Friday, November 18, 2016

Answers on the Scotiabank rogue bank programmer problem.

If you're reading this, it's likely I've just told you via email to come here for some answers to the question(s) you just asked me.  

It's been a strange time since the ScotiaBank incident went public.  Many people have asked me the same questions over and over, and I continue to get asked about it.  It's a serious time drain right now.

So, here are a few of the answers to the more common questions:

How long was this going on for?

The earliest I can confirm it was a problem was March 31st.  Given it was corrected on November 16, that's 230 days.

Did anyone else know about this?

Yes, I had previously communicated the problem to Kony's Chairman & CEO.  I'd been tracking this hidden insult over numerous releases of the app.  Mr Hogan is also aware that after the story broke, ScotiaBank quickly issued an emergency patch.  I've no idea whether ScotiaBank has apologized to him or Kony directly, though I do doubt it.

What's your take on events?

I think Canada was lucky not to have its first serious "inside job" bank cyber-heist.

When Scotiabank showed that a rogue programmer can contribute unauthorized code to an app and nobody did adequate code reviews to catch these unauthorized additions, we should be thankful that this rogue programmer only inserted f-bombs, when they could just as easily have put in a few lines of code to exfiltrate credentials en masse.
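The failure described above is a release-gating one: new text reached a shipped build without anyone having approved it. As an added illustration (not code from this post, from Scotiabank or from Kony), the script below shows the kind of automated check a release pipeline can run before a build ships: it diffs the user-visible strings of a candidate build against the previous release and the reviewed change set, and fails the gate on anything nobody signed off on. All three string tables and the watch-list patterns are constructed sample data, and the "PLACEHOLDER_INSULT" entry simply stands in for the unauthorized text the post describes.

```python
"""
Release gate: flag user-visible strings that appear in a candidate build
but were neither present in the previous release nor listed in the
reviewed change set for this release.

Added example, not code from the post or from any bank or vendor.
All string tables below are constructed sample data.
"""
import re

# Constructed sample: strings shipped in the previous, reviewed release.
PREVIOUS_RELEASE = {
    "Sign in",
    "Forgot your password?",
    "Transfer funds",
    "Session expired. Please sign in again.",
}

# Constructed sample: additions the reviewers signed off on for this release.
APPROVED_ADDITIONS = {
    "Pay a bill",
    "Your session will expire in %d minutes.",
}

# Constructed sample: strings extracted from the candidate build. The last two
# entries stand in for text that reached the build without review.
CANDIDATE_BUILD = {
    "Sign in",
    "Forgot your password?",
    "Transfer funds",
    "Session expired. Please sign in again.",
    "Pay a bill",
    "Your session will expire in %d minutes.",
    "PLACEHOLDER_INSULT: this string was never reviewed",
    "Debug: log entered credentials",
}

# Hypothetical watch list: patterns a reviewer wants surfaced even when the
# string is on the approved list. Illustrative only, not a real vendor's list.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bcredential", re.IGNORECASE),
    re.compile(r"\bdebug\b", re.IGNORECASE),
    re.compile(r"PLACEHOLDER_INSULT"),
]


def unreviewed_additions(previous, approved, candidate):
    """Strings in the candidate build that nobody reviewed: present now,
    absent from the last release, and not in the approved change set."""
    return sorted(candidate - previous - approved)


def removed_strings(previous, candidate):
    """Strings that silently disappeared; unexpected removals (a warning
    dialog dropped, say) also deserve a reviewer's attention."""
    return sorted(previous - candidate)


def suspicious_strings(candidate, patterns=SUSPICIOUS_PATTERNS):
    """Strings matching the watch list, regardless of approval status."""
    return sorted(s for s in candidate if any(p.search(s) for p in patterns))


def release_gate(previous, approved, candidate):
    """Return (passed, findings). The gate fails on any unreviewed addition
    or watch-list hit, so the build cannot ship without a human decision."""
    findings = {
        "unreviewed_additions": unreviewed_additions(previous, approved, candidate),
        "removed": removed_strings(previous, candidate),
        "suspicious": suspicious_strings(candidate),
    }
    passed = not findings["unreviewed_additions"] and not findings["suspicious"]
    return passed, findings


if __name__ == "__main__":
    ok, report = release_gate(PREVIOUS_RELEASE, APPROVED_ADDITIONS, CANDIDATE_BUILD)
    print("gate:", "PASS" if ok else "FAIL")
    for key, items in report.items():
        for item in items:
            print(f"  {key}: {item!r}")
```

In a real pipeline the three sets would come from the resource files of the tagged previous release, the approved change tickets for the sprint, and the strings extracted from the signed candidate binary; the point is that the gate compares what was reviewed against what is actually about to ship, rather than trusting that every commit on the branch was looked at.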

What has ScotiaBank said to you?

Nothing.  They're Scotiabank and I'm just a customer.  They don't listen to me, and unless they are chasing money, they won't call me either.

Did you notify them?

No. I used to help Scotiabank because I thought it was the right thing to do, but I publicly withdrew my support a long time ago after the customer/bank relationship broke down.  These days, if it's just a regular vulnerability, I leave it as a warning "canary" to see how long the bank takes to spot it.  If it's a big issue that could impact millions of people, I might document it and send it to the CCIRC.  At that point, it's down to the authorities to deal with the bank directly.

How did you find this?

I was documenting some other known problems for the CCIRC.  

Do you know of other issues?

Yes.  I'm aware of a number of them.

Should we be worried?

Personally, I banned my family from using ScotiaBank digital products, and recommended to friends (after the second October breach) to avoid their digital products.  I'm the only one to use online banking (out of necessity) in our family, and this is only done on a designated Mac with additional precautions specifically implemented for dealing with ScotiaBank.  

I don't allow the mobile apps on our devices (I saw what happened in April with the porn problem), as I believe that the bank is allowing itself to be a target for a massive breach.

So, there you go.  Those are the answers to the common questions I keep getting asked.