Latest news with #JordonJudge
Yahoo
3 days ago
- Business
- Yahoo
Scotiabank holds customer responsible for almost $20K in credit card fraud
Jordon Judge's cellphone rang as he sat in his local Vancouver coffee shop last October — caller ID said the person was from Scotiabank. He had no idea it was actually a fraudster who had manipulated the call display, a practice known as phone call "spoofing." The fraudster said he was calling to flag two suspicious charges that were coming through on Judge's Scotiabank Visa card. Judge said he hadn't approved those charges and the caller said they would be blocked. But two days later, Judge spotted two large charges on his credit card statement, totalling almost $20,000. "Those were not my charges," he told Go Public. "So it was definitely astonishment." It was the beginning of a long and frustrating process, during which Scotiabank continued to insist he was liable for the fraudulent charges. Credit card fraud is a growing problem. The Canadian Anti-Fraud Centre doesn't track how much money people lose to it, but says that over the past three years, an increasing portion of identity fraud cases have involved compromised credit cards. WATCH | On the hook for $20K: The Ombudsman for Banking Services and Investments says complaints related to fraud are the number one issue it deals with, and only e-transfers have more fraud complaints than credit cards. Under federal law, a person's maximum liability for unauthorized credit card transactions is generally capped at $50 unless the bank can prove the customer was grossly negligent in protecting their card. A cybersecurity expert says increasing fraud and the rise in complex technology means financial institutions should be conducting thorough investigations and providing clear evidence when holding customers liable. "All that the bank has done is accuse [Judge] of either negligence or malice," said Claudiu Popa, who has 35 years' experience in cybersecurity and wrote The Canadian Cyberfraud Handbook. "The bank has to prove that the customer is the one who perpetrated this quite significant and sophisticated fraud." Scotiabank declined an interview request, did not answer any written questions and instead sent a brief statement, reminding customers to safeguard their personal information. The fraudster who called Judge asked for his birth date and mother's maiden name, which Judge shared. But then the fraudster asked him to share a "one-time passcode" — a type of two-step verification — that was texted to his phone. Judge says he refused to do that, because the message also told him not to share the code with anyone, and said that no one from Scotiabank would ever ask for it. The fraudster claimed that he stopped the charges from going through and hung up. But two days later, Judge discovered a charge for $17,900 to Anglia Ruskin University in the U.K. on his statement, and a second for $1,800, supposedly paid to someone by the name of Paula S. Taylor. "I wasn't worried at the time because I knew those weren't my charges," said Judge. "I thought I couldn't be held accountable for it." Judge filed a request for compensation with Scotiabank, which sent him a letter a few weeks later, saying the bank had "examined all relevant documentation" and concluded that he was responsible for the charges. The letter did not outline what evidence had been reviewed and did not explain why the bank concluded he should be on the hook for almost $20,000 — plus the growing interest. "When people sign up for credit cards, they're under the assumption that if they get scammed, they're not liable for the purchases made on their credit card," said Judge. "Apparently that's not the case." He appealed, and a second letter — from Scotiabank's Escalated Customer Concerns Office (ECCO) — also found Judge responsible, stating that a one-time passcode was used for the university charge, calling it "a feature that has a proven track record in mitigating fraudulent and nefarious activities". The ECCO letter said that because the code was sent to Judge's phone, it "indicates" that the code was disclosed. Judge appealed that decision, but Scotiabank's Customer Complaints Appeals Office also claimed in a letter that evidence "suggests" Judge revealed a one-time passcode. "Evidence that may 'suggest' something isn't evidence of a fact," said Geoff White, executive director of the Public Interest Advocacy Centre. "One would like to see more in terms of actual evidence demonstrating that the customer was negligent — rather than simply an assertion." White also said the onus shouldn't be on individuals to prove they are innocent of a crime. "The onus is in fact on institutions to take care of their systems," said White. "Make sure that their processes are secure." Popa, the cybersecurity expert, took a look at Scotiabank's correspondence and says the financial institution didn't provide evidence of "the most basic investigation," which would include reviewing a log of activities that would be time-stamped — such as showing when an individual received the