Archive for BMO

Visa and BMO Expand Flexible Payment Options in Canada 

Posted in Commentary with tags , on October 30, 2023 by itnerd

Visa and BMO announced a new collaboration to provide eligible BMO credit cardholders access to Installments, enabled by Visa. The convenient payment option is expected to launch in 2024 and enables consumers to convert qualifying purchases into smaller, equal payments made over a defined period of time. BMO will be the latest Canadian issuer to launch installments with Visa since its product launch in 2021.  

The launch will expand on BMO’s post-purchase credit card-based installment plan solution, BMO PaySmart™. With BMO PaySmart™, clients can shop in-person or online, and later convert eligible purchases into installment plan payments through BMO Online Banking. Clients can then make their installment payments as part of their monthly credit card payments. As clients continue to face economic uncertainty, they can turn to BMO PaySmart™ to maintain control with smaller, predictable payments.  

This new offering will make it simple for clients to select an installment option that fits their budget at time of purchase with participating merchants. Like any BMO PaySmart™ installment plan, clients can then view and manage these plans through BMO Online Banking.  

Installments enabled by Visa provides issuers, processors, and merchants with an installment payment option for their customers. For more information on Visa Installments, visit: Visa.ca/installments

For more information on BMO PaySmart™, visit: BMO.com/paysmart. 

Leave a comment »

Here’s How The Last 4 Digits Of Your Credit Card Can Be Used To Commit Fraud

Posted in Commentary with tags , on June 8, 2020 by itnerd

Following up on this story from last week where Bank Of Montreal or BMO was sending marketing material to customers using the last 4 digits of their credit card, I got a few people who emailed me asking what a miscreant can do with four digits of a credit card number.

Actually, quite a bit. The fact is that credit card numbers aren’t just random blocks of 16 digits. There are some mathematical relationships that hold between them. So if a miscreant knows the last four digits and those relationships, that narrows the attack surface considerably. Let me give you an example. If you know the last four digits up front, here’s what a miscreant can do:

  • All Visa cards start with 4 and all MasterCards start with 5, that’s one digit right there.
  • If you know the bank or the card issuer, that’s few more digits.
  • The type of card, be it gold or whatever, that can give you a couple more digits.

That leaves a miscreant with a handful of digits to figure out. Now, I will admit that this is still not a trivial exercise. But from my research on the dark web, this approach is successful way more often than you think. Which to be frank is quite scary. Sure they still have to figure the expiry date and the CCV number on the back of the card. But it is doable.

The fact is that a small amount of personal information can be used to perpetrate some sort of fraud. The information in question can be used to combine information that has been acquired separately. If there’s a large breach on social security numbers (For example, the Equifax hack), and credit card numbers (like some online store hack) you could link those together to perpetrate some sort of fraud. Which is why I put out the story on BMO’s use of the last 4 digits of customer’s credit cards in their marketing. It’s an attack vector. One that while is not easy to take advantage of, it is exploitable. Thus you need to make sure that you’re on the right side of this so that you don’t become the next victim.

On a related note, I have yet to hear back from BMO on my questions related to this topic. That’s a shame and I think it says something about how BMO views this situation.

4 Comments »

Why Does BMO Use The Last For Digits Of Your Credit Card For Marketing Purposes?

Posted in Commentary with tags , on June 5, 2020 by itnerd

I became aware of something that I truly find bizarre. One of my PR contacts got some marketing material from the Bank Of Montreal, or better known as BMO. In that marketing material were the last four digits of her credit card number. She found that to be very odd which is why she pinged me on this.

But it doesn’t end there. When she reached out to BMO on Twitter to inquire as to why they were doing this, they said this:

“I can advise that with marketing offer, we ask that you provide certain information, so we can track who is taking advantage of the offers we send out. This information is only used by BMO and not provided to any third parties.”

Here’s my take.

BMO offers MasterCard branded cards and the format of the card number goes something like this:

5191-23xx-xxxx-xxxx

So if I were some sort of miscreant, having the last 4 digits of a credit card makes life a whole lot easier to guess what a card number might be. Sure it may take effort to get the full card number. And then you have to get the expiry date and perhaps even the CCV (the three digit security code on the back of the card) to exploit the card for fraud. So it would take some work. But it is possible to do. Beyond that, simply having the credit card number can be enough to grab personal information to commit some sort of fraud that isn’t related to going on a spending spree with someone’s credit card.

Both of those outcomes would of course be bad for the customer.

The other thing that I will point out is that there are many ways to track if a customer takes advantage of an offer or not. There are many tools like Pardot which is made by Salesforce for example that can do this transparently. And I am pretty sure that using a credit card number, even a partial one, is not a good way way of doing this. So I was very interested as to why BMO decided to go with using the last four digits to track if a customer takes advantage of an offer. So I decided to ask them.

If I get an answer, I will update this story. But on the surface, this sounds like a bit of a risk to customers. And perhaps BMO needs to take a second look at this, as we live in times where everyone should be risk adverse.

UPDATE: I have a screen shot of the piece of marketing that this person received. I have removed all the personal information and noted where the last four digits of the credit card number is located with the words “Last 4 Digits Of Credit Card Number Above” which of course I have removed.

2 Comments »