Saturday, November 9, 2024

How Safe Is Your Money? The Tale of Two Banks and a Computer Hack

Have you ever considered whether the money that you deposit into a bank account is safe?  All major banks have security declarations or “guarantees” on their websites that claim your money is safe and you will be covered if money is removed from your account without your approval, as long as you follow the listed security protocols.  But is that actually true?

Unfortunately, my family had to deal with a situation where these claims were put to the test and the results were both alarming and infuriating.  In early July 2024, a hacker somehow gained remote control of our Windows 11 laptop, possibly via some innocuous link that we inadvertently clicked while surfing on our browser. Whether through monitoring keystrokes or some other unknown method, the hacker was able to access our bank accounts with TD Bank and Equitable Bank (EQ Bank).  Once in the accounts, unauthorized contacts and billers were added and used to withdraw money via Interac transfers and bill payments.  As the funds were leaving our accounts, we were notified via email and reacted immediately to report the issues to the banks, request a freeze on our accounts to prevent further access, and report the losses to the banks’ security teams.

In each case, we informed the bank that we had read the details of its “User Security Responsibilities” and confirmed that we had followed all of them.  These included:

  • Having lengthy, secure passwords that include both capital and small letters, numbers and special characters
  • Never revealing our passwords to anyone else or writing them down anywhere that could be accessed by others
  • Never leaving our computer physically unattended or providing access to anyone else
  • Always keeping our operating system updates current including all security updates
  • Regularly running anti-virus on our computer
  • Checking our balances regularly for unusual activity (which I would do at least twice a week)
  • Never clicking on unsafe links in emails or providing personal or financial information over the phone
  • Signing off at the end of each banking session
  • Informing the bank immediately if unusual activity is detected

Despite following all these protocols, we still got hacked. Considering how insidious, determined and skilled hackers are and the fact that major corporations and conglomerates around the world, with more resources than ours as mere citizens, have been compromised, I am not sure how anyone can be totally confident that their online presence is safe.  Yet we thought we would be protected because the banks assured us that our money was safe with them as long as we took the reasonably requested precautions.  The responses and treatment that we received from TD Bank vs. EQ Bank were polar opposites.

Our initial assumption was that we would get more support from TD Bank because it is a larger, more established entity with more resources, funding and hopefully insurance to deal with such cases.  This could not be further from the truth.  Within 10 minutes of being alerted about the issue, we were across the street at our local branch of TD reporting the security breach, asking for our accounts to be frozen and speaking on the phone with a TD security representative who assured us he would investigate. Responding to his questions, we advised him that we had followed all the user responsibilities that were laid out on the TD website.  This was at 3pm in the afternoon.  By the next morning, we received a text message indicating that our claim had been rejected, with no explanation as to why.  We are almost certain that this first response was computer generated and that no one truly investigated our situation.

In the text, we were given the option to further escalate, which we did immediately.  Over two weeks passed before we received a letter in the mail indicating that “upon further investigation, your claim has been rejected again”. Once again there was no explanation, and no live human contacted us directly.  The wording of the letter seemed to imply that this was a form letter. In the letter, we were given an email address to send a third escalation, which again we immediately did.

It was not until early August, a full month after the hack, that we finally had a live human call to speak with us.  She asked all the questions about security protocols once again, which we assured her yet again that we had followed.  She told us that a further investigation would be held and that it would take more than two weeks.  In the meantime, our account was left with so few funds that we were under the minimum balance required for fees to be waived. To add insult to injury, while we were waiting for these lengthy appeals, a fee of $8.95 per month was being deducted.  Yet, there was no way that I was going to deposit more money into a bank that seemed to have no intention of protecting my funds.  After another two weeks and now seven weeks from the initial loss, the agent phoned us back and said unfortunately, we had been rejected again.  I demanded an explanation as to why and was told that because the hack was initiated on our computer and not their systems, TD bore no responsibility.  In essence, unless TD itself was hacked, they would not guarantee the security of your funds.  So basically, their claim that your money is safe is bogus!