one-time passcode and when it was entered into a web interface. "This was never provided," said Popa. "Nor was there an indication that this kind of log was inspected." Contrary to Scotia's insistence that a one-time passcode is a proven fraud deterrent, Popa says a code sent via email or SMS is vulnerable to "a number of different types of compromises" and is less safe than using an authenticator app. Cellphones can be hacked using malware or spyware and SIM cards can be hijacked — allowing fraudsters to intercept text messages. The Canadian Anti-Fraud Centre also told Go Public that it recommends people use an authenticator app when possible. "Unlike SMS/text messages or email messages, authenticator apps generate time-sensitive passcodes that are not vulnerable to SIM swapping or potential text message and email interception," wrote CAFC spokesperson Jeff Horncastle. The Quebec-based advocacy group Option consommateurs has been calling on the federal government to strengthen protections for banking customers in cases of fraud. In a proposal to MPs earlier this year, the organization said the Bank Act should require transparency when a bank investigates, and clarify that the burden of proving the customer was highly negligent rests on the bank. Go Public contacted Anglia Ruskin University to ask about the charge on Judge's credit card. A representative said Scotiabank never contacted the university — another disappointment to Popa. "Why would you not contact an organization that you know exists?" asked Popa. "They have a duty to investigate and to protect their customers." After Go Public made several inquiries with the university, it said it conducted an investigation and reimbursed Judge. A spokesperson said it could not elaborate on its findings, such as whether the money was used to pay for someone's tuition. Go Public also asked Scotiabank several times what evidence it had to hold its customer responsible for the fraudulent charges. Although the bank did not reply, it recently credited Judge's bank account — covering the outstanding $1,800 paid to "Paula S. Taylor" and the interest that had accrued on both charges. Judge says no one from Scotiabank contacted him to explain the about-face. "I do think it's ridiculous that it took the media to get involved until they decided they would even act as if they cared," said Judge. Previously, Scotiabank had offered Judge $200 as a "goodwill gesture," but said he would have to acknowledge his claim was resolved and drop any further action. Judge declined. Although he has been fully compensated, Judge had to push for almost eight months, and is still left without any answers about why Scotiabank insisted for so long that he was responsible for the fraud. "My biggest concern is that there are people in his situation … who may not have the ability to pressure their financial institution to be more transparent or to recognize the fact that they might not be guilty," said Popa, the cybersecurity expert. "People are out there who are simply being silently victimized." Submit your story ideas Go Public is an investigative news segment on CBC-TV, radio and the web. We tell your stories, shed light on wrongdoing and hold the powers that be accountable. If you have a story in the public interest, or if you're an insider with information, contact gopublic@ with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public. Read more stories by Go Public. Read about our hosts.
Yahoo
3 days ago
- Business
- Yahoo
Scotiabank holds customer responsible for almost $20K in credit card fraud
Jordon Judge's cellphone rang as he sat in his local Vancouver coffee shop last October — caller ID said the person was from Scotiabank. He had no idea it was actually a fraudster who had manipulated the call display, a practice known as phone call "spoofing." The fraudster said he was calling to flag two suspicious charges that were coming through on Judge's Scotiabank Visa card. Judge said he hadn't approved those charges and the caller said they would be blocked. But two days later, Judge spotted two large charges on his credit card statement, totalling almost $20,000. "Those were not my charges," he told Go Public. "So it was definitely astonishment." It was the beginning of a long and frustrating process, during which Scotiabank continued to insist he was liable for the fraudulent charges. Credit card fraud is a growing problem. The Canadian Anti-Fraud Centre doesn't track how much money people lose to it, but says that over the past three years, an increasing portion of identity fraud cases have involved compromised credit cards. WATCH | On the hook for $20K: The Ombudsman for Banking Services and Investments says complaints related to fraud are the number one issue it deals with, and only e-transfers have more fraud complaints than credit cards. Under federal law, a person's maximum liability for unauthorized credit card transactions is generally capped at $50 unless the bank can prove the customer was grossly negligent in protecting their card. A cybersecurity expert says increasing