Thursday, September 4, 2014

CIBC Customer Communications Fails After Data Breaches

The news over recent years has become increasingly peppered with stories about large scale data breaches.  Notable examples include:

  • Adobe - 152,000,000 records.
  • eBay - 145,000,000 records.
  • Target - 70,000,000 records.
  • JCPenney/Dow Jones/JetBlue/etc - 160,000 records.
  • Sony PSN - 77,000,000 records.
  • Heartland Payments - 130,000,000 records.
  • TJ / TK Maxx - 94,000,000 records.
  • AOL (2014) - 2,400,000 records.
  • AOL (2006) - 20,000,000 records.
  • AOL (2005) - 92,000,000 records.


As you can see, these aren't small numbers.  

The latest breach appeared this week and it points to Home Depot.  Now, Home Depot operates in Canada as well as the USA, Guam, Mexico and Puerto Rico, and much hay has been made over the issue in the media.  Home Depot themselves put out a statement on the matter, and many security experts are looking at the issue.


Neal O’Farrell, an identity theft and security analyst for credit monitoring site Credit Sesame recommends consumers use the breach as “an earthquake drill” and go through the “security routines you’ve been putting off.”...   

I had a quick think and, knowing that I use Home Depot regularly, I know there's a fair chance I could be caught up in this one if Canada is part of the breach.  Whilst I can look at my statements after a breach, I've no idea about one key aspect of my financial protection: one way I may be protected is if they geo-fence transactions and can flag a transaction that's trying to go through outside of some safety area.

It turns out I'm not the only one thinking about this.  A Krebs report on the matter (source) even says this: 

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.
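To make the mechanism Krebs describes concrete, here is an added illustration; it is not part of the original post and is not taken from any bank's fraud system. It geocodes the cardholder's postal-code prefix to a centroid, computes the great-circle distance to each card-present merchant, and sends anything beyond a radius for review. The postal-code centroid table, the merchants, the coordinates, the transactions and the 100 km radius are all constructed assumptions for the example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

# Constructed lookup: postal-code prefix -> approximate centroid (lat, lon).
# A real issuer would geocode the cardholder's billing address; this value is
# illustrative only.
POSTAL_CENTROIDS = {
    "M5H": (43.65, -79.38),   # downtown Toronto (approximate, constructed)
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    merchant: str
    lat: float
    lon: float
    card_present: bool  # True for an in-store swipe; False for online/phone orders


def geofence_check(home_postal, txns, radius_km):
    """Score each transaction against a radius around the cardholder's home.

    Returns {txn_id: (distance_km or None, "allow" | "review")}.
    Card-not-present transactions have no merchant location to fence on and
    are passed through here; a real system would apply other controls to them.
    """
    home_lat, home_lon = POSTAL_CENTROIDS[home_postal]
    results = {}
    for t in txns:
        if not t.card_present:
            results[t.txn_id] = (None, "allow")
            continue
        d = haversine_km(home_lat, home_lon, t.lat, t.lon)
        results[t.txn_id] = (round(d, 1), "review" if d > radius_km else "allow")
    return results


# Constructed sample transactions for a cardholder whose postal prefix is M5H.
SAMPLE_TXNS = [
    Transaction("T1", "Hardware store, Toronto", 43.70, -79.40, True),
    Transaction("T2", "Electronics store, Montreal", 45.50, -73.57, True),
    Transaction("T3", "Big-box store, Vancouver", 49.28, -123.12, True),
    Transaction("T4", "Online retailer", 0.0, 0.0, False),
    # The Krebs scenario: a counterfeit copy used a few km from the cardholder.
    Transaction("T5", "Big-box store, Toronto (counterfeit)", 43.60, -79.50, True),
]


def demo(radius_km=100.0):
    """Run the geofence over the constructed sample; the 100 km radius is an assumption."""
    return geofence_check("M5H", SAMPLE_TXNS, radius_km)


if __name__ == "__main__":
    for txn_id, (dist, decision) in demo().items():
        print(f"{txn_id}: {decision:6s} distance_km={dist}")
```

Run as a script it lists each transaction with its distance and decision: the Montreal and Vancouver swipes fall outside the radius and are held for review, the online order is passed through, and T5, the counterfeit used in the cardholder's own city, is allowed. That last case is exactly why the quoted crooks prefer cards stolen from stores near them; shrinking `radius_km` after a breach (the tightening Krebs mentions) narrows the window but cannot close it, since a fence around the cardholder's home can never distinguish a neighbour with a cloned card from the cardholder.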

So, I did the sensible thing and asked my bank to clarify what, if anything, exists to protect me:


I thought this was a straightforward question to ask a financial institution...  So, you can imagine the face-palm I did when I read the response pointing me to a T&C page that makes no mention of geographic protection radii.

Needless to say, I had to point out that they've not answered the question... Then I re-asked the same question, but using a different wording.




At this point, it should be pretty clear to the bank a) what I'm asking, and b) why I'm asking it.  So having not answered the question, it tries to obfuscate the issue.

Now, anyone who has followed my previous gripes with this bank (their relaxed security policies, history of foul-ups and bad communication) will know I was getting suspicious that such a number doesn't exist.

So, I changed the question to see if this reveals any security context, or if it generates blow-back:


The following answer came back...

This was the most telling response of all.

In a simple enquiry to the bank to understand how/if I'm protected on a geographical basis, the bank had first actively failed to answer the question, then tried to obfuscate the issue, then finally fell back to an "argument from ignorance" stance and tried to draw a line.

Last time that CIBC drew a line like this, the wager was made where I had to try and extract credit card information from CIBC using a labrador retriever's nose.

Now, "absence of evidence" does not imply "evidence of absence", but as a customer this is highly worrying when the "burden of proof" is on the bank and they can't explain it.

Conclusion:
To add to the litany of other security issues I know about, I don't think CIBC has me covered on this one either.  My guess is it's not geofenced and probably not even geocoded from the addresses of the banks, shops, or ATMs where cards are used.

I can test this pretty easily too.  Thankfully, this time it doesn't require a dog.