BristolUK

Personal details held for ransom CBC radio report suggested money had been demanded to prevent the release of the personal details.

BristolUK

I heard on CBC radio news last night that the hackers had put up the details of 100 BMO customers somewhere on the internet - the equivalent of the kidnapee finger, I suppose - to show they're serious.

I can't find anything about that now.

MarkG

I've seen supposed links to that data dump online, but didn't actually look at it.

Latest rumour I've seen is that, if you knew (or could guess) a card number, you could exploit a hole in the website to reset the 'security question' answers for that account, then get into the account that way. Which wouldn't surprise me, as 'security questions' are possibly the biggest security hole in IT history.

BristolUK

A possible victim of this particular hack (it may have been something entirely different) said they found they couldn't get into their account, they phoned and did a password reset and once in, noticed that security questions had been changed.

So, yes, someone can get in and change them but the only potential advantage of that is to delay the account holder access so there's extra time to do stuff with the money in the account. But you'd still need the main password to go with the card number - if indeed it's one of those sign ins that need it as not all do. Some want something else in addition to the password.

Not sure how one guesses a card number though. If you have that sort of skill why mess about with paltry sums in bank accounts; why not go straight for a big lottery win.

MarkG

With a couple of million customers and card numbers using a known format, it's probably not hard to keep trying different possible card numbers until you find some that are valid.

BristolUK

And then finding the corresponding password or username that matches it.

MarkG

Doesn't need a username, since you log in with the card number. And you can presumably change the password if you have the security questions?

BristolUK

Not on any account I've ever seen. Password and a card number or username as a minimum on 10 different accounts I've had at various times

Steve_

The original BMO debit cards suffered from an algorithmic flaw in the way the numbers were assigned to the cards and there are no names on the cards, so it's possible to figure out the numbers on the cards by getting one number and calculating the other numbers and then go into online banking and get into the password reset. The solution is to get one of the new Mastercard debit cards, the same hack doesn't work with those. BMO has been issuing them for awhile now but some customers are still using the older InterAC only cards.

Yet another crappy InterAC flaw to add to the incredibly simple skimming technique people were using up until chip+PIN, I always thought it was mad to not have people's names on the cards and also the cards have no expiry date, which means you can develop an automated attack on the login as there is no other information needed other than a simple 16-digit number which you derive using the algorithm. Then you can automate the password reset using a bit of Javascript as well so it's pretty simple to do really.

It does make me wonder whether CIBC and BMO were aware of this security flaw, because CIBC was the first bank to issue Visa debit cards and then BMO followed with Mastercard.

BristolUK

So yesterday I paid a couple of bills and noticed a mystery $20 interac payment from the day before to someone in my payment list who I've had no dealings with for over 2 years.
I'm sure I had deleted them previously and maybe the conversion from PC to simplii resurrected it in the same way a system restore of a computer might.

Anyway, I cancelled it as it hadn't gone through yet - the recipient to be not accepting it as he knew it was wrong. No loss except there's a cancellation fee of $3.50.

Spoke to the bank today to confirm it wasn't me and to get the $3.50 refunded. Told them my history shows I didn't access the account on that day.

I have a new card on the way, already changed my password in case and they will investigate.

I suppose someone does something small to see if I notice it before doing something bigger, but why involve a third party and double the chance of it being noticed because of the email the third party gets? If someone had hacked into the account and wanted a trial run, why not a bill payment from a list that doesn't produce an email?

More likely some sort of computer error but what triggers something like that?

BristolUK

MIL's turn this week. Some rogue on line purchases (computer/internet service related). Funnily enough, they span a period where sign in details were changed so obviously not a hack of her computer and likely related to the bank hacking of a few weeks ago, with those details being used to pay for something.

All sorted at the bank today and a new card so any further attempts will be thwarted.

Anyone else had any rogue debits lately?