fraud and the rise in complex technology means financial institutions should be conducting thorough investigations and providing clear evidence when holding customers liable. "All that the bank has done is accuse [Judge] of either negligence or malice," said Claudiu Popa, who has 35 years' experience in cybersecurity and wrote The Canadian Cyberfraud Handbook. "The bank has to prove that the customer is the one who perpetrated this quite significant and sophisticated fraud." Scotiabank declined an interview request, did not answer any written questions and instead sent a brief statement, reminding customers to safeguard their personal information. The fraudster who called Judge asked for his birth date and mother's maiden name, which Judge shared. But then the fraudster asked him to share a "one-time passcode" — a type of two-step verification — that was texted to his phone. Judge says he refused to do that, because the message also told him not to share the code with anyone, and said that no one from Scotiabank would ever ask for it. The fraudster claimed that he stopped the charges from going through and hung up. But two days later, Judge discovered a charge for $17,900 to Anglia Ruskin University in the U.K. on his statement, and a second for $1,800, supposedly paid to someone by the name of Paula S. Taylor. "I wasn't worried at the time because I knew those weren't my charges," said Judge. "I thought I couldn't be held accountable for it." Judge filed a request for compensation with Scotiabank, which sent him a letter a few weeks later, saying the bank had "examined all relevant documentation" and concluded that he was responsible for the charges. The letter did not outline what evidence had been reviewed and did not explain why the bank concluded he should be on the hook for almost $20,000 — plus the growing interest. "When people sign up for credit cards, they're under the assumption that if they get scammed, they're not liable for the purchases made on their credit card," said Judge. "Apparently that's not the case." He appealed, and a second letter — from Scotiabank's Escalated Customer Concerns Office (ECCO) — also found Judge responsible, stating that a one-time passcode was used for the university charge, calling it "a feature that has a proven track record in mitigating fraudulent and nefarious activities". The ECCO letter said that because the code was sent to Judge's phone, it "indicates" that the code was disclosed. Judge appealed that decision, but Scotiabank's Customer Complaints Appeals Office also claimed in a letter that evidence "suggests" Judge revealed a one-time passcode. "Evidence that may 'suggest' something isn't evidence of a fact," said Geoff White, executive director of the Public Interest Advocacy Centre. "One would like to see more in terms of actual evidence demonstrating that the customer was negligent — rather than simply an assertion." White also said the onus shouldn't be on individuals to prove they are innocent of a crime. "The onus is in fact on institutions to take care of their systems," said White. "Make sure that their processes are secure." Popa, the cybersecurity expert, took a look at Scotiabank's correspondence and says the financial institution didn't provide evidence of "the most basic investigation," which would include reviewing a log of activities that would be time-stamped — such as showing when an individual received the one-time passcode and when it was entered into a web interface. "This was never provided," said Popa. "Nor was there an indication that this kind of log was inspected." Contrary to Scotia's insistence that a one-time passcode is a proven fraud deterrent, Popa says a code sent via email or SMS is vulnerable to "a number of different types of compromises" and is less safe than using an authenticator app. Cellphones can be hacked using malware or spyware and SIM cards can be hijacked — allowing fraudsters to intercept text messages. The Canadian Anti-Fraud Centre also told Go Public that it recommends people use an authenticator app when possible. "Unlike SMS/text messages or email messages, authenticator apps generate time-sensitive passcodes that are not vulnerable to SIM swapping or potential text message and email interception," wrote CAFC spokesperson Jeff Horncastle. The Quebec-based advocacy group Option consommateurs has been calling on the federal government to strengthen protections for banking customers in cases of fraud. In a proposal to MPs earlier this year, the organization said the Bank Act should require transparency when a bank investigates, and clarify that the burden of proving the customer was highly negligent rests on the bank. Go Public contacted Anglia Ruskin University to ask about the charge on Judge's credit card. A representative said Scotiabank never contacted the university — another disappointment to Popa. "Why would you not contact an organization that you know exists?" asked Popa. "They have a duty to investigate and to protect their customers." After Go Public made several inquiries with the