Tuesday, March 1, 2016

Canadian Financial Infrastructure and the DROWN attack.

About three weeks ago, I reported that there was a security issue with etransfer.interac.ca, where the server was susceptible to the POODLE TLS attack.

Of course, before I said anything publicly, I gave CIBC a few weeks' notice (CIBC was told on February 4th) to look into it and speak to Acxsys about fixing it (all the major banks in Canada have a stake in making sure this system works well)...  To date, it's not been fixed on Interac's end, and CIBC hasn't gotten back to me either, which means they've likely not gotten very far in resolving things or it's dropped off their radar altogether.

Today, I found an additional problem.  The same server is also open to the DROWN attack.  I'm not going to go into the details about what that attack is, as it's fully documented here at drownattack.com.  There's also a complete paper on the full technicalities here.
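The precondition DROWN depends on is a server that still completes an SSLv2 handshake (or shares its RSA key with one that does), so the first thing an operator wants is a way to confirm their own endpoints no longer answer SSLv2 at all. The script below is an added example, not code from the original post or from the DROWN authors: it builds a raw SSLv2 CLIENT-HELLO, parses the SERVER-HELLO an SSLv2-capable server would return, and reports which SSLv2 cipher kinds were accepted. The cipher-kind codes are the ones in the SSL 2.0 specification; the sample SERVER-HELLO bytes are constructed for the offline demonstration (the certificate is omitted, which a real server would never do). Python's `ssl` module cannot speak SSLv2, so the check uses a plain socket.

```python
"""Defender-side check for the DROWN precondition: does a TLS endpoint still
accept SSLv2 handshakes?  Added example, not from the original post.  The fix
when this says True is to disable SSLv2 on that server and on every other
server that shares its RSA key (mail, ftp, etc.)."""
import os
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) as defined in the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

# Constructed SERVER-HELLO for the offline demo: version 2, empty certificate,
# two cipher kinds accepted, 16-byte connection id.  Record header = 0x8000 | 33.
SAMPLE_SERVER_HELLO = (
    b"\x80\x21"                       # 2-byte record header, length 33
    + b"\x04"                         # MSG-SERVER-HELLO
    + b"\x00"                         # SESSION-ID-HIT = 0
    + b"\x01"                         # CERTIFICATE-TYPE = X.509
    + b"\x00\x02"                     # SERVER-VERSION = 2
    + b"\x00\x00"                     # CERTIFICATE-LENGTH = 0 (constructed)
    + b"\x00\x06"                     # CIPHER-SPECS-LENGTH = 6
    + b"\x00\x10"                     # CONNECTION-ID-LENGTH = 16
    + b"\x01\x00\x80\x07\x00\xc0"     # RC4-128-MD5, 3DES-MD5
    + b"\x00" * 16                    # CONNECTION-ID
)


def build_sslv2_client_hello(challenge: bytes = None) -> bytes:
    """Build an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                                     # MSG-CLIENT-HELLO
        + b"\x00\x02"                               # CLIENT-VERSION = 2
        + struct.pack(">HHH", len(ciphers), 0, len(challenge))
        + ciphers                                   # CIPHER-SPECS-DATA
        + challenge                                 # CHALLENGE-DATA (no session id)
    )
    # 2-byte record header: high bit set, remaining 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes):
    """Return the accepted cipher-kind names if `data` is an SSLv2 SERVER-HELLO,
    else None (a TLS alert, an empty reply, or anything malformed)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg = data[2:2 + length]
    if len(msg) < 11 or msg[0] != 0x04:
        return None
    cert_len, ciph_len, _conn_len = struct.unpack(">HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + ciph_len]
    if len(specs) != ciph_len or ciph_len % 3:
        return None
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, ciph_len, 3)]


def _recv_sslv2_record(sock: socket.socket) -> bytes:
    """Read one SSLv2 record (header plus body); a real SERVER-HELLO carries a
    certificate and usually spans several TCP segments."""
    hdr = sock.recv(2)
    if len(hdr) < 2 or not hdr[0] & 0x80:
        return hdr
    need = struct.unpack(">H", hdr)[0] & 0x7FFF
    buf = b""
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            break
        buf += chunk
    return hdr + buf


def accepts_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Probe one of your own endpoints; returns (True, [ciphers]) if it still
    answers an SSLv2 CLIENT-HELLO with a SERVER-HELLO, else (False, [])."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            reply = _recv_sslv2_record(s)
        except (socket.timeout, ConnectionResetError):
            return False, []
    ciphers = parse_sslv2_server_hello(reply)
    return ciphers is not None, ciphers or []


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live check of a
    # server you operate, call accepts_sslv2("your.host.example", 443).
    print(parse_sslv2_server_hello(SAMPLE_SERVER_HELLO))
```

A server that is patched (or was never exposed) either closes the connection or returns a TLS alert record, whose first byte is 0x15 and so never sets the high bit the SSLv2 record header uses; that is why `parse_sslv2_server_hello` returns None for it.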

I also quickly checked to see who else was vulnerable in the big Canadian banks.

In the bad pile, we see:
CIBC.  (UPDATE: As of March 4th, many CIBC servers have been patched)

In the middle we have Scotiabank & RBC.
Scotiabank has fewer servers vulnerable.
RBC.com has some issues which RoyalBank.com does not.

In the clear is:
Royal Bank.

There are some surprises for me here:
Seeing TD in the bad pile does surprise me as they're usually pretty good with security.  I'm not surprised at all about CIBC.  I also thought that Scotiabank would fare a little better than they did.

I'll finish this post by coming back to Interac... The etransfer.interac.ca site is also vulnerable.  This doesn't surprise me as it's been a month since the first issue was reported and it still hasn't been fixed.

I have a feeling we're about to see a lot of PR about security in financial services from Canada's big banks and Interac.