Friday, January 16, 2015

The CIBC dialogue opens up.

Most people who read my blog know that I have traditionally had a horrible time dealing with CIBC. It does appear however that after the recent issue with the IVR system raising its head again, we finally have a form of ongoing dialogue. This past week I dropped them a 7 page PDF of issues, and followed that up with an email containing some more items to do with server issues, footholds and such. Already, I've had confirmation that these more recent items will be corrected. That's good news.

The flip side is that in looking into these issues and documenting them again, I discovered some things that really didn't sit well. In showing CIBC that I could prove my hypothesis with concrete examples that they would understand, something became apparent to me as I did more thought experiments: CIBC and Bell Canada have similar issues.

In the case of Bell Canada, I'd shown Sheilagh Malloy (Bell's privacy person) that there's a security problem back in May 2013.  When I handed them evidence that there was a problem, they sent me a note saying not to "hack" into their systems and closed off the dialogue.  Ironically, this left Bell's customers in a security loophole because restricting me from showing Bell that a key works in a keyhole does nothing to address where Bell is losing the keys.  Naturally, Bell Canada customer accounts are still being compromised some two years later.

In the case of CIBC, a similar issue has come to light, where no amount of intrusion detection or technology can fix what I've found.  I'm not going to document what I've found here, to give CIBC the chance to evaluate and fix what I've shown to be problematic, but I do appear to have uncovered a sort of negative feedback loop - the more things I prove to be an issue, the more I see things are broken and in proving those items, new items come to light, and so it goes on.

I'm not a security expert, but I do have an interest in maintaining my own security and I have an interest in making sure my banks maintain my security. This comes with the added benefit that it also improves everyone else's security too.

Whilst I'm traditionally the type of customer that CIBC would have put on a dartboard, it may well turn out that my constant harping on about things could improve CIBC in ways that no amount of firewalls and filters ever could.

It will be interesting to see how this pans out, but ultimately it depends on dialogue being maintained.