The National Bank has broken its silence regarding the phishing campaign that affected dozens of its corporate clients during the month of September. It says that, in the “vast majority of cases”, affected customers have already been fully compensated, and that the remaining cases will know their fate very quickly.
“We are hopeful that we will be able to recover the sums lost for all of our customers,” said Geneviève Turbide-Potvin, first vice-president, business and Private Management 1859, at the National Bank, in an interview with Le Devoir. This may seem like a long time, because “we analyze things like an insurance company would,” she adds. “We are in the process of finishing our study. When the money comes out [of the bank] and goes to several places, it takes a while.”
Accompanied by her head of information security, André Boucher, Ms. Turbide-Potvin wanted to reassure the affected customers, who are all small or medium-sized businesses: the bank is completing its study of the phishing cases that occurred in September, in which some of its customers saw their bank accounts completely emptied, including, in some cases, their line of credit.
“Of course it’s difficult for the customers who are going through this, but the customer connection is very important to us. I repeat, let them call us back, let them even ask me by name,” declared Geneviève Turbide-Potvin twice during the interview.
“Lessons to be learned”
There are a few common threads in how the dozens of customers affected by this phishing campaign saw their money disappear. Most importantly, the hackers emptied the accounts by making several dozen wire transfers in a very short period of time, at a time when entrepreneurs are usually busy elsewhere.
It is surprising that this practice did not sound an alarm within the National Bank’s security teams, observes Steve Waterhouse, cybersecurity expert and lecturer at the University of Sherbrooke. “In this type of situation, we expect the financial institution to be able to spot seemingly abnormal transactions,” he says. “When we go on a trip and we don’t notify our bank, they won’t hesitate to block our transactions. People, especially traders, generally behave in ways that are easy to recognize – banks have known that for decades.”
The head of IT security at the National Bank, André Boucher, admits that system protection will need to be strengthened. “There are going to be lessons to be learned,” he said. “We need to be more vigilant. Pirates are very vigilant too.”
The Bank cannot guarantee that attacks of this type will not occur again, adds Mr. Boucher. He also cannot indicate whether the Bank is acting in concert with the authorities to try to trace the hackers who stole hundreds of thousands of dollars from small Quebec businesses.
Mr. Boucher, however, guarantees that there is “no indication in our investigations” that the phishing campaign came from an internal source. “The bank remains the safest place to keep your money.”
All banks
Financial institutions are a prime target for hackers, who can easily send several thousand emails dressed in the branding of big banks to try to scam Internet users. Out of that many, it is not impossible for a few dozen people to take the bait, which would produce a result like what is currently happening at the National Bank.
However, contrary to what one might think, protection such as two-factor authentication to access one’s account via the Internet is not necessarily enough to completely protect oneself from these attacks.
“In the world of hackers, there are always people on the lookout, we saw them send out fraudulent text messages quickly after the attack,” noted André Boucher.
Steve Waterhouse also notes that even an RSA security key, a small key that you keep in your pocket and which provides a security code that renews every 30 seconds, is not entirely hacker-proof. “This scenario is likely if the pirate skates quickly,” he illustrates.
“Otherwise, it takes spy software that logs keystrokes – if it sends the information to the hacker in real time, he has 30 seconds to do it. It’s not easy, but it’s not impossible either.”
Faced with this phenomenon, which is growing every year, banks are putting their reputation at risk. But the public also has a certain responsibility, Steve Waterhouse qualifies.
“All institutions are under attack,” he said. “The National Bank, before that Desjardins, and even the other Canadian banks – RBC, Scotia have also had their incidents. If as a customer you change banks, you only move your problem to another place if you do not adopt safe practices.”