RBC customer out of pocket after fraud: What you need to know if you e-transfer money

A system to transfer money online used over a million times a day in Canada is not as safe as it advertises, says a Royal Bankcustomer who had $1,734 stolen during an e-transfer.

The theft occurredafter Anne Hoover of Peterborough, Ont.,e-transferred moneyfrom her RBC account to her friendFran Fearnley, only to have a fraudster intercept the transaction and divert the money to his own account at another bank.

"I always use e-transfer," saysHoover. "I thought it was a safe way to send money."

An RBCmanager saysan internal investigation indicated that Fearnley's email account had been hacked, andwhen Hoover sent the e-transfer, the fraudsterfigured out the answer for the security question necessary to deposit the money, and then redirected it to a different bank account.

An expert in online privacy protection and security says financial institutions have opted for convenience over security, which makes strong email passwords and equally strong e-transfer questions and passwords essential.

"How you manage those passwords is very important," says Claudiu Popa, author of The Canadian Cyberfraud Handbook and a cybersecurity expert who advises government and companies.

"Banks and financial institutions have made it very easy to transfer money via email. Unfortunately, with conveniencecomes lack of security."

How it happened

Hoover andFearnley had just returned from a trip to Mexico on March 18, when Hoover went online and used her bank's Interac e-transfer system to reimburse her palfor trip expenses.

But when Fearnley opened the email and tried to accept the payment, she got a message saying the e-transfer had already been deposited.

The women called RBC's fraud department and a bank employee provided the name of the fraudster, his email, and saidhe'd transferred the money to aTD Bank account.

"This is clearly a complete stranger," saysFearnley. "How could that possibly have happened?"

The two friends headed to their local RBC branch, where they are both customers Hoover, for more than 30 years.

The bank blamedthe theft onFearnley's email security.

Hoover's security question to her friend was:"Who is my favourite Beatle?"

Thefraudsterwould have had a one in four chance of getting it right John, Paul, George or Ringo.In a test of RBC's Interac system, Go Public was givenfour chances to answer the security question correctly.

"The manager continued to insist ... that it wasn't really their problem. It was now our problem," Hoover says.

Eventually, the manager offered Hoover half the missing fundsas a "gesture of goodwill."

Contacts police

Hoover filed a reportwith Peterboroughpolice, butan officer told her that it's difficult to clamp down on online fraudand her fight to recoup the money could take ages and would likely be fruitless.

Hoover says she feels misled by the bank's website.

A webpage about RBC's digital security tells customers they're "fully protected" and will be reimbursed "for any unauthorized transactions."

But when Hoover pointed that out to bank officials, she was told customers aren't protected if they use weak passwords when transferring funds online.

RBC declined an interview request from Go Public.

In astatement, AJGoodman, RBC's director of external communications, wrote:"As part of our electronic access agreement, clients commit to using passwords and security questions that are unique and cannot be easily guessed or obtained by others."

That information is on the bank's website, but only if a customer reading RBC's "Security Guarantee" clicks on a few different links to get to a clausein the fine print of a section called "Security."

Interac makes the same security promises online as RBC, telling customers in bold print that they are "protected from fraud losses."

No one from Interac would agree to an interview with Go Public, directing questions to RBC.

In a statement, the company's senior manager of external communications, Adrienne Vaughan, wrote that Canadians must "protect their email and passwords so they do not fall victim to cybercrime and they can safely transact online."

Woman loses $7,000 in e-transfer

In another, similar case, Dr. Sylvia Veith of Prince Albert, Sask.,lost $7,000 when she used Interac to e-transfer money to her son's hockey league in June 2017.

That money was interceptedand her bank RBC blamed a weak password to asecurity questionand told thephysician there was nothing that could be done.

• Been wronged? Contact Erica and the Go Public team

RBC would not comment on Veith's case, except to reiterate the importance ofstrong passwords. Police sayan investigation is ongoing.

Security sacrificed for convenience

"This idea of transferring money by email is much more risky than people realize," saysPopa.

"Companies don't report [incidents] because they don't want an investigation from the privacy commissioner, from other regulatory bodies."

Popa says people have been desensitized to the risk of email transfers "very quickly, almost too quickly" because they use email all the time, so they figure it's safe.

What banks and other financial institutions have done, he says, is sacrifice security to get a high number of people using the system.

Last year in Canada, there were more than 371 million e-transfersworth more than $132 billion,according to Interac Corp., the biggest online funds transfer service in the country.

The Canadian Anti-Fraud Centretold Go Public that it received 163 reports in 2018 involving e-transfers that were compromised, resulting in money being transferred to fraudsters.

Popa did a quick search of Fearnley's email on www.haveibeenpwned.com, a website that tracks data breaches and reports almost eight billion occasions when personal accountshavebeen exposed. The same email address could be acquired from several different sources.

Popafound her email was compromised on two siteswhen hackers attacked LinkedIn and Verification.io

"That means people have found those e-mail lists. They have sold them to others," saysPopa. "Different people have taken what they've needed from those lists, and that's how they got compromised, very likely."

Financial institutions resist solutions

The cybersecurity expert says financial institutions and Interac need to require something called "two-factor authentication" to better protect people's accounts.

"Every time you log into an account you need to use a second factor," explains Popa. "A code that arrives as a text message or as a separate email to a different email addressthat is only valid for a few seconds or a few minutes after it's received."

He says the financial industry knows more security is needed, but is more concerned about getting customers to use the e-transfer system.

Some financial institutions offer two-factor authentication as an option, not a requirement.

Go Public asked RBC and Interac why they don't require two-factor authentication. Both declined to address the question.

Leaving RBC

Hoover says she's learned the hard way that strong security questions and passwords are crucial.

She's escalating her case to the RBC Ombudsman,hoping to prompt the bank to better warn customers they could be liable for losses even if they're victims of fraud.

She's also closing her business account at RBC, after decades of loyalty.

"How can I feel confident [in RBC]when, in fact, I've had money stolen from me clearly stolen," saysHoover.

"This isn't secure, and people need to know."

• The worst passwords of 2018
• Data breach trends in 2019