CBC News has reported that Canada’s chartered banks will not take responsibility for money stolen from your online accounts by hackers. The CBC tells the story of a man from Surrey, BC, who was informed by his bank, Scotiabank, that $3,000 of his money had been transferred out of his savings account.
According to Christopher Parsons, a senior public policy researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy, Sunjit Lidhar is the victim of a "systemic problem" of criminals breaking into people's online accounts and stealing money. Scotiabank initially denied his claim because the transaction was authorized from an internet address where he has "extensive history."
Lidhar went to Go Public, an investigative news segment on CBC-TV, radio and the web. After Go Public contacted Scotiabank, it offered to compensate Lidhar — six months after his money was stolen.
Lidhar’s story isn’t unique. Go Public has heard from other consumers with similar stories, including the case of Martin Chapman of Peterborough, Ont. Chapman lost almost $12,000 when criminals broke into his accounts at TD Bank and Royal Bank. Initially, he says, TD refused to fully compensate him, offering just $1,805. "They have admitted to me they don't know how the scammer broke through their security system," said Chapman. Only after he appealed did TD agree to reimburse all $6,000. RBC refunded the remaining money after a two-week investigation.
Cybersecurity expert Limor Kessem also spoke to CBC about the problem of hackers in banking systems around the world. "These threats are very real and very problematic," said Kessem. "In the beginning, we would see that a banking trojan would be targeting banks through their customers," such as GozNym, a malware attack she helped uncover that was shut down in May as part of an international law enforcement operation. “GozNym targeted two financial institutions based in Canada — which Kessem won't name — and 22 U.S. banks, credit unions and popular e-commerce platforms, stealing sensitive personal and financial information, including online banking login credentials such as usernames and passwords. It's estimated GozNym stole over $100 million from some 40,000 victims.” It's an example of the sort of malware that might be responsible for the thefts against Lidhar and Chapman.
Christopher Parsons says ultimately the banks should be responsible for these transactions: "They can't just provide us tools or push liability upon us and then walk away. One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they're encouraged to build way better security and protect their customers from this sort of fraud." Parsons points to legislation in the UK that came about because of this same issue: “as soon as the banks had to take those losses, all of a sudden … fraud plummeted because the banks invested massively in security."
So far in Canada, it doesn’t look like banks have to do anything to help consumers when it comes to this type of fraud. The Canadian Deposit Insurance Corporation (CDIC), which is there to protect Canadian deposits up to $100,000, states on its FAQ site that “CDIC does not cover losses due to fraud. CDIC coverage only applies in the event of a member institution failure.” It seems the only recourse Canadians have in the event they are hacked is to contact the media.
Canadians can also help prevent fraud by using strong passwords for both their online banking and e-transfers. E-transfer fraud, in which payments are intercepted, is also a growing concern. In addition, use multifactor authentication for all your banking logins. That being said, the absolute safest thing is to no longer conduct any online banking transactions. Lidhar, for his part, has stopped online banking and now heads to his bank branch instead — a hassle he says is worth it, for peace of mind. "I just want people to know that this is something that's very real," says Lidhar. "It's not safe. And that's something they [the banks] need to work on."