Banks deny compensation when hackers steal customers' money
Financial institutions should be liable when customers lose savings, policy researcher says
Sunjit Lidhar was awoken by a phone call from Scotiabank last February, informing him that $3,000 had been transferred out of his savings account and was gone.
"My heart pretty much dropped to my stomach," Lidhar told Go Public from his home in Surrey, B.C. "We just assume our money's safe."
Soon after, the cybercriminals stole another $2,000. But worst of all, Scotiabank refused to reimburse him.
"It is not acceptable to have your money stolen from your account and the bank — which you trust so much with your life savings — tells you they can't do much to help."
Lidhar is the victim of a "systemic problem" of criminals breaking into people's online accounts and stealing money, according to Christopher Parsons, a senior public policy researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy.
Parsons argues that the country's banks, not their customers, should be financially liable when thieves raid customer accounts.
"The banks are responsible — solely responsible — for building and maintaining the infrastructure," he said.
"We need to reverse the liability the banks currently impose upon individuals who are using the very services and tools that banks are providing."
The trouble started for Lidhar on Feb. 11, when hackers broke into his account and e-transferred $3,000 in two transactions — one for $2,000 and one for $1,000 — to an email address he says he doesn't recognize.
As soon as he learned about it, Lidhar says he changed his password, got a new debit card, asked Scotiabank to freeze his accounts and stopped banking online.
Scotiabank said it would investigate, but when Lidhar didn't hear back after two weeks, he visited his local branch. While he was speaking to someone in the fraud department, he was told that money was again being transferred out of his account.
"I was totally shocked and blown away that this was happening while I was in the branch," he said.
His bank was able to stop one e-transfer for $1,000 but not another for $2,000.
Lidhar says Scotiabank took a few weeks to investigate, and then said it wouldn't cover his losses.
In an email, Scotiabank said his claim was denied because the transaction was authorized from an internet address where he has "extensive history."
Security experts tell Go Public that hackers can access a bank account from a victim's IP address by taking over an infected computer and logging in as if they were that person.
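The point the experts are making is that a familiar IP address proves only that the session came from the customer's usual device or network, which is exactly what malware on that device would present. A fraud-scoring rule that treats IP familiarity as proof of authorization therefore clears the very transfers it should be holding. The following is an added illustration written for this piece, not code from Scotiabank, any other bank or Go Public: a small risk scorer that weights IP familiarity weakly and leans instead on signals a compromised session still trips (a first-ever recipient, an amount above the customer's norm, a burst of transfers, and an account the customer has already reported as compromised). All names, thresholds, dates and the 203.0.113.7 address are constructed; the amounts loosely follow the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Transfer:
    ts: datetime
    amount: float
    recipient: str      # e-transfer destination (email address)
    ip: str             # source IP of the online-banking session


@dataclass
class AccountProfile:
    known_ips: set
    known_recipients: set
    typical_max_amount: float
    fraud_reported: bool = False                 # customer reported compromise / asked for a freeze
    history: list = field(default_factory=list)  # prior transfer attempts, blocked ones included


def score_transfer(profile: AccountProfile, t: Transfer,
                   burst_window: timedelta = timedelta(hours=24)):
    """Return (score, reasons). IP familiarity is deliberately a weak signal:
    malware on the customer's own machine logs in from the customer's own IP."""
    score, reasons = 0, []
    if t.ip not in profile.known_ips:
        score += 2
        reasons.append("unfamiliar IP")
    if t.recipient not in profile.known_recipients:
        score += 3
        reasons.append("first transfer to this recipient")
    if t.amount > profile.typical_max_amount:
        score += 2
        reasons.append("amount above customer's typical maximum")
    recent = [h for h in profile.history if timedelta(0) <= t.ts - h.ts <= burst_window]
    if recent:
        score += 2
        reasons.append(f"{len(recent)} other transfer(s) within {burst_window}")
    if profile.fraud_reported:
        score += 5
        reasons.append("account flagged: fraud reported / freeze requested")
    return score, reasons


def decide(score: int) -> str:
    # Thresholds are constructed for the example; a real deployment would tune them.
    if score >= 6:
        return "block"
    if score >= 3:
        return "step_up"   # hold the transfer and confirm out of band (phone call, app push)
    return "allow"


def evaluate(profile: AccountProfile, transfers):
    results = []
    for t in transfers:
        score, reasons = score_transfer(profile, t)
        results.append({"amount": t.amount, "score": score,
                        "decision": decide(score), "reasons": reasons})
        profile.history.append(t)   # attempts count toward burst detection even when blocked
    return results


def sample_run():
    """Constructed scenario: every session comes from the customer's usual IP."""
    profile = AccountProfile(known_ips={"203.0.113.7"},
                             known_recipients={"landlord@example.com"},
                             typical_max_amount=500.0)
    feb1 = datetime(2019, 2, 1, 9, 0)      # year is arbitrary
    feb11 = datetime(2019, 2, 11, 10, 0)
    first_batch = [
        Transfer(feb1, 450.0, "landlord@example.com", "203.0.113.7"),            # routine payment
        Transfer(feb11, 2000.0, "payee-unknown@example.net", "203.0.113.7"),     # new recipient
        Transfer(feb11 + timedelta(minutes=5), 1000.0, "payee-unknown@example.net", "203.0.113.7"),
    ]
    results = evaluate(profile, first_batch)
    profile.fraud_reported = True           # customer phoned in and asked for a freeze
    feb25 = datetime(2019, 2, 25, 11, 0)
    second_batch = [
        Transfer(feb25, 1000.0, "payee-unknown@example.net", "203.0.113.7"),
        Transfer(feb25 + timedelta(minutes=3), 2000.0, "payee-unknown@example.net", "203.0.113.7"),
    ]
    results += evaluate(profile, second_batch)
    return results


if __name__ == "__main__":
    for r in sample_run():
        print(f"${r['amount']:>7.2f}  score={r['score']:<2} {r['decision']:<8} {'; '.join(r['reasons'])}")
```

In this scenario the routine payment is allowed, the first transfer to a never-seen recipient is held for out-of-band confirmation, the second one minutes later is blocked outright, and anything attempted after the customer has reported fraud is blocked regardless of where the session comes from. Notice that "unfamiliar IP" never appears in the reasons: the scorer reaches its decisions without it, which is the property a bank needs when the attacker is sitting on the customer's own machine.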
Lidhar says Scotiabank wouldn't explain how the fraud happened, adding that only he has access to his account.
"They're trying to blame me," he said. "And they haven't told me anything about who it went to."
In a statement to Go Public, a Scotiabank spokesperson said the bank "took immediate action and conducted a thorough investigation" into Lidhar's case.
"We take the concerns of our customers very seriously," wrote Douglas Johnson.
After Go Public contacted Scotiabank, it offered to compensate Lidhar — six months after his money was stolen.
More bank customers blamed
Go Public has heard similar stories from others — all saying their accounts were hacked, and that the banks often won't reimburse them.
In May, Martin Chapman of Peterborough, Ont., lost almost $12,000 when criminals broke into his accounts at TD Bank and Royal Bank. Initially, he says, TD refused to fully compensate him, offering just $1,805. "They have admitted to me they don't know how the scammer broke through their security system," said Chapman. Only after he appealed did TD agree to reimburse all $6,000. RBC refunded the remaining money after a two-week investigation. TD would not respond to questions from Go Public about this case.
Curtis Hamilton of Esquimalt, B.C., says he was targeted by hackers last November who installed a key logger on his computer and sent just over $2,000 to themselves. TD's fraud department said Hamilton didn't protect his password and it was his fault. Hamilton had anti-malware software on his computer. He's hired a lawyer but has yet to get his money back. "It's been quite frustrating," he said. "The bank is basically saying … 'We're not responsible for anything.'" TD would not comment on this case when asked by Go Public.
Patricia Widdis of Breslau, Ont., told Go Public that hackers accessed her RBC account and redirected her Visa payments, stealing $12,000 in May 2018. The bank was able to get $7,000 returned, but she is still out $5,000 and feels betrayed. "They said, 'You made the payments yourself,'" said Widdis. An RBC spokesperson wrote that potentially unauthorized transactions are analyzed "on a case-by-case" basis.
Threats 'very problematic'
Most Canadians are unaware that more criminals are hacking into financial institutions in Canada and around the world, says security expert Limor Kessem.
"These threats are very real and very problematic," said Kessem, an adviser based in Tel Aviv with IBM X-Force, an international team of investigators who track global security threats to the financial sector.
"In the beginning," she said, "we would see that a banking trojan [a type of virus] would be targeting banks through their customers," such as GozNym, a malware attack she helped uncover and that was shut down in May, as part of an international law enforcement operation.
GozNym targeted two financial institutions based in Canada — which Kessem won't name — and 22 U.S. banks, credit unions and popular e-commerce platforms, stealing sensitive personal and financial information, including online banking login credentials such as usernames and passwords.
It's estimated GozNym stole over $100 million from some 40,000 victims. It's an example of the sort of malware that might be responsible for the hacks against Lidhar, Hamilton and Chapman.
"And then we have a different type of attack," said Kessem. "Cybercrime groups that will invade the banks' actual infrastructure and get into their payment systems and start compromising them internally."
Banks 'should be liable'
It all points to the need for financial institutions to take responsibility when hackers steal customers' money, says Parsons, the public policy researcher.
"They can't just provide us tools or push liability upon us and then walk away," he said. "One of the ways of correcting this would be to shift the liability structure. So rather than punishing customers … the banks themselves should be liable, so that they're encouraged to build way better security and protect their customers from this sort of fraud."
In the U.K., says Parsons, banking fraud was such a big problem that the government made banks responsible for customers' financial losses.
"And as soon as the banks had to take those losses, all of a sudden … fraud plummeted because the banks invested massively in security," said Parsons.
He says Canada's next government needs to follow the U.K.'s example.
"If banks themselves won't do it, then it's an area where legislation needs to be seriously considered. We can't rely on customers to know about every kind of security vulnerability, to track every website that has breached passwords," he said. "That's just absolutely absurd and not a feasible solution to the problem."
Go Public asked the Canadian Bankers Association — which represents Canada's largest banks — whether its members would consider assuming liability when hackers break into the online banking systems they have created. A spokesperson did not address that question, but wrote that banks "have no higher priority than the security of their customers' money and conduct comprehensive investigations of all fraud cases, some of which are complex and take time to investigate the specifics of the case."
All the banks involved in these cases have told Go Public that customers are responsible for taking precautions to ensure their devices, accounts and information are protected.
Sunjit Lidhar says he's stopped doing online banking and now heads to his bank branch instead — a hassle he says is worth it, for peace of mind.
He says he wrote to Go Public to let people know that banks could hold them responsible when hackers strike.
"I just want people to know that this is something that's very real," says Lidhar. "It's not safe. And that's something they [the banks] need to work on."
Go Public is an investigative news segment on CBC-TV, radio and the web.
With files from Enza Uda