Credit card companies routinely reimburse users whose cards are hacked with unauthorized purchases.  I would expect the same protection from my bank.  If it is indeed the established bank policy that it is only responsible for any hacks on its own systems as opposed to unauthorized access to its customers’ accounts, then the security guarantees on the websites are totally misleading and need to be clarified.

We were preparing to file a complaint with the external Banking Ombudsman when we found out that we had to appeal one “final” time within TD before we could escalate beyond the bank.  At this point, it felt like TD was trying to overwhelm us with bureaucracy to force us to give up.  We were able to connect with TD’s “Senior Complaints Department” around the first week of September and our assigned representative promised to do a thorough investigation, which begs the question of what they were doing the previous two months?!?

In mid-September, we got a response and an offer.  Because two sums of money were withdrawn from our TD account and the second one happened while we were at the bank requesting our account be frozen, TD would reimburse us for the second (unfortunately smaller) amount.  But TD Bank stood by its policy that it is NOT responsible for anything that happens to your bank account unless its own servers are hacked to cause the loss.  At this point, we had been fighting for so long with so little success that we decided to accept the offer and be done with it.  We then still had to wait for a bank draft to be issued and it was not until the first week of November (4 months since the hack) that we finally received it and ended this saga.

Through most of this ordeal with TD Bank, we were shown hardly any sympathy, empathy or support.  Needless to say, after this treatment, we no longer trust TD Bank and have closed and canceled all of our TD accounts and credit cards.  We will never do business with TD Bank again.

Now compare this with our experience with EQ Bank, which did not reply right away but took two weeks to carefully investigate our case.  By mid-July, we got a personal phone call from a security representative who sympathetically apologized for our stress and inconvenience, acknowledged that the hacking dangers are serious and prevalent, then informed us that EQ Bank would be living up to its guarantees and would return all our lost funds. Not only that, but the bank also gave us the interest that we would have accrued had the money not been illegally stolen from us. Then the agent walked us through some steps that we should take to further secure our online accounts. He agreed that while this would lessen the chance of anything like this happening to us again, there are obviously no guarantees no matter how careful you are.  I have lauded the advantages of EQ Bank in past blogs, but after this experience, we will be loyal customers forever!

After the hack we took extreme measures to further protect ourselves from future exposures and would like to share these steps in hopes that it helps others be more secure.  Some of this may be overkill but after what we went through, better safe than sorry!

  • We went to computer virus specialist firms to have our laptop and all other mobile devices including phones and tablets checked for viruses.  The suspicion was that the hack happened on the Windows laptop but scans did not reveal anything obvious, which shows how deep the virus or malware was hidden.  The safest thing to do was to totally wipe out the laptop and reinstall the operating system from scratch.  Luckily, I had a backup of all our personal data, so the impact was less catastrophic although it was still painful to have to reinstall all of my applications.  The mobile devices showed no viruses either.
  • We immediately changed and further strengthened the passwords of all our bank accounts, credit cards, emails, Wi-Fi, and all other accounts that might be linked to financial data.  Our passwords are now over 20 characters long each and heavily encoded in a secure area where we can safely look them up.  Even if someone hacked into our secure location, they would need to decode the passwords.
  • On all of our devices, we have migrated to the Brave browser which is more secure and blocks ads and trackers.  
    • Unless the app does not provide all the functionality that we require, we will access our banking information via the bank's mobile app which is generally more secure than its website
    • If we must use this browser for logging onto financial websites, we never save the login credentials and clear all cookies after every use
  • From our iOS devices, we activated Face or Thumbprint authentication wherever possible
  • Wherever possible, we have enabled two-factor authentication, selecting the most secure (less hackable) method of notification in the following priority order:
    1. Authentication app like Microsoft Authenticator or push notification to a proprietary app which is tied to a device instead of a cell number or email address
    2. Text to cell phone  (*see caveats)
    3. Email
    • *While text notifications are relatively safe compared to email, they are subject to the new “SIM Swap” scam (google it if you are not aware!).  We called our cell provider and asked for a note to be placed on our accounts saying we do not authorize porting our phone number to a new SIM card
    • *Note also that if traveling abroad and buying a local physical SIM or eSIM for your visiting country, you lose access to your home cell number and therefore any text notifications.
  • We turned on every reasonable alert on each of our banking apps to be notified as soon as possible regarding unexpected activities on our accounts
    • Note that we had 2-factor authentication for TD Bank but it only sporadically sent an OTP (One Time Password) code as opposed to on every login.  The last time we were verified was in April
  • Our Hotmail (also applies to Outlook) email accounts allow us to “go password-less” so that there is no password to hack or regularly change.  Instead, all logins to our email go through Microsoft Authenticator and require a code plus face ID.
  • We will no longer ever log on to a financial institution from a Windows computer which has been proven to be more susceptible to hacking.  We will only access financial institutions via an iOS device such as our cell phones or tablets
  • We bought a new, dedicated iPad whose only function will be to access banking apps or banking websites (using the secure Brave Browser with the security measures mentioned above).  
    • The iPad will only access the internet from our secure home Wi-Fi or via hotspot from our cell phones
    • When not using the iPad, we make sure that Wi-Fi access is turned off 
    • We continue to regularly log on to our financial accounts from this iPad and check the listed transactions, contacts, billers and our personal profile information to confirm there were no unauthorized activities or changes
  • We no longer leave our laptop connected to Wi-Fi when not sitting at the computer but will log off or disconnect and go into airplane mode
  • We will never connect to Wi-Fi in a public space such as an airport, hotel, or restaurant but will use cell service instead. We will never charge our devices with a public USB port.

