TD customers question how Visa Debit chequing accounts were compromised
'How did they get my information and how am I protected from this happening again?' says Mandi Grayston
When Jenn Kivimaki noticed an unexpected charge of $119.88 from Spotify in her TD chequing account last week, it was alarmingly familiar.
In 2015, she was shocked to find her TD bank account about $20,000 in overdraft while she was attending a friend's funeral. Someone had been using her debit number at U.S. supermarkets from New Jersey to California.
Her bank froze her account and she had to borrow money to get home from Thunder Bay, Ont., to Fort Frances, Ont., about a four-hour drive.
"I want to know how things keep happening, especially when they say there's a fraud alert on my account ... it's kind of a mystery," she said.
TD Canada Trust said its investigation into recent Spotify charges found there was no data breach and that "a very limited" number of cardholders "experienced fraudulent activity incurring unauthorized charges from a single merchant."
Why some TD customers are being charged for annual Spotify memberships without ever signing up for the music streaming service has left people across Canada worried their bank accounts aren't secure.
The bank has not said how many customers were affected, but dozens of people reported receiving reimbursements last week after a CBC News story about people discovering multiple unauthorized $119.88 Spotify charges in early July.
TD acknowledges some clients' accounts were refunded without their knowledge after the bank started looking into the suspicious transactions.
For its part, Spotify attributed the problem to an attack targeting the Canadian debit system. Erin Styles, speaking for Spotify, sent CBC News an email that said, "We do not have anything additional to share beyond the statement I shared with you last week."
Mandi Grayston of Brandon, Man., calls those explanations "absolutely horrifying." She discovered five credits totalling $599.40 to her account on July 8 after equivalent withdrawals on July 5.
"Any time you take my money and I didn't consent to it, no matter if you put it back on my account two days later, you still took my money initially and I did not consent to that. That is theft. Bottom line," she said.
"No matter what the problem was, Spotify does not have my bank account information."
No 'satisfactory answers'
Grayston went to a branch to get a new debit card and called TD to find out why she was never notified about the charges.
"I didn't really get any satisfactory answers from them," she said.
"How did they get my information and how am I protected from this happening again? Do I just become like my grandma and I put my money in a sock under the bed?"
No one from TD was made available for an interview, but it said in an emailed statement there are security measures in place to protect customers.
The bank's assurances also don't go far enough for Kivimaki, who said the bank wasn't able to explain how someone was able to go on a spending spree with her chequing account.
Like others affected by the Spotify charges, she had a Visa Debit card, which can be used for online purchases much like a credit card, in addition to operating as an Interac card for in-store purchases or at bank machines. The feature isn't exclusive to TD. Among others, RBC has a virtual Visa Debit and BMO has a debit MasterCard.
"It's supposed to function like a Visa. You're supposed to enter the cardholder's security code on the back, so I wouldn't assume you'd be able to do that without that information," Kivimaki said.
"It's unnerving when it happens more than once when you think your money is safe."
CBC News has reached out to the bank to find out more information about Kivimaki's 2015 charges.
Visa declined comment to CBC News and said to instead contact TD.
Brendan Schiewe of Edmonton asked TD to turn off the Visa Debit feature on his accounts after reading the CBC News story and realizing Spotify had charged his account.
"We're fairly cautious about where our online banking information goes ... in general, the only kind of payments that come out of our chequing account are related to, kind of those brick-and-mortar-type services, that are pretty day-to-day like utilities or daycare costs," he said.
Visa — like MasterCard, American Express and Interac — offers a zero-liability policy, meaning customers pay nothing if it's determined someone fraudulently used their account.
The Financial Consumer Agency of Canada said those policies are not legally binding, but it does monitor them to ensure the public commitments are adhered to.
The agency doesn't have any recommendations specific to preventing accounts from being hacked, but it suggests people check their statements frequently and review credit reports to keep an eye out for unusual activity.
Garry Clement, a former RCMP superintendent and financial crime expert based in Colborne, Ont., said cybercrime and fraudulent activity involving bank accounts happen more often than many people realize. He expects cybercrime will continue to "rise exponentially," especially as organized crime gets more involved.
Clement said it will continue to be challenging and costly to determine who exactly is responsible.
He said banks have tried to build safeguards, but "the big institutions don't like to publicly broadcast what their levels of fraud is or what's occurring in their accounts."
'The cost of doing business'
"The reality of it is they're giant institutions handling billions of dollars and billions of transactions in a day. For the most part, I hate to say it, but some of these losses they look at as the cost of doing business and don't put a lot of weight on doing investigations," he said.
The Spotify charges affecting TD customers are unusual, though, he said.
"We know we've had massive amounts of leaks at various large corporations over the last few years, but that definitely is indicative of a massive data breach somewhere," Clement said.
Schiewe is one of four Canadians who filed a complaint with the Canadian Anti-Fraud Centre after the Spotify charges appeared in the joint chequing account he shares with his wife. He said despite the size of the amount removed, he is considering reporting the incident to the Edmonton Police Service.
Clement said reporting cases to the anti-fraud centre can ensure information is gathered for statistical purposes, which he said can help organizations realize the extent of the problem.
He advises people not to take the security of their accounts for granted, suggesting strong passwords and monitoring accounts so problems can be reported to institutions quickly.
Last month, Schiewe's wife also noticed a fraudulent charge of $18.05 to Walgreens on her TD account. It was also reversed without her knowledge.
"It does raise my hackles because there's been no proactive information or disclosure from TD," he said.
"Is it possible that we're simply really unlucky and both managed to have our information compromised and used within a two- or three-week window and have charges reversed without anyone telling us, or is that just the tip of the iceberg and are there a whole lot of other people who have had the same kind of issues?"
Grayston said amid threats of identity theft and online hacking, it's hard to have confidence that people's money is safe.
She worries the Spotify charges were a test to see if charging people's accounts was possible.
"How could you not feel horribly vulnerable?" she said. "You need to be going into your bank account at least every couple of days and make sure everything is legitimate."