As Fintech and Open Banking Promise Greater Value for Customers, the "Bank-Level" Security Improvements are Urgently Needed to Foster Trust in the System

A new class action that has brought together over 100 (allegedly) jilted BMO customers has the potential to rock the Canadian banking space, but not for the reasons people think. This is less about unauthorized financial transfers and more about the culture of isolation in the financial sector, where the focus is always on "containing" a situation for fear that it will turn into a damaging reputational issue.

Technology is Not a Panacea, But Solutions Exist

Banks agree that "the consumer has unknowingly shared or given access to their confidential information" and yet those same institutions fail to consider the ABCs:

  • A. If this is likely to happen to more than one person, then the public at large should be alerted about the situation. Join forces with other banks and create an awareness campaign, instead of keeping it as an individual under a veil of secrecy, as so many current issues are handled.
  • B. If this can happen at all, then banking controls are clearly insufficient for the simple reason that users must be uniquely identified as legitimate customers, not just someone who might have stolen access credentials. That's absolutely the hard part, but this is why this case calls for banks to protect against "sophisticated" attacks, not just password stuffing or virus infections. It will be interesting to see how accountability is assigned.
  • C. If customers are able to carry out transactions they cannot repudiate, then banks have a solid case, but the above statement contradicts that argument. Even if the chance of a transaction being fraudulent is based on probability, banks that know the difference are responsible for doing something about it as opposed to stating that "the bank has complied with its obligations".

Claiming compliance when "in some cases, one-time codes were sent and entered correctly, and the IP addresses matched those of the client" is a rhetorical device that no longer works. Yes, that's called a keylogger or a MITM attack, and they've been bypassing access controls for over two decades.

Consideer Past Performance

According to Newmarket Today: "An Office of the Privacy Commissioner of Canada investigation from 2021 found BMO Canada's online banking software had "significant weaknesses" in its technical safeguards between June 2017 and January 2018, allowing potential attackers to breach about 113,000 bank accounts.

"A lot of other banks are doing things like a two-step authentication code to improve their security," said one victim. "Even after that breach, the Bank of Montreal has done nothing to improve their security."

Many of the customers that signed on to the class action claim they did not receive a one-time verification code sent by the bank, yet when asking for proof that it was sent - a simple request that is very easy to satisfy - they were ignored. This galvanizes suspicion and polarizes people who already feel victimized, so it's no wonder they would want to take the matter public despite the effort and cost involved.

A Systemic Problem

The problem is systematic opacity, normalized obscurantism and the unwillingness to share information with valuable clients. Making people feel marginalized, victimized or plain stupid is not the right approach, and the solution starts with simple stuff ideas like getting customer consent for blocking suspicious transactions based on different levels of certainty. When it comes to cyberfraud protection and security communications, financial institutions need to do better.

Transferring Accountability

Blanket statements such as: "we encourage customers to be diligent in protecting their online and mobile credentials and keep their secret code and card number confidential" no longer cut it. When banks stoop so low as to send one-time codes via the untrusted medium of the Internet, there can be no expectation of secrecy, let alone confidentiality. As for victims that have been ignored under the pretense of 'confidentiality', that's a matter of privacy that applies to one's own identity as much as it does to the customer's privacy, so the Privacy Commissioner should immediately be notified.

This is not just about the money. It's about trust in the system. Without protecting people's identities and livelihoods, what value does the financial sector offer? With the advent of open banking and fintech adoption, it's a critical time to put some substance behind the tired old phrase "bank-level security".

Final Thoughts

  1. No one should do business with any financial organization that does not enforce multifactor authentication, preferably using an authenticator app on the phone, because codes sent via email are more likely to be compromised.
  2. All online banking users should access the settings on their online banking and ensure that notifications are turned on for absolutely all activity, especially logins and transfers. Ask your bank if there are any other alerts that could be turned on, or automatic blocking that can be enabled even outside your dashboard or mobile app.
  3. Resist convenience features and definitely shun financial apps that claim to simplify your banking. That's something you want to pay particular attention to, not skip steps. When in doubt, call your bank and ask them whether they endorse the new fintech gizmo: chances are they will caution against any app that's not their own or refuse to comment on a start-up. That ought to give anyone pause.
Click the image to read CTV's article on the Growing number of BMO customers that raised concerns with the bank's security and investigative processes.