Wednesday, May 25, 2016

Finally, a bank listened.

Anyone that has the smallest bit of familiarity with me will know that I keep a keen eye on the security of Canada's banks and telcos, especially those that I know are putting me or my family at risk.  I might sound like a crackpot at times to some people, but those that know me well all know that I'm not going to publicly say something if I couldn't substantiate it.

Over the past month or so, I've spoken to each of these organizations in turn (sometimes I reached out to them, other times they phoned me first), as my concern levels are now at an all time high.  Some banks flat-out said they were not going to entertain the idea of paying me for my time to explain their problems, and that's their decision - I work in IT and I'm not working for free.  Some banks couldn't answer one way or the other as to whether they will or won't entertain the idea, and one bank positively jumped on the opportunity to hear me out.

It's no secret that I consider many of Canada's banks to be a security disaster in motion; I've been saying for years that things are broken.  Things have been surreal at times (for instance, trying to fool the bank's security into thinking my dog was me), and other times I think I'm moving forward only to find myself going backwards again.  As time has gone by (and especially recently) what started off as my documentation of a small set of issues with a few root causes at one bank has snowballed into something really huge that now spans the entire Canadian financial system and expands out of it in all directions.

Obviously, I'm not going to say what I found, but it's an uncomfortable situation having the knowledge of what an amazingly precarious situation we are all in.  I know what's broken, what's not being tested, what are likely to be the major vectors to breach most banks, and what went wrong in policy to allow this to happen.  So, when I see Twitter feeds from these banks telling their customers that their online banking is guaranteed secure, it makes me cringe because I know it's not secure.  I also know that if I know it's broken, others will know that too.  Of course all the banks in Canada have a standard public mantra throughout this of "It's secure until YOU lost your acct # or password" as if they believe it could never be them at fault for a breach, even though I know they're likely already compromised and they have more than a small chance of compromising other external organisations in the process.

Now, I don't have to get into a convertible car with the top down to know that if it rains in the future that I'll get wet, because I know and understand what I'm looking at. It's like if a bank gives me an address of a branch in a town I've never visited, I can guess accurately that at night, they can't see the sun from that branch.   Same thing applies to digital banking at most banks in Canada - you don't have to hack them, go into them, or do anything untoward to them to know where and how they can be compromised.  

So, bearing the above logic in mind, I sat down with this bank and explained what's going on in Canada.  Just as the car or sun analogy above works with the average person, what I had to say worked with bank security people.  So, I covered how Canadians are at risk with their mobile apps, how the banks' online banking systems are mostly all broken and then covered the security circus that we know of as Interac.  They got it immediately - I didn't have to explain a thing...

...and then I dropped the "Here's the really, really, bad side-effect of this" bombshell.  They got that too - understood it, crystal clear.  Not a single "You're wrong!".  No mention of "That's impossible!".  There was not a single ounce of disagreement.  Finally, after a very long time, I was talking to a major bank and they're like "Everything you say is understood".  

In a surprising twist, after being asked if I've ever considered a career in bank security, I actually got asked my thoughts on the SWIFT situation.  I had an immediate four point answer on what's broken (it needs certs on messages, cert-pinning with clients and servers, hashing of messages to stop alterations and a central pub-sub number authority to stop message injections in the sequence), but as I answered, I couldn't help thinking how far this situation had turned around; usually big banks argue against me, and now here I was, being asked my opinion on how I'd fix the largest bank messaging system in the world.
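Two of those four points (authenticating each message so it can't be altered or forged, and having a central authority hand out sequence numbers so nothing can be injected or replayed into the stream) can be shown end to end in a few dozen lines. The sketch below is an added example for this post; it is not the author's code and has nothing to do with how SWIFT actually works. It assumes a shared HMAC key (a stand-in for the per-participant certificates the post calls for), an in-memory `SequenceAuthority`, and a constructed channel name and payloads.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the per-participant certificate/key
# the post calls for (assumption; a real deployment would use signatures
# over a PKI, not a shared secret).
KEY = b"demo-shared-key-not-for-production"


class SequenceAuthority:
    """Central issuer of per-channel sequence numbers (constructed, in-memory)."""

    def __init__(self):
        self._next = {}

    def issue(self, channel):
        n = self._next.get(channel, 1)
        self._next[channel] = n + 1
        return n


def sign_message(key, channel, seq, payload):
    """Bind channel, sequence number and payload under one MAC.

    Canonical JSON means any alteration of amount, recipient or sequence
    changes the bytes that were authenticated.
    """
    body = json.dumps({"channel": channel, "seq": seq, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Verifies the tag first, then enforces strictly consecutive sequence numbers."""

    def __init__(self, key):
        self._key = key
        self._expected = {}

    def accept(self, msg):
        tag = hmac.new(self._key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, msg["tag"]):
            return "reject: bad tag"          # altered or forged message
        parsed = json.loads(msg["body"])
        channel, seq = parsed["channel"], parsed["seq"]
        expected = self._expected.get(channel, 1)
        if seq != expected:
            return "reject: bad sequence"     # replay, gap or out-of-order injection
        self._expected[channel] = seq + 1
        return "accept"


def run_demo():
    """Constructed exchange: one channel, legitimate traffic plus four attacks."""
    authority = SequenceAuthority()
    receiver = Receiver(KEY)
    channel = "BANKA->BANKB"
    outcomes = []

    m1 = sign_message(KEY, channel, authority.issue(channel), {"amount": 100, "to": "ACC-1"})
    outcomes.append(receiver.accept(m1))                      # accept

    m2 = sign_message(KEY, channel, authority.issue(channel), {"amount": 250, "to": "ACC-2"})
    # Attack 1: alter the amount in transit; the tag no longer matches.
    tampered = dict(m2, body=m2["body"].replace('"amount": 250', '"amount": 2500'))
    outcomes.append(receiver.accept(tampered))                # reject: bad tag

    # Attack 2: inject a message under a key the receiver does not trust.
    forged = sign_message(b"attacker-key", channel, 2, {"amount": 999, "to": "ACC-X"})
    outcomes.append(receiver.accept(forged))                  # reject: bad tag

    # Attack 3: replay the already-accepted first message.
    outcomes.append(receiver.accept(m1))                      # reject: bad sequence

    outcomes.append(receiver.accept(m2))                      # accept (seq 2)

    # Attack 4: deliver seq 4 ahead of seq 3; a gap hides a dropped or inserted message.
    m3 = sign_message(KEY, channel, authority.issue(channel), {"amount": 10, "to": "ACC-3"})
    m4 = sign_message(KEY, channel, authority.issue(channel), {"amount": 20, "to": "ACC-4"})
    outcomes.append(receiver.accept(m4))                      # reject: bad sequence
    outcomes.append(receiver.accept(m3))                      # accept
    outcomes.append(receiver.accept(m4))                      # accept
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The order of checks matters: the tag is verified before the body is parsed or the sequence state is touched, so a forged message can neither advance the expected counter nor drive the parser. Swapping the HMAC for a signature verified against a pinned certificate changes only `sign_message` and the first check in `accept`.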

This makes a big change from the status quo.

Whilst I have no idea what'll happen next with this particular bank, my immediate job is done. They know what I know and now hopefully there will be action as a result.

As for the other banks?  Well, time will tell if any come back to the table.