university, it said it conducted an investigation and reimbursed Judge. A spokesperson said it could not elaborate on its findings, such as whether the money was used to pay for someone's tuition. Go Public also asked Scotiabank several times what evidence it had to hold its customer responsible for the fraudulent charges. Although the bank did not reply, it recently credited Judge's bank account — covering the outstanding $1,800 paid to "Paula S. Taylor" and the interest that had accrued on both charges. Judge says no one from Scotiabank contacted him to explain the about-face. "I do think it's ridiculous that it took the media to get involved until they decided they would even act as if they cared," said Judge. Previously, Scotiabank had offered Judge $200 as a "goodwill gesture," but said he would have to acknowledge his claim was resolved and drop any further action. Judge declined. Although he has been fully compensated, Judge had to push for almost eight months, and is still left without any answers about why Scotiabank insisted for so long that he was responsible for the fraud. "My biggest concern is that there are people in his situation … who may not have the ability to pressure their financial institution to be more transparent or to recognize the fact that they might not be guilty," said Popa, the cybersecurity expert. "People are out there who are simply being silently victimized." Submit your story ideas Go Public is an investigative news segment on CBC-TV, radio and the web. We tell your stories, shed light on wrongdoing and hold the powers that be accountable. If you have a story in the public interest, or if you're an insider with information, contact gopublic@ with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public. Read more stories by Go Public. Read about our hosts.
CBC
3 days ago
- Business
- CBC
Scotiabank holds customer responsible for almost $20K in credit card fraud
Social Sharing Jordon Judge's cellphone rang as he sat in his local Vancouver coffee shop last October — caller ID said the person was from Scotiabank. He had no idea it was actually a fraudster who had manipulated the call display, a practice known as phone call "spoofing." The fraudster said he was calling to flag two suspicious charges that were coming through on Judge's Scotiabank Visa card. Judge said he hadn't approved those charges and the caller said they would be blocked. But two days later, Judge spotted two large charges on his credit card statement, totalling almost $20,000. "Those were not my charges," he told Go Public. "So it was definitely astonishment." Got a story you want investigated? Contact Erica and the Go Public team at gopublic@ It was the beginning of a long and frustrating process, during which Scotiabank continued to insist he was liable for the fraudulent charges. Credit card fraud is a growing problem. The Canadian Anti-Fraud Centre doesn't track how much money people lose to it, but says that over the past three years, an increasing portion of identity fraud cases have involved compromised credit cards. WATCH | On the hook for $20K: Bank blames customer for $20K in credit card fraud | Go Public 5 hours ago Duration 2:09 The Ombudsman for Banking Services and Investments says complaints related to fraud are the number one issue it deals with, and only e-transfers have more fraud complaints than credit cards. Under federal law, a person's maximum liability for unauthorized credit card transactions is generally capped at $50 unless the bank can prove the customer was grossly negligent in protecting their card. A cybersecurity expert says increasing fraud and the rise in complex technology means financial institutions should be conducting thorough investigations and providing clear evidence when holding customers liable. "All that the bank has done is accuse [Judge] of either negligence or malice," said Claudiu Popa, who has 35 years' experience in cybersecurity and wrote The Canadian Cyberfraud Handbook. "The bank has to prove that the customer is the one who perpetrated this quite significant and sophisticated fraud." Scotiabank declined an interview request, did not answer any written questions and instead sent a brief statement, reminding customers to safeguard their personal information. What happened The fraudster who called Judge asked for his birth date and mother's maiden name, which Judge shared. But then the fraudster asked him to share a "one-time passcode" — a type of two-step verification — that was texted to his phone. Judge says he refused to do that, because the message also told him not to share the code with anyone, and said that no one from Scotiabank would ever ask for it. The fraudster claimed that he stopped the charges from going through and hung up. But two days later, Judge discovered a charge for $17,900 to Anglia Ruskin University in the U.K. on his statement, and a second for $1,800, supposedly paid to someone by the name of Paula S. Taylor. "I wasn't worried at the time because I knew those weren't my charges," said Judge. "I thought I couldn't be held