BMO, Simplii hacked
#1
BMO, Simplii hacked
Personal details held for ransom
CBC radio report suggested money had been demanded to prevent the release of the personal details.
BMO said “fraudsters” contacted it on Sunday, May 27, claiming to have gained access to the personal and financial information of “a limited number of customers.” The bank said it believes the attack originated from outside the country. The warning from BMO follows a similar alert from Simplii,
#2
Re: BMO, Simplii hacked
I heard on CBC radio news last night that the hackers had put up the details of 100 BMO customers somewhere on the internet - the equivalent of the kidnapee finger, I suppose - to show they're serious.
I can't find anything about that now.
#3
Re: BMO, Simplii hacked
I've seen supposed links to that data dump online, but didn't actually look at it.
Latest rumour I've seen is that, if you knew (or could guess) a card number, you could exploit a hole in the website to reset the 'security question' answers for that account, then get into the account that way. Which wouldn't surprise me, as 'security questions' are possibly the biggest security hole in IT history.
#4
Re: BMO, Simplii hacked
Latest rumour I've seen is that, if you knew (or could guess) a card number, you could exploit a hole in the website to reset the 'security question' answers for that account, then get into the account that way. Which wouldn't surprise me, as 'security questions' are possibly the biggest security hole in IT history.
So, yes, someone can get in and change them but the only potential advantage of that is to delay the account holder access so there's extra time to do stuff with the money in the account. But you'd still need the main password to go with the card number - if indeed it's one of those sign ins that need it as not all do. Some want something else in addition to the password.
Not sure how one guesses a card number though. If you have that sort of skill why mess about with paltry sums in bank accounts; why not go straight for a big lottery win.
#5
Re: BMO, Simplii hacked
With a couple of million customers and card numbers using a known format, it's probably not hard to keep trying different possible card numbers until you find some that are valid.
#8
Re: BMO, Simplii hacked
Not on any account I've ever seen. Password and a card number or username as a minimum on 10 different accounts I've had at various times
#9
Re: BMO, Simplii hacked
The original BMO debit cards suffered from an algorithmic flaw in the way the numbers were assigned to the cards and there are no names on the cards, so it's possible to figure out the numbers on the cards by getting one number and calculating the other numbers and then go into online banking and get into the password reset. The solution is to get one of the new Mastercard debit cards, the same hack doesn't work with those. BMO has been issuing them for a while now but some customers are still using the older Interac-only cards.
Yet another crappy Interac flaw to add to the incredibly simple skimming technique people were using up until chip+PIN, I always thought it was mad to not have people's names on the cards and also the cards have no expiry date, which means you can develop an automated attack on the login as there is no other information needed other than a simple 16-digit number which you derive using the algorithm. Then you can automate the password reset using a bit of JavaScript as well so it's pretty simple to do really.
It does make me wonder whether CIBC and BMO were aware of this security flaw, because CIBC was the first bank to issue Visa debit cards and then BMO followed with Mastercard.
#10
Re: BMO, Simplii hacked
So yesterday I paid a couple of bills and noticed a mystery $20 Interac payment from the day before to someone in my payment list who I've had no dealings with for over 2 years.
I'm sure I had deleted them previously and maybe the conversion from PC to Simplii resurrected it in the same way a system restore of a computer might.
Anyway, I cancelled it as it hadn't gone through yet - the recipient to be not accepting it as he knew it was wrong. No loss except there's a cancellation fee of $3.50.
Spoke to the bank today to confirm it wasn't me and to get the $3.50 refunded. Told them my history shows I didn't access the account on that day.
I have a new card on the way, already changed my password in case and they will investigate.
I suppose someone does something small to see if I notice it before doing something bigger, but why involve a third party and double the chance of it being noticed because of the email the third party gets? If someone had hacked into the account and wanted a trial run, why not a bill payment from a list that doesn't produce an email?
More likely some sort of computer error but what triggers something like that?
#11
Re: BMO, Simplii hacked
MIL's turn this week. Some rogue online purchases (computer/internet service related). Funnily enough, they span a period where sign in details were changed so obviously not a hack of her computer and likely related to the bank hacking of a few weeks ago, with those details being used to pay for something.
All sorted at the bank today and a new card so any further attempts will be thwarted.
Anyone else had any rogue debits lately?