA as an alternative, I think they added that sometime last year which I really appreciate.