accountable for it." No transparency Judge filed a request for compensation with Scotiabank, which sent him a letter a few weeks later, saying the bank had "examined all relevant documentation" and concluded that he was responsible for the charges. The letter did not outline what evidence had been reviewed and did not explain why the bank concluded he should be on the hook for almost $20,000 — plus the growing interest. "When people sign up for credit cards, they're under the assumption that if they get scammed, they're not liable for the purchases made on their credit card," said Judge. "Apparently that's not the case." He appealed, and a second letter — from Scotiabank's Escalated Customer Concerns Office (ECCO) — also found Judge responsible, stating that a one-time passcode was used for the university charge, calling it "a feature that has a proven track record in mitigating fraudulent and nefarious activities". The ECCO letter said that because the code was sent to Judge's phone, it "indicates" that the code was disclosed. Judge appealed that decision, but Scotiabank's Customer Complaints Appeals Office also claimed in a letter that evidence "suggests" Judge revealed a one-time passcode. "Evidence that may 'suggest' something isn't evidence of a fact," said Geoff White, executive director of the Public Interest Advocacy Centre. "One would like to see more in terms of actual evidence demonstrating that the customer was negligent — rather than simply an assertion." White also said the onus shouldn't be on individuals to prove they are innocent of a crime. "The onus is in fact on institutions to take care of their systems," said White. "Make sure that their processes are secure." Popa, the cybersecurity expert, took a look at Scotiabank's correspondence and says the financial institution didn't provide evidence of "the most basic investigation," which would include reviewing a log of activities that would be time-stamped — such as showing when an individual received the one-time passcode and when it was entered into a web interface. "This was never provided," said Popa. "Nor was there an indication that this kind of log was inspected." Contrary to Scotia's insistence that a one-time passcode is a proven fraud deterrent, Popa says a code sent via email or SMS is vulnerable to "a number of different types of compromises" and is less safe than using an authenticator app. Cellphones can be hacked using malware or spyware and SIM cards can be hijacked — allowing fraudsters to intercept text messages. The Canadian Anti-Fraud Centre also told Go Public that it recommends people use an authenticator app when possible. "Unlike SMS/text messages or email messages, authenticator apps generate time-sensitive passcodes that are not vulnerable to SIM swapping or potential text message and email interception," wrote CAFC spokesperson Jeff Horncastle. The Quebec-based advocacy group Option consommateurs has been calling on the federal government to strengthen protections for banking customers in cases of fraud. In a proposal to MPs earlier this year, the organization said the Bank Act should require transparency when a bank investigates, and clarify that the burden of proving the customer was highly negligent rests on the bank. Judge gets his money back Go Public contacted Anglia Ruskin University to ask about the charge on Judge's credit card. A representative said Scotiabank never contacted the university — another disappointment to Popa. "Why would you not contact an organization that you know exists?" asked Popa. "They have a duty to investigate and to protect their customers." After Go Public made several inquiries with the university, it said it conducted an investigation and reimbursed Judge. A spokesperson said it could not elaborate on its findings, such as whether the money was used to pay for someone's tuition. Go Public also asked Scotiabank several times what evidence it had to hold its customer responsible for the fraudulent charges. Although the bank did not reply, it recently credited Judge's bank account — covering the outstanding $1,800 paid to "Paula S. Taylor" and the interest that had accrued on both charges. Judge says no one from Scotiabank contacted him to explain the about-face. "I do think it's ridiculous that it took the media to get involved until they decided they would even act as if they cared," said Judge. Previously, Scotiabank had offered Judge $200 as a "goodwill gesture," but said he would have to acknowledge his claim was resolved and drop any further action. Judge declined. Although he has been fully compensated, Judge had to push for almost eight months, and is still left without any answers about why Scotiabank insisted for so long that he was responsible for the fraud. "My biggest concern is that there are people in his situation … who may not have the ability to pressure their financial institution to be more transparent or to recognize the fact that they might not be guilty," said Popa, the cybersecurity expert. "People are out there who are simply being silently victimized."
