
TD customers question how Visa Debit chequing accounts were compromised

The mystery of TD customers being charged for Spotify memberships and other charges without their consent has left customers worried their bank accounts aren’t safe.

'How did they get my information and how am I protected from this happening again?' says Mandi Grayston

Jenn Kivimaki of Fort Frances, Ont., says seeing an unauthorized Spotify charge withdrawn from her TD chequing account was the last straw. She's changing banks. (Submitted by Jenn Kivimaki)

When Jenn Kivimaki noticed an unexpected charge of $119.88 from Spotify in her TD chequing account last week, it was alarmingly familiar.

In 2015, she was shocked to find her TD bank account about $20,000 in overdraft while she was attending a friend's funeral. Someone had been using her debit number at U.S. supermarkets from New Jersey to California.

Her bank froze her account and she had to borrow money to get home from Thunder Bay, Ont., to Fort Frances, Ont., about a four-hour drive.

"I want to know how things keep happening, especially when they say there's a fraud alert on my account ... it's kind of a mystery," she said.

TD Canada Trust said its investigation into recent Spotify charges found there was no data breach and that "a very limited" number of cardholders "experienced fraudulent activity incurring unauthorized charges from a single merchant."

Why some TD customers are being charged for annual Spotify memberships without ever signing up for the music streaming service has left people across Canada worried their bank accounts aren't secure.

The bank has not said how many customers were affected, but dozens of people reported receiving reimbursements last week after a CBC News story about people discovering multiple unauthorized $119.88 Spotify charges in early July.

A TD Canada Trust branch is shown in this file photo. The bank says, 'There is no data breach. TD has in place security measures to protect customer information.' (The Canadian Press)

TD acknowledges some clients' accounts were refunded without their knowledge after the bank started looking into the suspicious transactions.

For its part, Spotify attributed the problem to an attack targeting the Canadian debit system. Erin Styles, speaking for Spotify, sent CBC News an email that said, "We do not have anything additional to share beyond the statement I shared with you last week."

Mandi Grayston of Brandon, Man., calls those explanations "absolutely horrifying." She discovered five credits totalling $599.40 to her account on July 8 after equivalent withdrawals on July 5.

Mandi Grayston of Brandon, Man., didn't know Spotify had removed money from her chequing account until after the company credited it back to her. (Submitted by Mandi Grayston)

"Any time you take my money and I didn't consent to it, no matter if you put it back on my account two days later, you still took my money initially and I did not consent to that. That is theft. Bottom line," she said.

"No matter what the problem was, Spotify does not have my bank account information."

No 'satisfactory answers'

Grayston went to a branch to get a new debit card and called TD to find out why she was never notified about the charges.

"I didn't really get any satisfactory answers from them," she said.

"How did they get my information and how am I protected from this happening again? Do I just become like my grandma and I put my money in a sock under the bed?"

Garry Clement, a former RCMP superintendent and current CEO of the Clement Advisory Group, says there’s so much fraud that small unauthorized transactions may not be investigated by law enforcement, but he said it’s important to report situations to the Canadian Anti-Fraud Centre. (CBC)

No one from TD was made available for an interview, but it said in an emailed statement there are security measures in place to protect customers.

The bank's assurances also don't go far enough for Kivimaki, who said the bank wasn't able to explain how someone was able to go on a spending spree with her chequing account.

Like others affected by the Spotify charges, she had a Visa Debit card, which can be used for online purchases much like a credit card, in addition to operating as an Interac card for in-store purchases or at bank machines. The feature isn't exclusive to TD. Among others, RBC has a virtual Visa Debit and BMO has a debit MasterCard.

Spotify says it has nothing further to add since a July 11 statement that attributed the unauthorized charges to an attack targeting the Canadian debit system. (Reuters)

"It's supposed to function like a Visa. You're supposed to enter the cardholder's security code on the back, so I wouldn't assume you'd be able to do that without that information," Kivimaki said.

"It's unnerving when it happens more than once when you think your money is safe."

CBC News has reached out to the bank to find out more information about Kivimaki's 2015 charges.

