Protecting Yourself from E-Transfer Scams


Last week, The Citizen spoke to Keith Pearce, a St. Adolphe resident who lost thousands of dollars to a scammer in an e-transfer transaction.

The incident began innocently enough, with Pearce agreeing to accept a $100 e-transfer from someone in order to hold an item he had advertised on Kijiji. For Pearce, the e-transfer notification and the process of accepting it were just like every other time he’d done this.

But the transfer didn’t happen instantaneously, triggering concern. By the time Pearce got into his online account to check, at least one unauthorized transfer had taken place between accounts and two withdrawals had been made, totalling $6,000.

For Pearce and many others who rely on e-transfer money exchanges, this type of theft comes as a complete shock, especially given that our banking institutions assure us that they’ve got top-notch security protocols in place to protect clients.

But for all the hype placed around creating strong passwords and setting up multifactor authentication, cybersecurity expert Michael Jensen says that it’s not enough.

And he should know. Jensen, who lives in Ste. Agathe, has impressive credentials in the area of cybersecurity. He’s gained some of his most significant experience helping to prevent cybersecurity breaches at top intelligence agencies such as the Department of National Defence.

How Scammers Do It

Preventing victimization is easier once you understand how the criminals accomplish it in the first place.

For experts like Jensen, Pearce’s victimization, while tragic, isn’t new. In fact, cybersecurity gurus have a name for it. They call it a “token session theft” with an “adversary in the middle” (AiTM) approach.

Putting that in layperson’s terms, every time you log in to your online bank account, or any account requiring a login, such as Amazon or Walmart, the bank (or company) provides you with a session token.

This session token allows you to close the window momentarily and then get back in without having to re-authenticate. It’s essentially like showing your ID at the door of a nightclub and not being required to show it again if you briefly step outside.

If a scammer can find a way to intercept your session token, that’s called token session theft. Having momentarily usurped your session, while you and your bank are unaware, the scammer becomes the adversary in the middle.

“The way these scams work is they get you to log in first, steal the session token from your computer, and perform what’s called a replay attack,” Jensen says.

A replay attack simply means they’ve gained access to your authentication data and then retransmitted it to the source—in Pearce’s case, TD Bank—allowing them to impersonate you in an online banking transaction.
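For technically minded readers, here is a toy model of why a replayed session token gets past passwords and multifactor authentication, and how a server can notice the replay. It is an added example, not code from the article, Jensen, or any bank; the names, sample addresses, and the context-binding check are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-process secret for fingerprints
SESSIONS = {}                          # token -> {"user", "binding"}

# Constructed sample contexts (documentation-range IPs, made-up user agents).
VICTIM = {"ip": "203.0.113.10", "ua": "Firefox/125 Windows"}
OTHER = {"ip": "198.51.100.7", "ua": "Chrome/124 Linux"}


def fingerprint(ctx):
    """Keyed hash of the client context the session was issued to."""
    msg = "|".join(f"{k}={ctx[k]}" for k in sorted(ctx)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user, password_ok, mfa_ok, ctx, bind=False):
    """Password and MFA are checked here, once. Later requests present only the token."""
    if not (password_ok and mfa_ok):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "binding": fingerprint(ctx) if bind else None}
    return token


def handle_request(token, ctx):
    """Serve a request authenticated by the session token alone."""
    session = SESSIONS.get(token)
    if session is None:
        return "401 no session"
    bound = session["binding"]
    if bound is not None and not hmac.compare_digest(bound, fingerprint(ctx)):
        # Same token, different context: treat as replay and revoke it.
        del SESSIONS[token]
        return "401 revoked: context changed"
    return f"200 acting as {session['user']}"


if __name__ == "__main__":
    plain = login("alice", True, True, VICTIM)
    print("unbound, replayed elsewhere:", handle_request(plain, OTHER))
    bound = login("alice", True, True, VICTIM, bind=True)
    print("bound, original device:    ", handle_request(bound, VICTIM))
    print("bound, replayed elsewhere: ", handle_request(bound, OTHER))
    print("bound, after revocation:   ", handle_request(bound, VICTIM))
```

IP address and user agent are a weak stand-in for a device-held key, and the check only catches a token replayed from a context other than the one that logged in.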

When Pearce noticed that his e-transfer was taking longer than it should, Jensen says that this was the scammer at work, using his session token. For a skilled attacker, it doesn’t take long to move funds, grab what they can, and disappear.

But according to Jensen, there was more at risk for Pearce than just bank account theft.

“If he had also been logged into Amazon at the time, and had his credit card attached, and if the thief was set up for it, they could have stolen those session tokens, too, and made purchases against his credit card.”

Protecting Yourself

First and foremost, Jensen says that the best way for anyone to protect themselves is to never fully trust technological controls. Human controls will trump them every time.

Next, he says, it’s imperative that people stop accepting e-transfers in traditional forms.

“Never ever, ever click on a link that is supposed to initiate an e-transfer,” Jensen says. “What the scammers are doing is they’re sending links that are very well designed, like websites that mimic [Interac]. When it hits your email, it looks like a [legitimate] e-transfer. Unless you’re very schooled on what you’re looking at, you don’t know how to check the digital footprint.”

If you’re going to use e-transfer, Jensen strongly advises setting up the auto-deposit function with your bank.

“If you’re having to open an email and then choose your banking institution, that’s not auto-deposit because it’s not depositing automatically.”

For those with true auto-deposit, when they receive an e-transfer, the notification received will simply inform them that a transfer of a specific amount has been deposited to their account. They don’t need to open an email or click on a link to direct the transfer to their bank.

If you have auto-deposit set up and you receive an email that requires you to open it and click on a link to accept, it’s a scam. Further, when a potential scammer sees that you have auto-deposit set up, their opportunity for token session theft has been foiled and they’ll generally just move on.

Another way to ensure that you’re protected is by always being the initiator of any e-transfer. Just as everyone has the ability to send an e-transfer, online banking options also include the ability to send a request for an e-transfer.

So if you’re selling an item online and someone wants to send you an e-transfer, let them know that you’ll initiate the money transfer process.

“You’ll have to get their email address, but you’ll be initiating the transfer from your end, so you’ll know that it’s legitimate,” Jensen says.

The final piece of advice Jensen has for those using buy-and-sell sites is to never trust a request to hold an item with a deposit. Nine times out of ten, it’s a scam.

“The number one thing people can do if they’re doing a transaction on a [buy-and-sell site] is meet in person in a police station parking lot,” Jensen says. “People don’t like that answer, but it’s not just good for cyber safety, it’s good for physical safety. There’s been reports of people being assaulted at [general] meetup locations. So go to a police station.”

It’s been a week since Keith Pearce was scammed, and so far he’s received no indication that TD Bank, the police, or various fraud departments are making any headway. He’s not fooling himself into believing he’ll ever see the money again.

Shortly after the incident occurred, Pearce also noticed that a portion of the text conversation between himself and the scammer, then posing as a buyer, had been erased. Somehow the scammer was successful in covering his tracks there too.