Thursday, December 21, 2017

My Scotiabank Report to the OPCC is submitted.

So, as many people know, I've been communicating with the Office of the Privacy Commissioner of Canada about the ongoing abysmal cybersecurity farce at Scotiabank (codenamed "Project EaglePuff"). 

During a recent communication with that office, I agreed that I would consider possibly documenting some of the evidence behind what I know, to help the government grasp the magnitude of the Scotiabank cybersecurity problem and do my part to protect the general public from what these clowns at the bank are doing. That report was completed and submitted last night. It's 40 pages long, which is longer than I had anticipated.  

As you can guess, being a customer of Scotiabank has long tarnished my view of the organisation. Years of having to fight tooth and nail for a resolution to every single issue means I got tired, and for years have just let stuff slide into the black-hole of customer service oblivion at the bank. 

However, my patience only goes so far.  Years of having the bank continually try to screw me over, and dealing with arrogant people who don't give two hoots eventually got to me.  

When I realised the link between the Visa card leaks, the corporate account leaks, how the cloud was compromised, how I could hand the RCMP the SOA key, and why paying my mortgage is so damn difficult for the bank to fix, I concluded that whilst the bank will probably continue to soldier on in its usual fashion, as one single person I could finally make a difference to help millions of others.

Here's the first page of the synopsis:


Here's the continuing page of the synopsis:


As you can see, it's not exactly a good tone.  However, it does give the Government plenty of ammo regarding foul-ups across three countries, and a multitude of organisations.

This is a two-part operation: the OPCC report to the government is the first part, and is effectively loading gunpowder into the cannon.  Part two (the cannonball) is being organised right now.

Tuesday, December 12, 2017

Israeli Cybersecurity To Save Scotiabank?

Apparently, a company that can't secure its own WordPress site is going to be the saviour of Scotiabank's cybersecurity.

Also, I've had a long chat with the Canadian Government...

Friday, December 8, 2017

I bought a Christmas Octopus at Starbucks

In this vlog, I talk about my trip to Starbucks and how I bought a Christmas Octopus there. 

Thursday, December 7, 2017

Scotiabank is also using Israeli Cybersecurity

Yesterday, it came to light that Scotiabank is copying TD and teaming up with Israeli talent to do cybersecurity.

I'm keeping my eye on this closely, given how atrociously Scotiabank currently manages third parties.

Monday, December 4, 2017

The second annual review of Scotiabank's IT security.

It's that time of year again.

Here are the second annual highlights, showcasing how truly ridiculous IT security got at Scotiabank this year.  

Wednesday, November 29, 2017

Christmas is coming...

Christmas is coming.  Everyone is making things.  In the case of my neighbours, they've been brewing stuff for 8 months.

Monday, November 27, 2017

Color grading your vlog in FCPX

Today's vlog entry covers how I do color grading in Final Cut Pro X of the vlogs, and what the difference is when done.

Friday, November 24, 2017

Thursday, November 23, 2017

Hidden Tetris and Pong on MacOS

After the Windows 3.1 video, I was asked about whether there are hidden things in Mac OS.  So, here are Tetris and Pong, which ship with every Mac.

The 100th Vlog entry...

So, I had grand plans for this episode, then something unforeseen happened. ha ha! 

Monday, November 20, 2017

Running Visual Basic 3 on Windows 3.1

Today's vlog entry is a trip down memory lane, where I go back to my professional programming roots. 

Friday, November 17, 2017

100th Vlog entry coming up...

So, in today's vlog, I cover that I've hit 10,000 views and got monetization switched on...  Also, I'm canvassing questions for the 100th episode.

I knew when I retired this blog from long form posts, that the 100th episode would happen at some point, but it's still exciting to actually be approaching it for real! 

Thursday, November 16, 2017

Programming Mobile Devices

In this vlog entry, I cover some of the mobile devices I've programmed over the last 19 years.

Tuesday, November 14, 2017

Project EaglePuff

If you're not familiar with it, Project EaglePuff is the codename for the ongoing Scotiabank cybersecurity problem.  It was chosen as a stupid codename for what is, really, a brainless set of leaks, that were wholly preventable.

The size of the leak has grown from over 750MB to >1GB now - and now covers a large IT vendor in Toronto, Scotiabank Chile, Scotiabank Mexico, as well as one of the cloud companies that Scotiabank was touting some months back. 

Whilst one of the leakers has realised that certain files shouldn't be public, they've already been curated and documented, so will be handed over as evidence that they were out, when the time comes.

My work is now basically done - I've proven that Scotiabank can't secure stuff the way they should - so, I'm now just waiting for advice on steps.

Friday, November 10, 2017

Getting stuff done...

Today, I cover the simple trick to how I get stuff done.  Really, it's not rocket science, but it's the one simple thing that I do which generates the "You really get more stuff done than the average person" comments that I frequently hear.

Wednesday, November 8, 2017

YouTube Keywords

This vlog episode covers what I learned about YouTube keywords, and how larger companies are not using them...  Which means they don't understand that YouTube is actually the world's second largest search engine (after Google), and if you don't tag your videos, then the search engine will give preference to those that do.

