Most people think of a zero day vulnerability as a vulnerability that hasn't been discovered or is in its infancy stage. Most would think 'Windows' or some other laptop/PC operating system. Being someone who understands many platforms and technologies, there are 'zero day' vulnerabilities where very few are being recognized or even listed in the news. The report below didn't surprise me. It was only a matter of time. https://www.cbc.ca/news/business/etransfer-fraud-banks-blame-customers-1.5286926 Are there more 'zero day' vulnerabilities that will surface?
I am having a hard time figuring out how this fraud occurred: I am assuming that the two-factor authorization is the bank sends an e-mail to the recipient and he replies back with a code supplied to him by the bank customer doing the e-transfer? I never heard of such a two factor authorization method. My U.S. bank will require two factor authorization on e-transfers over a certain amount. However, this occurs while I am logged on to the bank's web site. They send a numeric code to my cell phone and I have to manually enter that code on the web site for that e-transfer to occur. After that point, the bank assumes all responsibility in ensuring the money is transferred into the recipient's bank account. Also I have to pre-qualify e-transfer recipients (name, address, bank name and account number, etc.) prior to doing an e-transfer. -EDIT- Another thing about this story that makes no sense is that it appears that the attacker, by replying to the e-mail, was able to redirect the transfer to his bank account. Or use a possible confirmation e-mail after the initial reply to present in person at the bank for a cash payment. Again, I have never heard of such a thing. Finally, why is this the bank customer's issue? It was the contractor's e-mail that got hacked. In which case, the payment issue is between the contractor and the customer's bank. Legally from what I can tell, the customer fulfilled all his payment obligations. One possibility here is this payment was done under e-bill payment methods which are not as stringent as bank-to-bank e-payments. Why the payer would have chosen that method for such a sum of money is beyond me. Possibly because the contractor wouldn't give him his bank account number. Anyone pay by paper check these days? A cashier's check would have sufficed in this situation. But this is Canada and the whole banking system there is screwed up.
OK. The person most likely used Zelle which my bank just started offering. Note the last paragraph: There is also additional text stating in effect this is a kind of "mutual trust" setup with no involved party assuming any liability. Bottom line - you get what you pay for. Since Zelle has no service fees, you get very little security in return.
Canadian financial institutions use Interac. Started as a cooperative venture among Canada’s major financial institutions. https://www.interac.ca/en/interac-e-transfer-consumer.html
"The devil is in the detail." https://www.interac.ca/en/zero-liability.html With TD's argument being his lax assignment of easily guessed validation code was "within his control." This story is not unique in that banks everywhere will attempt to "weasel out" of loss reimbursement.
Another article yesterday on this topic https://www.cbc.ca/news/business/etransfer-fraud-security-1.5296860
At least this "fills in the blanks" missing in earlier articles. It was the contractor's e-mail that was hacked by the attacker. He in turn via the contractor's e-mail directed the customer to deposit the money in his account. Classic e-mail fraud plain and simple. From a legal standpoint, I would say it is the contractor who is out of the payment since it was his e-mail account that was hacked. It was also he that specified he be paid through this phony baloney e-transfer system involving e-mail exchanges between the parties. Now let me guess. Canada has laws in effect that allow a contractor to slap a lien on a property for non-payment for any reason.