Visa declined comment to CBC News and said to instead contact TD.

Brendan Schiewe of Edmonton asked TD to turn off the Visa Debit feature on his accounts after reading the CBC News story and realizing Spotify had charged his account.

Zero-liability policy

"We're fairly cautious about where our online banking information goes ... in general, the only kind of payments that come out of our chequing account are related to, kind of those brick-and-mortar-type services, that are pretty day-to-day like utilities or daycare costs," he said.

Visa — like MasterCard, American Express and Interac — offers a zero-liability policy, meaning customers pay nothing if it's determined someone fraudulently used their account.

The Financial Consumer Agency of Canada said those policies are not legally binding, but it does monitor them to ensure the public commitments are adhered to.

The agency doesn't have any recommendations specific to preventing accounts from being hacked, but it suggests people check their statements frequently and review credit reports to keep an eye out for unusual activity.

Jenn Kivimaki says she was shocked to discover thousands of dollars worth of fraudulent charges to her TD chequing account in 2015. At the time, she thought her overdraft capped at $300. (Jenn Kivimaki)

Garry Clement, a former RCMP superintendent and financial crime expert based in Colborne, Ont., said cybercrime and fraudulent activity involving bank accounts happen more often than many people realize. He expects cybercrime will continue to "rise exponentially," especially as organized crime gets more involved.

Clement said it will continue to be challenging and costly to determine who exactly is responsible.

He said banks have tried to build safeguards, but "the big institutions don't like to publicly broadcast what their levels of fraud is or what's occurring in their accounts."

'The cost of doing business'

"The reality of it is they're giant institutions handling billions of dollars and billions of transactions in a day. For the most part, I hate to say it, but some of these losses they look at as the cost of doing business and don't put a lot of weight on doing investigations," he said.

The Spotify charges affecting TD customers are unusual, though, he said.

"We know we've had massive amounts of leaks at various large corporations over the last few years, but that definitely is indicative of a massive data breach somewhere," Clement said.

Brendan Schiewe says he's debating reporting an unauthorized charge of $119.88 to the Edmonton Police Service. He has already filed a report with the Canadian Anti-Fraud Centre. (Submitted by Brendan Schiewe)

Schiewe is one of four Canadians who filed a complaint with the Canadian Anti-Fraud Centre after the Spotify charges appeared in the joint chequing account he shares with his wife. He said despite the size of the amount removed, he is considering reporting the incident to the Edmonton Police Service.

Clement said reporting cases to the anti-fraud centre can ensure information is gathered for statistical purposes, which he said can help organizations realize the extent of the problem.

He advises people not to take the security of their accounts for granted, suggesting strong passwords and monitoring accounts so problems can be reported to institutions quickly.

Brendan Schiewe says his wife never authorized a charge to Walgreens and only saw the relatively small amount after checking her TD chequing account balance. He wonders how frequently this happens. (Submitted by Brendan Schiewe)

Last month, Schiewe's wife also noticed a fraudulent charge of $18.05 to Walgreens on her TD account. It was also reversed without her knowledge.

"It does raise my hackles because there's been no proactive information or disclosure from TD," he said.

"Is it possible that we're simply really unlucky and both managed to have our information compromised and used within a two- or three-week window and have charges reversed without anyone telling us, or is that just the tip of the iceberg and are there a whole lot of other people who have had the same kind of issues?"

Mandi Grayston first noticed she'd been credited almost $600 by Spotify before realizing she'd been charged for five annual memberships to the music streaming service a few days previously. TD didn't notify her about the problem. (Submitted by Mandi Grayston)

Grayston said amid threats of identity theft and online hacking, it's hard to have confidence that people's money is safe.

She worries the Spotify charges were a test to see if charging people's accounts was possible.

"How could you not feel horribly vulnerable?" she said. "You need to be going into your bank account at least every couple of days and make sure everything is legitimate."



Elizabeth McMillan is a journalist with CBC in Halifax. Over the past 13 years, she has reported from the edge of the Arctic Ocean to the Atlantic Coast and loves sharing people's stories. Please send tips and feedback to