
E-transfer Security

CBC's Go Public pointed out the rising rates of e-transfer fraud, and consumers are shocked. The expectation was that e-transfers were safe and convenient... turns out, not so much.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How you doing today? On this episode of the show, we're gonna talk about the security and privacy of electronic bank transfers, you know, when you email people money. So as you can see, a bit of a different look, uh, it's episode 200 of Mornings with Mark and I decided to film this one on, uh, my morning walk, uh, under the umbrella 'cause it is raining here.

Um, it's lightening up a little bit, which is nice. Uh, it's also fall, so all the leaves are turning or starting to turn, which ends up being really beautiful. But we're also testing out the stabilization on the new iPhone. Wanted to see if this is viable for, uh, conferences or if I still need to pack a whole bunch of extra kit.

But down to the topic at hand, there was recently an article in CBC on the news site, um, in their Go Public area, which is basically their consumer advocacy, uh, sort of their consumer, um, you know, hey, we're going to help you out of a jam if companies aren't responding, where a Canadian man had been paying his contractor, or trying to pay his contractor, uh, $3000.

The total was $3300, but there was a $3000 limit. So they sent them $3000 and the transfer was accepted, but it never made it to the contractor. Now, you may be thinking, oh, the contractor actually has it and it's fraudulent. Nope, the transfer was intercepted because somebody guessed the password.

Now, if you've ever set up a transfer like this, they're actually quite common for community activities, for sports, and for paying friends, splitting checks, stuff like that. It's not a crazy rare thing. But what happens is essentially you log into your bank site securely, you set up a transfer to an email address, and then, uh, you have two choices depending on your recipient.

If your recipient is just a standard, vast majority of people in the e-transfer network, you are going to set up a password, either a recurring one or a unique one-time password. Um, and so you'll say, uh, ask a question and then provide the answer, and then whoever provides the answer when they receive the email will be able to deposit their funds.

Now, what's super common here is either there'll be one shared password if it's a big event, or you're going to set up something brutally obvious. So what happens a lot of the time, if you say you're trying to pay for the kids' hockey and you're sending money to the hockey association, you know, your question will be "what sport?" or "for what sport?" and the answer will be "hockey." Not hard to guess, right?

So, in the case of, you know, paying for a contractor, it wouldn't be uncommon to say, you know, "for what address?" and you'd give your home address, which obviously is public information, especially when it's linked to you.

So, something similar happened along these lines. Now, another way to set this up, and we'll tackle it in a second. But what was interesting about this Go Public article from CBC was that as this person, you know, protested, as he went to the bank, there wasn't much help.

He started an investigation with the police, which is great. But when you dig into the terms of service of the e-transfer network, there's basically no protection for you. When you use a credit card, there's a bunch of legal protections around what you're liable for, for fraudulent transactions.

A lot of that fraud falls onto the merchant, and what doesn't fall under the merchant is absorbed by the credit card issuer. When it comes to e-transfers, uh, just like debit, it's not the case, and a lot of people aren't aware of that. You're actually liable.

Um, so you're out the money, and if you read through the terms of service, that's exactly what it says: there's a whole bunch of stuff, if the system fails, that's on you. But if somebody guesses your password, it's explicitly said in the terms of service.

If somebody, uh, you know, if, if you're using a weak password and somebody guesses it, then you're out the money. It's not on the network. Now, you may have a case criminally because someone's stolen your money, but you're not gonna get any easy refund like you would if your credit card was stolen.

And that's a huge thing because these e-transfers can be really, really convenient. But if you don't have those types of protections, are they the best way to go? It may be better off to pay the transaction fee for, uh, taking a credit card through something like, um, uh, Square or an alternative easy payment provider.

Uh, something like a PayPal, even though PayPal has a ton of issues on its own. But at least you get protections using these credit cards. Now, back to the e-transfer network, there is actually a feature called auto deposit, and you as a receiver need to set up that auto deposit.

And basically what that means is that if anyone sends you an email to, or an email with, uh, an amount, uh, and it lines up with your, uh, name, then that information is going, or that money is going to be directly deposited into your account. You don't actually have to log in.

Now that's far more secure, as long as the sender got the information correct. So the challenge here is that if you send me an e-transfer and use a question or a password, that needs to be unique and interesting, and not, or not interesting, but it needs to be unique and unguessable.

Um, and then I need to click on the link that I received in my email and then enter the matching password to deposit it into my account after I've logged in securely to my bank. Now, there is a way to handle that and we'll talk about that in a second.

But the other flow, the auto deposit flow, basically means that if you send it to my email address with my name, Mark Noo, then it's going to be automatically deposited. Now, that's great. But the risk now is if you get my name wrong, that transfer will fail, or if you get my email address wrong, there's potential that you could auto deposit into somebody's account erroneously.

Now, that's a pretty low risk. Now, if you're wondering how do you handle the passwords correctly? Because the auto deposit is up to the recipient to sign up for. So if the recipient hasn't signed up for auto deposit, there's nothing you as a sender can do.

Um, for passwords, what you need to use is what's called a second channel. So either in person, say, hey, Mark, I'm about to send you an e-transfer and here is the password. Um, and then send the e-transfer through, uh, with, um, the question, you know, the password we discussed.

And then the password is something unique that we've already talked about in person. Or you could use something like a text message. Don't email it to them. You could use a direct message on a secure platform if you want. But the idea is use some other avenue to communicate the password to people, as opposed to making the password ridiculously easy to guess, because the thing is, is that email is not secure.

Email is very much a postcard. Everybody thinks about email, and this doesn't help, that all the iconography around it is an envelope that's sealed. Um, email is a pa, a postcard, uh, for all intents and purposes. It's just a postcard you're shipping around, and when that postcard contains money, you can guess what happens.

Um, that's it for this topic. I'd love to hear what you think about it. Let me know. Just as a side note here, based on the feedback that I've gotten from everybody, and thank you very much for, uh, tuning in for 200 episodes, for providing tons of feedback.

Um, the show has grown beyond what I ever could have imagined. Uh, we're gonna keep this going. I was gonna wind things down here in episode 200. But everybody who wants to see this kind of continue on, I have a lot of fun doing it.

We are gonna reduce the volume. I think we're gonna do once a week. I'll figure out a consistent day to be pushing this out. Um, so you still get a, uh, you know, at least once a week on this because I'm focusing on some other efforts, especially for the couple of months, uh, leading up to AWS re:Invent.

So I've been streaming live over on LinkedIn. I'll put the, uh, URL down here where you can track all those streams, where we're going half an hour, 45 minutes, learning new AWS services. And that's been a ton of fun as well. So, uh, always hit me up online.

Love to chat about, uh, e-transfers, love to chat about anything. I hope you're set up for a fantastic day and I hope that this setup worked, even though, uh, it's a crazy, you know, view, wide-angle view of the umbrella and all that. Uh, talk to you soon.

We'll see you on the next episode of the show.
