Online banking fraud is on the rise. In a series of investigative articles, the CBC's Erica Johnson has reported on a number of disconcerting cases where Canadian banks left their clients in the lurch: "Banks deny compensation when hackers steal customers' money"; "Banks tell dozens of customers they're to blame for thousands of dollars lost to e-transfer fraudsters"; and more. Whether it is the weak security model around Interac e-transfers or the antiquated security model for accessing online banking services, Canadian banks are knowingly exposing their customers to increased risk of online banking fraud by refusing to adopt better security protocols. Canadian banks can and must do better—or face stricter federal regulation. Legislators in Ottawa should take due notice.
‘The EU's 2015 Payment Services Directive 2 shows Canada how to improve online banking security.’
The European Union seems well ahead of Canada in this regard. Enter the Payment Services Directive 2 (PSD2) from 2015, which modernizes Europe's payment services for the benefit of consumers and businesses. PSD2 introduces strong security requirements for online payments (as of September 2019), and it provides new safeguards for the protection of consumers' financial data. PSD2 also increases consumer rights by reducing consumers' liability for unauthorized payments and introducing an unconditional ("no questions asked") refund right for direct debits in euro (since January 2018). Canadian regulators should pay close attention to this EU directive. In my opinion, Canada needs something similar.
How does PSD2 make banking safer? It obliges payment service providers to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. While some EU members already had SCA requirements, it remained voluntary in many other EU countries. PSD2 makes SCA mandatory across the EU effective 14 September 2019. Banks are required to use at least two of the following three methods of authentication:
- Knowledge: something only the user knows (e.g., a password or a PIN code);
- Possession: something only the user possesses (e.g., a mobile phone); and
- Inherence: something the user is (e.g., a fingerprint, facial recognition, or voice recognition).
In practice, most European banks rely on unique transaction numbers (TANs) that are generated from a security token or are sent to the smartphone registered with a particular bank account.
Whenever a payer initiates an online transaction above €30, SCA applies. There are a few exceptions for contactless payments at the point of sale and various corporate payments. Most importantly, Article 73 assigns liability to banks and requires them to refund unauthorized payments promptly, and Article 74 limits a user's liability to €50 for losses "resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument" and to essentially zero if the bank does not offer SCA.
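To make the two-of-three rule and the €30 threshold concrete, here is a small server-side SCA check written for this post as an added example; it is not code from the post, from PSD2, or from any bank. It assumes a knowledge factor (a PIN stored as a salted hash) and a possession factor (a six-digit TAN computed by a security token from a shared secret); the secrets, payee labels, channel names and the contactless exemption are constructed and simplified. One design choice goes beyond the text: the TAN is derived from the amount and payee as well as a counter, so a TAN shown for one payment does not approve a different one.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed parameters for this example (not from the post or any bank).
SCA_THRESHOLD_CENTS = 30_00   # post: SCA applies to online payments above €30
TAN_DIGITS = 6
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class Payment:
    amount_cents: int
    payee: str
    channel: str  # "online" or "contactless_pos" (constructed labels)


def sca_required(p: Payment) -> bool:
    """Apply the €30 threshold; contactless point-of-sale payments are exempt
    (simplified: the directive's corporate-payment exemptions are omitted)."""
    if p.channel == "contactless_pos":
        return False
    return p.amount_cents > SCA_THRESHOLD_CENTS


# --- Knowledge factor: a PIN, stored only as a salted PBKDF2 hash ------------
def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def verify_knowledge(pin: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(pin_hash(pin, salt), stored)


# --- Possession factor: a transaction number (TAN) from a security token -----
def transaction_tan(token_secret: bytes, counter: int, p: Payment) -> str:
    """Derive a TAN bound to the counter, amount and payee. Binding to the
    payment details is this example's design choice; the post only says TANs
    come from a token or the registered phone."""
    msg = f"{counter}|{p.amount_cents}|{p.payee}".encode()
    digest = hmac.new(token_secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(digest[:4], "big") % 10 ** TAN_DIGITS
    return f"{code:0{TAN_DIGITS}d}"


def verify_possession(token_secret: bytes, counter: int, p: Payment, tan: str) -> bool:
    return hmac.compare_digest(transaction_tan(token_secret, counter, p), tan)


def authorize(p: Payment, factors: dict) -> bool:
    """factors maps a category (knowledge / possession / inherence) to its
    verification result. When SCA applies, two distinct categories must pass."""
    if not sca_required(p):
        return True
    return sum(1 for ok in factors.values() if ok) >= 2


def authorize_payment(p, pin, salt, stored_pin_hash, token_secret, counter, tan):
    factors = {
        "knowledge": verify_knowledge(pin, salt, stored_pin_hash),
        "possession": verify_possession(token_secret, counter, p, tan),
    }
    return authorize(p, factors)


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = pin_hash("4821", salt)                     # enrolled PIN (constructed)
    token_secret = b"constructed-token-secret"          # shared with the token
    pay = Payment(25_000, "CA-PAYEE-0001", "online")    # €250 online: SCA applies
    tan = transaction_tan(token_secret, 7, pay)         # what the token displays
    print("approved:", authorize_payment(pay, "4821", salt, stored, token_secret, 7, tan))
    # The same TAN does not approve a payment whose payee was altered in transit.
    altered = Payment(25_000, "XX-ALTERED-PAYEE", "online")
    print("altered payee approved:", authorize_payment(altered, "4821", salt, stored, token_secret, 7, tan))
    # A small payment below the threshold needs no second factor at all.
    print("€10 needs SCA:", sca_required(Payment(1_000, "CA-PAYEE-0001", "online")))
```

The counter plays the role of the token's internal state: the bank stores the expected counter per customer and advances it after each successful check, which is what keeps an old TAN from being accepted twice.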
‘There is no reason why Canadians should not enjoy the same level of fraud protection and online banking security as EU citizens.’
Canadian banks (with the exception of Scotiabank) do not yet offer their retail customers MFA for online banking. However, the big banks typically offer 3FA to their business customers (a combination of a password to log in, a 6-digit PIN and a 6-digit number from a security token). There are only two possible explanations for banks' refusal to roll out MFA. One is technical inability: legacy IT infrastructure that makes it very expensive to introduce MFA on top of it. This explanation is hard to believe because some banks (such as RBC) offer MFA in overseas markets (the Caribbean islands in the case of RBC) where security is a larger concern. The other explanation is the worry about online banking convenience. The security-convenience trade-off makes some banks worry about losing customers if online banking forces them to adopt tighter security protocols. If this is what is holding back Canadian banks from rolling out MFA, they are utterly misreading their customers' preferences and abilities. Canadian banking customers are not all that different from European banking customers, and European banking customers do just fine with MFA. And what stops banks from offering MFA to those customers who really want it—people like myself? Instead, banks hide behind boilerplate advisories to keep passwords safe and make passwords difficult to guess—and we all know how well that works. More disconcertingly, banks face no liability when things go wrong and passwords do get compromised—as the CBC stories reveal. Of course, when customers go public (thanks to the CBC), banks relent, play damage control, and return stolen funds.
A recent CBC News article by Yvonne Colbert asked pointedly "Why is this online banking security feature common in other countries, but not Canada?" and "Google offers 2-factor authentication to access your emails, so why don't banks?" When prompted by the journalist, Canadian banks stonewalled and did not offer meaningful replies. It is time more customers asked their banks why 2FA or MFA is not available. And without a meaningful reply, perhaps it is time to talk to members of parliament too.
The extent of online banking fraud is emerging slowly. Statistics Canada reports "Police-reported cybercrime, by cyber-related violation, Canada" in CANSIM Table 35-10-0001-01, with data since 2014. Fraud is by far the largest category. A 2011 report, "Measuring the Extent of Cyber-Fraud in Canada" by Sara Smyth and Rebecca Carleton, concluded that "there needs to be a more well-defined process and a single entity responsible for collecting cyber-fraud information." Data collection would help us understand the problem better. However, we already know how to improve online banking security: MFA will go a long way toward diminishing fraud. Canadian banks claim to "work hard to prevent billions of dollars of crime each year and protect customers from credit and debit card fraud, identity theft, and mortgage and loan fraud" (Canadian Bankers Association), but they need to work harder. Similar to the EU directive, the Government of Canada should require banks to provide SCA for all their customers and accept strict fraud liability. Such regulation would make banks invest more in online banking security, educate their customers, and step up enforcement against illegal activities.
Cyber-criminals are attacking Canadians relentlessly. Many scams try to extract sensitive information (such as credit card data or online login credentials) from unsuspecting consumers. Virtually everyone has encountered phishing (tricking someone into believing that an email is from a trusted party), vishing (tricking someone into believing that a phone call is from a legitimate organization such as a tax agency), and smishing (tricking someone into believing that a text message is from a trustworthy person or organization). We are also being attacked more and more with malware and ransomware, the latter aided and abetted by the Bitcoin payment system. As the CBC's Elizabeth McMillan reported, cyber-crime is going up across Canada and most cases remain unsolved. According to that article, the Canadian Anti-Fraud Centre estimates that nearly $120 million was lost to mass marketing fraud (which includes extortion and phishing) in 2018. This bleak picture should give pause for thought. Perhaps $120 million is not much to our banks, but it is a lot of money to the fraud victims.
Even my own university, the University of British Columbia, has rolled out enhanced campus-wide login (eCWL) for all its staff when we access university online services. eCWL requires either a security token or a push-TAN to our smartphones using the Duo App. It works well, and the additional inconvenience is negligible.
Lastly, let me add one more item to the wish list for reforming banking in Canada. In my February 2016 blog post "Canadian banks should embrace electronic funds transfer" I urged banks to adopt standardized International Bank Account Numbers (IBAN) and to permit retail customers to transfer funds electronically across financial institutions. Both are eminently feasible and would increase security (by making Interac e-Transfers obsolete), increase convenience (by facilitating inter-bank EFTs), and lower transaction costs. Yet Canadian banks are still sticking to their antiquated payment system, which is no longer fit for the 21st century. The argument against change is always the same: the cost is too high. Their European counterparts prove them wrong again. They have made the switch successfully and at what appears to be very manageable cost. When will Canadian online banking arrive fully in the 21st century? When will legislators in Ottawa realize that consumer protection requires legislation, not just lip service? With the EU's PSD2 directive, Canada has a blueprint that is not difficult to copy.
Further reading and sources:
- EU Directive 2015/2366 (PSD2) of the European Parliament, 25 November 2015.
- RCMP: Cybercrime: an overview of incidents and issues in Canada
- Canadian Anti-Fraud Centre
- Canadian Centre for Cyber Security
- Howard Bilodeau, Mohammad Lari and Mark Uhrbach: Cyber security and cybercrime challenges of Canadian businesses, 2017, Statistics Canada. See also graphs at Cyber Security and Cybercrime in Canada, 2017.