A Manitoba man is warning anyone who stores their passwords on their phones, after he lost thousands of dollars in a suspected fraud and was told by his bank he was partly to blame.
Jeremy Carlson has been a member of the Steinbach Credit Union (SCU) for more than a decade.
“I was actually a proud member up until what transpired,” he told CTV News.
It was the middle of the night nearly a month ago when Carlson got an alarming notification on his phone.
“By the time I got the password changed, a lot of the damage had been done,” Carlson said.
He said someone had deposited a $20,000 cheque into his account, added new payees, and drained his savings and overdrafts – all before the cheque bounced, leaving him on the hook for $31,850.
Carlson said he reported the suspected fraud to SCU, and when asked, told investigators he stored his passwords on his phone.
He was then left in limbo for nearly a month, until this week when he got a call from the credit union. He was told only $25,000 would be covered because his phone wasn’t safeguarded.
“I said, ‘Well, what evidence do you have that my cell phone wasn’t safeguarded?’ They told me, ‘Your statement said that you stored your passwords on the phone.’”
Carlson said he keeps his passwords stored in an encrypted cloud-based service that requires his fingerprint to access.
“They said encrypted or not, it doesn’t really matter, the decision’s been made.”
But Carlson believes there could be another way his account was compromised.
Security breach at Steinbach Credit Union call centre
In November, SCU reported a security breach after its contact centre was hijacked. Over 24 hours, the financial institution said the calls were redirected by an unauthorized third party to an outside number, along with two months' worth of call logs.
In a notice to members, SCU warned some could be at a higher risk of fraud if they called and shared personal information.
Carlson said his phone was among the numbers impacted.
“If they have my phone number, that could have been the start,” he said.
SCU told CTV News it was aware of the situation but couldn’t comment on specifics.
“In general, the security of personal devices, whether it be computers or cell phones, is the responsibility of the member,” the statement reads in part.
“Regardless of whether or not the member is responsible, SCU makes every effort to recover as much of the loss as we can—unfortunately, this isn’t always possible.”
As for the security breach, SCU said its banking systems were not impacted, and as long as members didn’t share personal information, there is no elevated risk.
How to protect your passwords? Cybersecurity expert weighs in
Marc Perreault is the senior manager of security risk at Mozilla. He said password managers that have multi-factor authentication and biometric security – such as face ID or fingerprint identifiers – are good methods to store passwords.
“I would certainly have thought that these safeguards were enough and that this individual, again, not knowing all the details, has taken enough precautions to ensure the security of their information,” he said.
“I would definitely recommend folks out there, whether you’re with a credit union or a bank, to definitely review what the expectation is from your bank.”
Carlson said he is going to keep fighting for full coverage, but his faith in the financial institution has been shaken.
“Even with my VPNs and everything that I have set up that I felt I was safeguarded with, apparently I wasn’t safeguarded enough.”