Tuesday, June 30, 2015

IVR Security Hole Redux with CIBC

In January, I was dealing with the bank CIBC over an issue with their IVR system.

To recap, there was a problem with their automated system, where it would call and ask the person who picked up my phone to "press 1" if they were me. If someone pressed 1, the bank would not verify whether that person was actually me, or the cleaner, the child-care assistant or the robber who had just stolen my phone, and would rattle off what I consider to be personal information.

Obviously, I wasn't happy about that security hole, as I had reported it in early 2014.

Eventually, in January 2015, a dialogue opened up with the bank (after I complained that the hole had been there for 9 months since I first reported it), and the solution was that, rather than fix the issue for everyone, the bank would unsubscribe me from it. This meant I was at least protected, even if nobody else was.

Six months have now passed and CIBC has reversed this security fix and the system called me again today.

Seriously...