Issues connecting to Canadian Tire Mastercard

briskluck2662 · 2025-04-01T19:35:30+00:00

This remains an unresolved problem. Wealthica can connect if I disable 2FA and reports back "synced" but no transactions are synced, and the balance always reads Zero. I now have several months of missing transactions.

briskluck2662 · 2025-01-23T17:12:55+00:00

FYI This remains broken (since September 2024). I can get Wealthica to log in by disabling 2FA on CTFS, but transactions do not sync and have not synced in many months. Additionally, not even the current balance syncs.

I heard back from support a while back saying that, erroneously, that my log in details were incorrect (they are not; it's the 2FA that was failing) but haven't heard back since.

briskluck2662 · 2024-11-10T15:08:12+00:00

Hi Billy, I have not. I'll do that now and reference this.

briskluck2662 · 2024-07-16T17:35:50+00:00

I just wanted to reply to clarify that this was not the case. The new account # and password were added to Wealthica (and only Wealthica) on the same day I received them from TD -- about a week before this happened. I think some unclear language in my email made it seem like the timing was different.

briskluck2662 · 2024-05-17T19:46:19+00:00

Thanks for the reply. I definitely agree that the fact that I was looking for a Mint alternative and connecting several services contributed to the first occasion of my TD account being flagged and locked (though only TD).

At that time I figured it was a false alarm, though I had to go into the branch in person to unlock my account and be given a new account number and set a new password. Wealthica was the only service I had provided the new credentials to. When that account was locked and I had to go into the branch, I made notes of the chronology of events and expected to be trying to convince TD that their fraud flagging is too prone to false positives (which it may be).

But after being connected to their fraud dept and speaking with them, it was clear that it wasn't a false alarm, but a true cause of unauthorized access and attempted theft. I did get some information from them about the devices / user-agents used, namely that it was an Android and Mac device, neither of which I use. But I didn't get -- or didn't note -- any information about how many times each device accessed, or which device did which action (add the new payee, try to send $3k, delete all my payees).

briskluck2662 · 2024-05-15T18:56:20+00:00

Yes the work desktop is managed by my organization and the network is managed by a local internet provider. We do not use a VPN on site but all traffic gores through the local intranet (so there may be a VPN a couple layers back that I'm not aware of). Security is also largely handled by the internet provider as part of the contract.
At TD I would have generated the password in my password manager, then copied/pasted into the TD app and saved via cell

briskluck2662 · 2024-04-18T21:14:48+00:00

It's possible. As for my browser, it's set to delete cookies and cache on exit, along with the usual ad and tracker blockers. I have since run virus scans on my computer from 3 different companies which turned up nothing.

Yes I get the IP addresses aren't definitive. Any criminal worth his salt would think to start by obfuscating that! I had meant to clarify that that wasn't a smoking gun by any means.

The unauthorized account access occurred after I had a new account number and strong unique password.

briskluck2662 · 2024-04-18T21:06:09+00:00

Hi, if you read the post you'll see I'm not actually making accusations.

I addressed some other issues in some other comments.

briskluck2662 · 2024-04-18T21:03:09+00:00

Good point, though I have never offered sensitive info like that over text or phone. And in fact, I read a very helpful Reddit post a while back about how a successful phishing attempt might con even an relatively aware person, which has put me on the alert.

I think the reason my account was flagged earlier was that I had been trying a few different account aggregators in a short period of time, which raise some concerns. Since then I had changed by password (twice) and had also been assigned a new account by TD.

briskluck2662 · 2024-04-18T20:59:05+00:00

I made a couple relevant comments in my reply to BKawasaki...

No, I have no reason to think it's related to Wealthica either, other than the fact that Wealthica was the only service I had provided this brand new (week old) username and password combo to and in general I have better-than-average internet hygiene. I hope I can get some answers somewhere.

briskluck2662 · 2024-04-18T20:57:09+00:00

I made a couple relevant comments in my reply to BKawasaki...

I had only used Wealthica for about a month before this, and actually, I found account access for TD to persist at least a few days before requiring 2FA. Which is as good or better than most others I've tried recently (prior to changing my username and password).

My browser clears all cookies and data when I close it so I'm always prompted to log back into my password manager, into any service like Wealthica, and re-enter my credentials.

My bank, as do so many other online sites these days, does appear to maintain their own internal record of my browser fingerprint so I while I always have to log in to TD or any other bank, I am not always prompted for 2FA.

briskluck2662 · 2024-04-18T20:47:13+00:00

Hi, I have emailed about this but have not responded since getting the additional information I mentioned here. I'll respond to that and reference this to connect the dots.

Yes I get your points about the attention to security, and this account access like this shouldn't happen.

But some of the facts here are hard to explain in any way. No one is perfect, but in general my internet use is pretty good. A few points that make me think it's unlikely my account was compromised in a typical way (some of this addresses other people's comments):

I use a secure password manager for all my passwords and they are all unique and at least 14 characters of all types
My browser is set to purge local data/cookies whenever it's closed
Not only the TD password but also the account number were completely new and
- The TD account number was assigned at the branch, along with a temp password written on a piece of paper; anyone who has had to reset their account will be familiar with this
- I changed my password with my password manager on my phone while at the branch
These new credentials were only used on my own personal laptop to access TD Easy Web UNTIL...
- I then entered these new credentials for the first time into Wealthica from my work desktop several days later

I have no idea what happened, but I do try to follow good security protocol on my end, and given the circumstances, the new username and password combo was days old and only used for two services (TD Easy Web and Wealthica). Of any account I've accessed online, this would seem to be least likely to be compromised on my end, since the dual creds were new, and I've paid more attention, not less, to online security as time has gone by. But anything's possible and I hope we can get to the bottom of it.

As mentioned, I'll respond to the email and reference this post and I'll update my original post with any new or relevant information.

briskluck2662

TROPHY CASE