The fraudster who called Judge asked for his birth date and mother’s maiden name, which Judge shared. But then the fraudster asked him to share a “one-time passcode” — a type of two-step verification — that was texted to his phone.
Judge says he refused to do that, because the message also told him not to share the code with anyone, and said that no one from Scotiabank would ever ask for it.
The fraudster claimed that he stopped the charges from going through and hung up.
But two days later, Judge discovered a charge for $17,900 to Anglia Ruskin University in the U.K. on his statement, and a second for $1,800, supposedly paid to someone by the name of Paula S. Taylor.
“All that the bank has done is accuse [Judge] of either negligence or malice,” said Claudiu Popa, who has 35 years’ experience in cybersecurity and wrote The Canadian Cyberfraud Handbook.
On the Scotiabank website:
The footnote on their website for 1, 2, and 3, are in the “Legal Notes” section, and I had to increase the fucking font size to even read it. But point 3 just refers you to FOUR different documents, in addition to other agreements for whatever product/service you have with them.
I’m sorry, but consumer protection laws need to end this kind of bullshit. A company simply can’t make their TOS so complicated that the user is always in the wrong.
And if they designed their “security system” to use SMS as a 2FA, fuck them! Banks need to be better than this!
ScotiaBank might be the reason why most of our bank laws exist.
TD is why we still have them.
Why is SMS bad as a 2FA? And what would be a better alternative?
Genuinely asking because I don’t know
Because it’s actually very easy to clone a number and intercept all the texts.
Veritasium video on it:
https://youtu.be/wVyu7NB7W6Y
SMS 2fa is considered the least secure of the multi-factor world.
An authenticator app is going to be a far better option, and doesn’t rely on a user having a smartphone, either.
Hardware keys would also be good, but not everyone has one.