'Zero Day' vulnerabilities at TD Bank

Discussion in 'other security issues & news' started by Mover, Sep 25, 2019.

  1. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    171
    Most people think of a zero day vulnerability as a vulnerability that hasn't been discovered or is in its infancy stage. Most would think 'Windows' or some other laptop/PC operating system.

    Being someone who understands many platforms and technologies, there are 'zero day' vulnerabilities where very few are being recognized or even listed in the news. The report below didn't surprise me.

    It was only a matter of time.

    https://www.cbc.ca/news/business/etransfer-fraud-banks-blame-customers-1.5286926

    Are there more 'zero day' vulnerabilities that will surface ?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,733
    Location:
    U.S.A.
    I having a hard time figuring out how this fraud occurred:
    I am assuming that the two-factor authorization is the bank sends an e-mail to the recipient and he replies back with a code supplied to him by the bank customer doing the e-transfer? I never heard of such a two factor authorization method.

    My U.S. bank will require two factor authorization on e-transfers over a certain amount. However, this occurs while I am logged on to the bank's web site. They send a numeric code to my cell phone and I have to manually enter that code on the web site for that e-transfer to occur. After that point, the bank assumes all responsibility in ensuring the money is transferred into the recipient's bank account. Also I have to pre-qualify e-transfer recipient's; name, address, bank name and account number, etc. prior to doing an e-transfer.

    -EDIT- Other things about this story that make no sense is it appears that the attacker by replying to the e-mail was able to redirect the transfer to his bank account. Or use a possible confirmation e-mail after the initial reply to present in person at the bank for a cash payment. Again, I have never heard of such a thing.

    Finally, why is this the bank customer's issue? It was the contractor's e-mail that got hacked. In which case, the payment issue is between the contractor and the customer's bank. Legally from what I can tell, the customer fulfilled all his payment obligations.

    One possibility here is this payment was done under e-bill payment methods which are not as stringent as bank-to-bank e-payments. Why the payer would have chose that method for such a sum of money is beyond me. Possibly because the contractor wouldn't give him his bank account number.

    Anyone pay by paper check these days? A cashier's check would have sufficed in this situation.

    But this is Canada and the whole banking system there is screwed up.
     
    Last edited: Sep 25, 2019
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,733
    Location:
    U.S.A.
    OK. The person most likely used Zelle which my bank just started offering. Note the last paragraph:
    There is also additional text stating in effect this is a kind of "mutual trust" setup with no involved party assuming any liability.

    Bottom line - you get what you pay for. Since Zelle has no service fees, you get very little security in return.
     
  4. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
    Last edited: Sep 26, 2019
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,733
    Location:
    U.S.A.
    "The devil is in the detail."
    https://www.interac.ca/en/zero-liability.html

    With TD's argument being his lax assignment of easily guessed validation code was "within his control."

    This story is not unique in that bank's everywhere will attempt to "weasel out" of loss reimbursement.
     
  6. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,733
    Location:
    U.S.A.
    At least this "fills in the blanks" missing in earlier articles.

    It was the contractor's e-mail that was hacked by the attacker. He in turn via the contractor's e-mail directed the customer to deposit the money in his account.

    Classic e-mail fraud plain and simple. From a legal standpoint, I would say it is the contractor who is out of the payment since it was his e-mail account that was hacked. It was also he that specified he be paid through this phony baloney e-transfer system involving e-mail exchanges between the parties.

    Now let me guess. Canada has laws in effect that allow a contractor to slap a lien on a property for non-payment for any reason.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.