As much as we are now forever grateful to EQ Bank, trusting it to look after our money and to have our backs if anything happens, we wish some of its security measures could be improved.
  • Instead of account number, the user id to access your EQ accounts online is your email, which is easily hackable. To mitigate this, I created a new dedicated email that will only be used for this bank, as opposed to my primary email that I have used to sign up for innumerable online accounts through the years.  Presumably with less online presence, my new email will be more secure
  • Currently EQ Bank only supports text or email for 2-Factor authentications and alerts.  We switched to text as the more secure method but have an issue when traveling abroad when we are forced to be notified via email. I hope that it is in EQ Bank’s plans to add a push notification option in the near future.

EQ Bank recently came out with a new product called the “Notice Savings Account” which offers better interest rates in exchange for requiring some number of days’ notice before executing any requested withdrawal requests.  Currently 10-day notice accounts pay 3.5%. (Note: Rates may drop as the Bank of Canada lowers its rates).  Aside from the stellar payout on savings, there is an added security bonus.  Whereas an Interac transfer or bill payment occurs immediately, the 10-day notice adds an extra level of security.  If you check your Notice account at least once a week for pending transactions, you would be able to spot and stop any unauthorized withdrawal requests before they are executed.  Now if only there was an alert sent when the Notice account withdrawal request is first made, then such frequent checks might not be required.  This is a new product, so hopefully that will come soon.  I have voiced my desire for this to EQ Bank support.

After this extremely traumatic experience, which included scrambling to pay bills while not having access to our frozen bank accounts for weeks, it is clear to us where our money is protected and where it is not.  EQ Bank lived up to their security guarantee and TD Bank did not, and probably never intended to.  I urge anyone who has funds deposited with TD Bank to think twice and if you still want to stay with them, then make sure you do everything humanly possible to protect yourself, since TD obviously will not do anything for you if you are hacked.

It is quite possible that this is the modus operandi for all the Big Six banks, in which case the government needs to step in to protect its constituents.  The following legislation might help:
  • Force the banks to be up front and clear in their “security guarantees” to indicate that you are not protected if you get hacked, despite never divulging your login credentials and having lengthy, hard-to-guess passwords
  • Make two-factor authentication mandatory for all financial institutions, as opposed to leaving it up to the user whether or not to turn it on.  It is interesting that more and more non-financial institutions (e.g. Amazon, Booking.com) have unilaterally added two-factor authentication to their sign-on processes while it is still optional at the banks
  • Force the banks to take some level of responsibility for online losses due to hacking since currently there seems to be none

I would not hold my breath hoping that the government or banks will step up to protect us, so it is up to you to protect yourself.  While extra steps such as two-factor authentication may seem to be a pain, trust me when I say that it is nothing compared to the real pain of being hacked.