Wednesday, February 25, 2015

The CIBC Canary

Following on from my post last month where CIBC finally opened up a dialog, it's time to post a quick update on the results.

In short, the first item that I had raised (See here for backstory) has been addressed in that sort of way only a bank could deal with it:  Having raised a number of scenarios where it can be shown they've no idea who's on the phone system talking to their credit card system, they agreed to remove me from that system and put me back to paper.  Whilst that solves my problem, in my opinion it does nothing to address the problem for millions of other people.

The other issues I raised in my 7 page report to them (about runaway data, policy failures, etc) were "conveniently" ignored in the letter they sent me in response.  However, I did note today that some of the issues are being addressed in the form of a cleanup operation.  

Of particular note was an example of runaway data when accounts are compromised.  Because compromised accounts don't appear on CIBC's radar, they don't get cleared up.  One example I sent them was this (I've blocked out the cc number as I've no idea if CIBC replaced the card yet):

  
As you can see from the transit code, this is a Commerce Court based account that was compromised.    I've known for a long time it was compromised and used it as an example to CIBC in my report.

Today, that same information is removed.


This is superficially good news - at least Mr Donald J Steadman is now "safer" than he was.  

I say superficially, as some instances have not been cleaned up.  By not explicitly telling CIBC where all the accounts are, the public has a digital "canary".  When the other compromised accounts "die" and disappear from the Internet, we know CIBC has caught up on security and policy enough that they're actually scanning for this type of leak.  If they remain visible, we know that CIBC is still wrestling with the concept of runaway data.

For those with no idea about canary's, an excellent example was Apple's "Warrant Canary". Apple was forbidden with telling the public that it had been subpoenaed for information by the US Gov. So, what it did was put in it's transparency report that it had not been subpoenaed.  When that statement disappeared, it meant that they had been subpoenaed, without them actually saying it.

The same principal applies to CIBC in this instance.  When the cleanup is truly visible, you can infer that CIBC has a grasp on the data issue - but all the time the canary is visible, you know it's still a problem.