Tuesday, November 7, 2017

The slang I grew up with

In this vlog episode, I cover the various slang influences that I grew up with...  These include, Carny, Cockney, Gypsy, Polari, and Butchers Backslang.  

This was a fun one to record, but a pain in the butt to edit.  ha ha!

Monday, November 6, 2017

Visa Canada's First Reaction to the Scotiabank Breach...

So whilst I wait for the Canadian government to respond on some jurisdictional matters (as this breach covers three countries), it was time for me to engage another stakeholder in the matter - Visa Canada - as I've identified credit card transaction information that belongs to Visa customers....  

... yeah, it went about as well as can be expected.  

Wednesday, November 1, 2017

I got my first vlog dislike...

After running the vlog for some months, I finally hit a new milestone...  I got my first "dislike"... ha ha!

Monday, October 30, 2017

Tuesday, October 10, 2017

Update on the Scotiabank API Breach

Just a quick note to say that as of 11:49am (EST) on Oct 10, 2017, it appears that the CCIRC has successfully removed the Scotiabank security breach.  The offending repository is gone.

Now, this isn't the end of this story - another breach is identified...  More to follow in the coming week.

The dangerous cybersecurity pattern I see at Scotiabank

I’ve noticed something of a dangerous repetition at Scotiabank in Canada.  

October is Cyber Security Awareness Month (CSAM), and for the second year in a row, during CSAM, I found the bank has been compromised and more by luck than skill has dodged a catastrophic cybersecurity problem.

In April 2016 I noticed that Scotiabank was pushing out Android mobile apps that had an “unauthorised addition” in them, after a frustrated programmer added their own personal content to drop an f-bomb at one of the bank’s vendors.  Trying to alert the bank went nowhere and by summer the Canadian Federal agency “CCIRC” (Canadian Cybersecurity Incident Response Centre) was alerted and monitoring the situation too, as regular updates of the app were pushed out by the bank with the unauthorised code.  Scotiabank finally got the message after 230 days on November 15th 2016.  On November 16th Canada had “f-bomb free” apps.

This means that during CSAM 2016, Scotiabank was compromised and not aware of it, even though everyone around them was fully aware.

We can only infer that one of two things happened: either someone checked that code and OK’d the insult (an unlikely scenario), or we were seeing that if a terrorist wants to get code out to the masses, they just have to get a job as a mobile programmer with Scotiabank.

Given the situation that unsavoury additions to apps were pushed through to the public, the bank was extremely lucky that any offender only chose to insult a vendor, rather than adding code to syphon off customer information.

For CSAM 2017, the situation repeated, but it also got markedly worse.  

I reported to the CCIRC on October 7th 2017, that a vendor to Scotiabank had posted the keys for the backbone API of the bank to a public GitHub repository.  

In addition to the keys, the source for a Windows-based security application was also public, and the XSDs for that API as well as the mock XML requests and responses and other documentation for that API were also available.  I also spotted that a .Net DLL for client side security (referenced in a December 2016 leak) was included, and this was fully reverse-engineerable with no obfuscation. This meant that two annual leaks could be cross-correlated, and the DLL used both the AES key and Triple DES key that were in this latest leak, too.

The icing on this cake was that this information has been public since November 2015.

In conclusion, what really got me during this episode is that Scotiabank has been potentially compromised for two years, and it’s going to be really tough for Scotiabank to prove that nobody has already used this information to gain unauthorised access to that API.

Sunday, October 8, 2017

How I ended up with the keys to Scotiabank

So, in a chain of events that doesn't surprise me in the least, I have pointed the CCIRC (the cybersecurity bit of the RCMP) at a public GitHub repository that contains a security breach for Scotiabank, originating at one of its partners south of the US. 

In short, I was researching a YouTube video for Cyber-Security Awareness Month, and knowing that all big banks in Canada have a problem with leaking code into GitHub, went to look for a common example of Scotiabank's continual leaks.  

Like the TCS leak back in summer, I found more than I was bargaining for, and immediately had to notify the authorities.

To summarise the situation:

  • The AES and TripleDES keys to talk to the back end of the bank are public.
  • Windows software that is supposed to be used for security work within the bank is public.
  • The client security library described in the 2016 breach is now public.
  • The XSDs for the com.bns.soa API are public.
  • All the mock requests and responses for the API are public, along with documentation on how the service works.
  • Somebody wrote the username/password in plain text and stored that in a text file.

As you can guess, it turned out that when I looked at the library, it's not been protected either, so anyone can reverse the binary back to source in less than a second.  That same library was used by the Windows software that was leaked in its Visual Studio source-code form...

Oh, and this has all been wide open since November 2015.

The big question while I wait for the CCIRC to clean up this mess is how Scotiabank can prove that nobody else has been going in for two years.

Anyway, more details in the vlog about this...


Monday, September 11, 2017

I'm back in the news...

So, as the title says...  I'm back in the news.  The actual article is here in The Register.

The follow up video explaining how this came about (no surprises for the subscribers of my Vlog) is here.

