A system to transfer money online — used over a million times a day in Canada — is not as safe as it advertises, says a Royal Bank customer who had $1,734 stolen during an e-transfer.
The theft occurred after Anne Hoover of Peterborough, Ont., e-transferred money from her RBC account to her friend Fran Fearnley, only to have a fraudster intercept the transaction and divert the money to his own account at another bank.
“I always use e-transfer,” says Hoover. “I thought it was a safe way to send money.”
An RBC manager says an internal investigation indicated that Fearnley’s email account had been hacked, and when Hoover sent the e-transfer, the fraudster figured out the answer for the security question necessary to deposit the money, and then redirected it to a different bank account.
An expert in online privacy protection and security says financial institutions have opted for convenience over security, which makes strong email passwords and equally strong e-transfer questions and passwords essential.
“How you manage those passwords is very important,” says Claudiu Popa, author of The Canadian Cyberfraud Handbook and a cybersecurity expert who advises government and companies.
“Banks and financial institutions have made it very easy to transfer money via email. Unfortunately, with convenience, comes lack of security.”
How it happened
Hoover and Fearnley had just returned from a trip to Mexico on March 18, when Hoover went online and used her bank’s Interac e-transfer system to reimburse her pal for trip expenses.
But when Fearnley opened the email and tried to accept the payment, she got a message saying the e-transfer had already been deposited.
The women called RBC’s fraud department and a bank employee provided the name of the fraudster, his email, and says he’d transferred the money to a TD Bank account.
“This is clearly a complete stranger,” says Fearnley. “How could that possibly have happened?”
The two friends headed to their local RBC branch, where they are both customers — Hoover, for more than 30 years.
The bank blamed the theft on Fearnley’s email security.
Hoover’s security question to her friend was: “Who is my favourite Beatle?”
The fraudster would have had a one in four chance of getting it right — John, Paul, George or Ringo. In a test of RBC’s Interac system, Go Public was given four chances to answer the security question correctly.
“The manager continued to insist … that it wasn’t really their problem. It was now our problem,” Hoover says.
Eventually, the manager offered Hoover half the missing funds as a “gesture of goodwill.”
Hoover filed a report with Peterborough police, but an officer told her that it’s difficult to clamp down on online fraud and her fight to recoup the money could take ages and would likely be fruitless.
Hoover says she feels misled by the bank’s website.
A webpage about RBC’s digital security tells customers they’re “fully protected” and will be reimbursed “for any unauthorized transactions.”
But when Hoover pointed that out to bank officials, she was told customers aren’t protected if they use weak passwords when transferring funds online.
RBC declined an interview request from Go Public.
In a statement, AJ Goodman, RBC’s director of external communications wrote: “As part of our electronic access agreement, clients commit to using passwords and security questions that are unique and cannot be easily guessed or obtained by others.”
That information is on the bank’s website, but only if a customer reading RBC’s “Security Guarantee” clicks on a few different links to get to a clause in the fine print of a section called “Security.”
Interac makes the same security promises online as RBC, telling customers in bold print that they are “protected from fraud losses.”
No one from Interac would agree to an interview with Go Public, directing questions to RBC.
In a statement, the company’s senior manager of external communications, Adrienne Vaughan, wrote that Canadians must “protect their email and passwords so they do not fall victim to cybercrime and they can safely transact online.”
Woman loses $7,000 in e-transfer
In another, similar case, Dr. Sylvia Veith of Prince Albert, Sask., lost $7,000 when she used Interac to e-transfer money to her son’s hockey league in June 2017.
That money was intercepted and her bank — RBC — blamed a weak password to a security question and told the physician there was nothing that could be done.
RBC would not comment on Veith’s case, except to reiterate the importance of strong passwords. Police say an investigation is ongoing.
Security sacrificed for convenience
“This idea of transferring money by email is much more risky than people realize,” says Popa.
“Companies don’t report [incidents] because they don’t want an investigation from the privacy commissioner, from other regulatory bodies.”
Popa says people have been desensitized to the risk of email transfers “very quickly, almost too quickly” because they use email all the time, so they figure it’s safe.
What banks and other financial institutions have done, he says, is sacrifice security to get a high number of people using the system.
Last year in Canada, there were more than 371 million e-transfers worth more than $132 billion, according to Interac Corp., the biggest online funds transfer service in the country.
The Canadian Anti-Fraud Centre told Go Public that it received 163 reports in 2018 involving e-transfers that were compromised, resulting in money being transferred to fraudsters.
Popa did a quick search of Fearnley’s email on www.haveibeenpwned.com, a website that tracks data breaches and reports almost eight billion occasions when personal accounts have been exposed. The same email address could be acquired from several different sources.
Popa found her email was compromised on two sites when hackers attacked LinkedIn and Verification.io
“That means people have found those e-mail lists. They have sold them to others,” says Popa. “Different people have taken what they’ve needed from those lists, and that’s how they got compromised, very likely.”
Financial institutions resist solutions
The cybersecurity expert says financial institutions and Interac need to require something called “two-factor authentication” to better protect people’s accounts.
“Every time you log into an account you need to use a second factor,” explains Popa. “A code that arrives as a text message or as a separate email to a different email address that is only valid for a few seconds or a few minutes after it’s received.”
He says the financial industry knows more security is needed, but is more concerned about getting customers to use the e-transfer system.
Some financial institutions offer two-factor authentication as an option, not a requirement.
Go Public asked RBC and Interac why they don’t require two-factor authentication. Both declined to address the question.
Hoover says she’s learned the hard way that strong security questions and passwords are crucial.
She’s escalating her case to the RBC Ombudsman, hoping to prompt the bank to better warn customers they could be liable for losses even if they’re victims of fraud.
She’s also closing her business account at RBC, after decades of loyalty.
“How can I feel confident [in RBC] when, in fact, I’ve had money stolen from me — clearly stolen,” says Hoover.
“This isn’t secure, and people need to know.”
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories and hold the powers that be accountable.
We want to hear from people across the country with stories you want to make public.
Submit your story ideas to firstname.lastname@example.org.
Follow @CBCGoPublic on Twitter.
This story originally appeared on CBC