Thursday, October 6, 2016

Thoughts on this month's #FraudChat

Toronto's Financial Crimes Unit (FCU), in partnership with other community and government stakeholders, has a Twitter chat each month called #FraudChat.  I usually try to listen in on it, and most months I have no comment.

But not this month.

I was particularly looking forward to this month's, as in Canada right now it's Cyber Security Awareness Month, and this means we were more likely to be in for some special guests.  As always, it was an informative event to follow along with.  The topic was identity theft/fraud.  Some guests concentrated on property/title fraud, but I was interested in hearing what one particular guest had to say - the Canadian Bankers Association (hereafter the "CBA").

The entire chat covered many angles, from physical issues like people dumpster diving for mail, to hacking and trojans, credit reports, scams, property title fraud, etc.  However, given my knowledge of Toronto, I was looking for signs of something specific to come up in conversation.  

Diving in a dumpster might reasonably reveal information on 1 to 5-6 people.  A trojan on your phone might slurp the contact details of 1,000 people.  When you have 20 million people doing online banking on just a handful of websites, that's where I'm interested.

Now, the CBA is obviously going to be biased towards pushing all the security onus onto the customer.  In this chat, however, all they brought to the table was a series of tweets that pointed to pre-existing articles on their website, all of which were exactly as biased as you would expect them to be (how to spot a phishing email, don't give out your personal details, etc).

I feel like this was a lost opportunity on the part of the CBA.  Whilst there was none of the usual "we take security very seriously" that you'd expect to hear from any bank or banking-related organisation, there was also zero mention of what their members were doing that was new and would tackle the existing security deficiencies that Canadian banks have.

However, every cloud has a silver lining.  The CBA website gave me something that I can use to determine what I've suspected for years, but have never been able to prove with bank cyber security.  So, as soon as I've had some spare time, I will be back with the result to the burning question of the past five years.