Monday, June 9, 2014

CIBC Security vs A Labrador Dog

Updated - January 2015 - See bottom of article

Anyone who follows me will know that I have some long-running gripes with one of my banks, CIBC. Normally I'm just complaining about run-of-the-mill stuff at CIBC, like bad customer service, the odd occasion of lying software, or people at the bank doing stuff they shouldn't with my records (that spawned an investigation, so details are not being made public). All of that, though, pales in comparison to security.

I take my security rather seriously. I definitely approach it more aggressively than my banks do. Given how low the customer/bank trust has fallen in the Coulls/CIBC relationship, I do things like give the bank a unique email address on file; this serves as a basic breach or data-sharing warning, because if that address ever receives email from a third-party company other than the bank, I know the address has leaked.

I also raise security issues with the bank, like this one recently, when their security policies meant that they had failed to proactively block their domains from credential-sharing sites (in comparison, my other bank, Scotiabank, had proactively sought this out and blocked it before I even discovered it).

May 23 2014's Twitter DM to CIBC to raise the alarm.

Now, to bring in the dog in the title...

Back in April, I asked CIBC about a security hole in their credit card IVR system. In short, the hole looks like this:
  • The bank's computer calls the phone number on file.
  • You're asked to press 1 for English.
  • You're asked to press 1 if you are the person they want to talk to.
  • The computer relays sensitive balance information over the phone.
It doesn't take a genius to spot that, from just pressing the "1" key, CIBC has no idea whether you are the nanny, the cleaner, or just the thief who took possession of your handbag five minutes earlier. In my books, that's not a valid measure of security. If CIBC were to concur that this is not a good bit of security, that's as good as an admission that they deployed a customer-facing system that gives out private balance info without any security.

That's probably worse than thinking that pressing "1" will keep out imposters.

Either way, the bank just blindly spills out information without properly verifying who it's talking to. Here's the conversation thread on Twitter with CIBC where this was first raised...
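To make the point concrete, here is an added example (not code from this post or from CIBC) that models the call-back flow described above beside a hardened version of the same menu; the PIN, the balance string and the lockout threshold are assumed values:

```python
"""Model of a card-activity call-back IVR. Added illustration, not CIBC's
code; the PIN, balance and lockout threshold are constructed for the example."""
import hmac
from hashlib import sha256
from typing import List, Optional

BALANCE = "Your current balance is $1,234.56"  # constructed disclosure


def weak_ivr(keypresses: List[str]) -> Optional[str]:
    """Flow as described in the post: '1' for English, '1' to confirm you are
    the cardholder, then the balance. Nothing in this check is secret, so
    whoever answers the phone (or anyone pressing '1' on cue) passes."""
    if keypresses[:2] == ["1", "1"]:
        return BALANCE
    return None


class HardenedIVR:
    """Same menu, but disclosure requires a secret only the cardholder knows,
    compared in constant time, with a lockout after repeated failures."""
    MAX_ATTEMPTS = 3

    def __init__(self, pin: str):
        # Store a digest rather than the PIN. A 4-digit PIN is trivially
        # brute-forced offline, so the lockout below (and, in a real system,
        # a salted slow hash or an HSM) is what actually protects it.
        self._pin_hash = sha256(pin.encode()).hexdigest()
        self.failed = 0
        self.locked = False

    def call(self, keypresses: List[str]) -> Optional[str]:
        if self.locked or keypresses[:2] != ["1", "1"] or len(keypresses) < 3:
            return None
        entered = sha256(keypresses[2].encode()).hexdigest()
        if hmac.compare_digest(entered, self._pin_hash):
            self.failed = 0
            return BALANCE
        self.failed += 1
        if self.failed >= self.MAX_ATTEMPTS:
            self.locked = True  # nothing is disclosed until reset out of band
        return None


if __name__ == "__main__":
    print("weak, any caller pressing 1 twice:", weak_ivr(["1", "1"]))
    ivr = HardenedIVR(pin="4827")
    print("hardened, no PIN:", ivr.call(["1", "1"]))
    print("hardened, right PIN:", ivr.call(["1", "1", "4827"]))
```

The difference is that the weak flow's "are you the cardholder?" step can be satisfied by a fixed, public response, whereas the hardened flow ties disclosure to something only the account holder holds.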

Twitter Conversation With CIBC

As you can see, the people at CIBC dropped the conversation there and then... They never responded and never followed up.

However, I did speak with someone who works as a consultant at a rival bank about this over beers, so the CIBC security hole didn't go away just because CIBC wasn't taking it seriously.

A challenge was then laid down to see if we could train a dog to press the "1" key on a telephone every time it hears "Press One" on the speakerphone. If we can train a dog to do that, we can prove the bank's current security measure can be breached.

Before I started training a dog to do this, a seed of doubt had been sown in my mind by "EH" above... What if my memory was incorrect and it had asked for a password or some other code, and I'd just entered it without thinking? We would have to wait until CIBC's computer called again to double-check this...

Tonight, it called. It didn't ask for anything, and the above script of pressing the "one" key twice gets the details spilled, just as I thought.

This means it's game on... the challenge has been accepted and I will now attempt to train a Labrador dog to show it can circumvent CIBC's security.

Update - January 6th, 2015

It's been nine months since this was raised with CIBC. I never did get the dog to trigger the bank into giving out information, and so I lost the wager, not because CIBC is particularly "dog secure" but because it's simply too damn hard for my dog-training "skills" to get a Labrador Retriever to reliably use a touch-tone phone. However, today their system got triggered again and it called me. Amazingly, this security hole is still there; they haven't addressed it in over nine months.

I think it's time to go double-or-quits on the original wager and see if I can breach CIBC using one of my two-year-old twins in place of the dog.