Friday, November 18, 2016

Answers on the Scotiabank rogue bank programmer problem.

If you're reading this, it's likely I've just told you via email to come here for some answers to the question(s) you just asked me.  

It's been a strange time since the ScotiaBank incident went public.  Many people have asked me the same questions over and over, and I continue to get asked about it.  It's a serious time drain right now.

So, here are a few of the answers to the more common questions:

How long was this going on for?

The earliest I can confirm it was a problem was March 31st.  Given it was corrected on November 16, that's 230 days.

Did anyone else know about this?

Yes, I had previously communicated the problem to Kony's Chairman & CEO.  I'd been tracking this hidden insult over numerous releases of the app.  Mr Hogan is also aware that after the story broke, ScotiaBank quickly issued an emergency patch.  I've no idea whether ScotiaBank has apologized to him or Kony directly, though I do doubt it.

What's your take on events?

I think Canada was lucky not to have its first serious "inside job" bank cyber-heist.

When Scotiabank showed that a rogue programmer can contribute unauthorized code to an app and nobody did adequate code reviews to catch these unauthorized additions, we should be thankful that this rogue programmer only inserted f-bombs, when they could just as easily have put in a few lines of code to exfiltrate credentials en masse.
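
The failure described above is a missing release gate: nothing between the developer's commit and the Play store checked the shipped artifact for content that should never appear in a bank's app. The script below is an added example, not code from Scotiabank, Kony or this blog. It treats an APK as the zip it is, pulls printable strings out of every entry the way the Unix `strings` tool does, and fails on a denylist of patterns (profanity, developer leftovers, non-production endpoints). The APK it scans is a constructed stand-in built in memory; the denylist is a hypothetical starting point, not a recommended production list.

```python
"""Release-gate check: scan a build artifact for strings that must not ship.

Added example (not Scotiabank's, Kony's or the blog author's code).  The APK
scanned here is a constructed sample built in memory; FORBIDDEN_PATTERNS is
a hypothetical denylist a reviewer would extend for their own app.
"""
import io
import re
import zipfile

# Hypothetical denylist.  Each pattern names one class of "must not ship" text:
# profanity (including the starred form seen in screenshots), developer
# leftovers, and endpoints that only make sense on a dev box or emulator.
FORBIDDEN_PATTERNS = [
    re.compile(r"\bf[*u]+[*c]?k\b", re.IGNORECASE),
    re.compile(r"\b(TODO|FIXME|HACK)\b"),
    re.compile(r"https?://(localhost|127\.0\.0\.1|10\.\d+\.\d+\.\d+)", re.IGNORECASE),
]


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes (like `strings`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def scan_bytes(entry_name: str, data: bytes):
    """Return (entry, pattern, offending_string) for every string that hits the denylist.

    One finding per string, on the first pattern that matches it.
    """
    findings = []
    for s in printable_strings(data):
        for pat in FORBIDDEN_PATTERNS:
            if pat.search(s):
                findings.append((entry_name, pat.pattern, s))
                break
    return findings


def scan_apk(apk_bytes: bytes):
    """Walk every entry of an APK (a zip file) and scan its decompressed bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            findings.extend(scan_bytes(info.filename, z.read(info.filename)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a release build: a zip with three text entries.

    Two entries carry the kind of content the check exists to catch; the
    string resource is clean and should produce no finding.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("res/values/strings.xml",
                   "<string name='welcome'>Welcome to mobile banking</string>")
        z.writestr("assets/app.js", "var greeting = 'Hello'; // F**k kony\n")
        z.writestr("assets/config.json", '{"api": "http://10.0.2.2:8080/api"}')
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_apk(build_sample_apk())
    for entry, pattern, text in hits:
        print(f"{entry}: matched {pattern!r} in {text!r}")
    # A CI job would exit non-zero here and block the release.
    raise SystemExit(1 if hits else 0)
```

Run as-is, the script reports the starred profanity in `assets/app.js` and the emulator address in `assets/config.json`, and exits 1 so a CI pipeline would refuse to publish the build. A raw byte scan is deliberately crude: strings inside `resources.arsc` may be stored as UTF-16, which this ASCII regex will not see, so for a real build run the same check over the output of `apktool d` or `aapt dump strings` as well as over the raw APK.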

What has ScotiaBank said to you?

Nothing.  They're Scotiabank and I'm just a customer.  They don't listen to me, and unless they are chasing money, they won't call me either.

Did you notify them?

No. I used to help Scotiabank because I thought it was the right thing to do, but I publicly withdrew my support a long time ago after the customer/bank relationship broke down.  These days, if it's just a regular vulnerability, I leave it as a warning "canary" to see how long the bank takes to spot it.  If it's a big issue that could impact millions of people, I might document it and send it to the CCIRC.  At that point, it's down to the authorities to deal with the bank directly.

How did you find this?

I was documenting some other known problems for the CCIRC.  

Do you know of other issues?

Yes.  I'm aware of a number of them. 

Should we be worried?

Personally, I banned my family from using ScotiaBank digital products, and recommended to friends (after the second October breach) to avoid their digital products.  I'm the only one to use online banking (out of necessity) in our family, and this is only done on a designated Mac with additional precautions specifically implemented for dealing with ScotiaBank.  

I don't allow the mobile apps on our devices (I saw what happened in April with the porn problem), as I believe that the bank is allowing itself to be a target for a massive breach.

So, there you go.  That's the answers to the common questions I keep getting asked.

Tuesday, November 15, 2016

When programmers are unhappy...

Update 1:  After this post was made, Scotiabank quickly cleaned up the f-bomb on November 16, 2016, a mere 230 days after it first appeared. 

Update 2: An update covering all the questions I got about this is here.

Over the years, I've learned that an unhappy programmer is a bad thing.  What ultimately happens is that the programmer either does something bad or does something stupid - and in some unfortunate cases, does both.

Here's an example from Scotiabank that revealed an unhappy programmer, and it's actually quite embarrassing for the bank.

ScotiaBank built their current Android app using the Kony system, and this is outlined on Kony's website.


However, the unhappy developer left a "F**k kony" message in the app and then shipped it to over a million of the bank's customers.  Here's the install figure backing that up, as shown on the Google Play store.

Here's the offending message pulled from Scotiabank's Android 16.9.1 app (it was also there going back to April at least).


This is the type of thing that can make or break the reputation of an institution.  You need to keep your developers happy and address the issues they have; otherwise things slip, and what we're seeing out of ScotiaBank is the result.