Wednesday, December 7, 2016

A whiff of SWIFT

Regular readers of this blog will know that when a bank tells me how safe I'm "supposed to be", I will largely view anything I'm told as hornswoggle.  All my adult life, I've listened to people telling me how much effort, technology and protocol is in place to protect me, yet, it can always be demonstrated that things are nowhere near as safe as people would have you believe.

Recently, I've been working on the hypothesis that Canadian banks spray source code around like some people spray air-freshener... that it's just flying about and nobody cleans up when it lands somewhere it shouldn't.  This hypothesis may initially sound absurd in the face of conventional wisdom, but then again, conventional wisdom assumes that the banks are actually safe - even though you can pick it apart and peel back the layers.

Banks obviously say that source code is kept suitably safe - after all, they have to say that to keep up confidence - but today, during my lunch break, I decided to do something different.  Very different.

Instead of looking for an accidental source code leak like I usually do, I assumed this time that I'm looking for code put somewhere by a programmer that really doesn't give a crap about what they're doing, and generally has no regard for customers or the bank.  This meant that not only did I have to look somewhere outside of the banks, but it had to be somewhere that bordered on maniacal to think that someone would even conceive of putting code there.

I found what I was looking for.  Yes, I was surprised, too.  Most surprisingly, in this source code was my first run-in with code that handles SWIFT transactions.  

You may remember news stories about how the SWIFT system was compromised earlier this year, well any code that interfaces with that system or interfacing with the data going through that system, should definitely not be laying around outside of a bank as that's just asking for trouble.... However, real life is often stranger than fiction, and that's what happened.  

This code is from one of the core financial services at the centre of one of the South American subsidiaries, which runs through all transaction types, and reading through the code we can see it's processing mortgages, Forex, SWIFT, drafts, deposits, and so on.  It also gives insights into how the overall service was built and what components it comprises of (a task for another lunch break, perhaps).

I won't say where I found this or which bank it is for, until I've worked out what to do with it.  Canadian banks don't always cooperate with me anyway, and given it's nature, I may have to report this directly to SWIFT to deal with.