As of writing this post, I can see that at least two people at Scotiabank have gone to my LinkedIn page, though I've no idea if they're people looking to solve the problem, looking to cover their own backsides, or just curious.

LinkedIn says this on the "Who's looked at your profile"...

I have sent an email to the Scotiabank Office of the President again, to recap the situation to them, as they're still non-responsive after 12 days.

So, where are we at now it's Monday morning?  In short: 

  • Scotiabank's Digital Factory website wasn't fixed over the weekend, and many more people are now aware of how shockingly bad the bank's I.T. is, through this demonstration.  
  • Scotiabank still has two of my mortgage payments lost in the system and the boneheads at the collection department are still calling about the money the bank has lost.
  • Many more people now know about the type of bad crap I'm having to put up with.

Thursday, September 7, 2017

Just when you think Scotiabank could not get worse...

So, 9 days ago, Scotiabank lost my mortgage payment in Interac again.  The money is inside Scotiabank somewhere.

The Office of the President are apparently looking into this - and obviously as the left hand doesn't talk to the right hand, the Scotiabank collections department looking for that payment don't like being told to talk to the President's office who are also looking for that payment.

So, today I sent through another mortgage payment.  It is now stuck as well.  That means inside Scotiabank, between two Scotiabank accounts, there are two mortgage payments.

I swear - the ineptitude of Scotiabank knows no bounds.

Thursday, August 24, 2017

The Scotiabank Talk - Part 4

The final part (part 4) of The Scotiabank Talk is up on YouTube.

In this part I cover organized crime, customer service, and show how everything I've covered in this series leads us to an incredibly stupid juxtaposition at Scotiabank where use of HTTPS is concerned... 

Wednesday, August 23, 2017

The Scotiabank Talk - Part 3

Just a quick heads up....

The YouTube serialization of the Scotiabank Talk continues. Today part 3 went out.  

Monday, August 21, 2017

Scotiabank finally fixed the HTTP problem.

I noticed today that Scotiabank had quietly sneaked out v17.7.4 of their Android app.

Amongst the list of improvements was the omission that Scotiabank had finally dumped the Enstream framework with the insecure HTTP (not HTTPS) connection to BWANET.CA (Bell Canada), that I've complained about since December 2016.

Whilst I still think Scotiabank is highly dodgy, technically, and a horrible bank to be with, this fix does make mobile banking safer for all of Canada.

The Scotiabank Talk - Part 1

Just a quickie, in case you missed it:

I'm starting to serialise a special version of what I previously talked about on YouTube.  This series is specific to the silliness seen coming out of Scotiabank.

Thursday, July 27, 2017

See you on the flip side...

TL;DR - I'm pausing this blog and now I'm found over here:

As regular readers of this blog will know, this blog has been around for a lot of years.  A lot of work has been put into it, and I'm happy with what it has achieved over time.  It has grown from a tiny seed where it would get 10 to 15 views a month, to where it is in summer 2017, with about 10,000 views a month. It has covered everything from humour to technology, to banks and parenthood.  However, some issues crept in along the way, and I had to take a long hard look at why I continue to do this, and what I'm now trying to achieve.

Originally, this was supposed to be one man's personal blog about the random things that interest him. Somehow, it predominantly became a blog about Canadian banks, and yet there is so much more that still interests me personally - but having documented all the crazy banking stuff here, there's not much time left for anything else.  

Additionally, this blog feels dry and "ranty" whilst anyone that knows me personally knows I'm actually a relatively fun person, but this never comes across in this blog.  

Times have changed, and so have I.  I started this blog as a younger carefree guy, and now I'm a dad with kids and such... I started this blog when blogs were a thing, and now YouTube is the de facto place where people vlog instead of blogging here.  

I have other goals and aspirations, and one of those goals is to spend more time doing video and less time doing typing.  I simply enjoy it more.  Additionally, there is the added benefit that with videos, I can more accurately portray who I am as a person - and make this fun again.  This is supposed to be fun for you as well as me - and as things stand with this being a predominantly bank-related blog, it's simply not fun any more.  

If you're arriving from one of the banks, or any government agency, the YouTube channel will have videos grouped into Playlists, so you can find just the banking videos that you're probably looking for. 

So, I'm now over here - feel free to pop over and subscribe:

I will keep this blog up, as I may come back to it in the future when I find a good reason to add stuff here, but for now, the regular future posts are over on the YouTube channel where I can put more context into things and make this fun again.

Wednesday, July 26, 2017

Banking Silliness

Just when you think the ScotiaBank/Interac debacle is over...  Day 26 and things go wrong... again.

Still experimenting with the idea of migrating the blog to the vlog. 

Whataboutism, Skewed Logic and Invisible Dinosaurs.

I'm experimenting with the idea of moving this blog to the VLOG.  

A) It's quicker for me to knock out 5 minutes of video, than type for 15 minutes.  
B) It gives me a chance to get across things like tone (so it's not so dry), as well as emotion and other things that are sometimes missing in the written blog.
C) Also, it gives me a chance to practice my FCPX skills.

Here's yesterday's entry on Whataboutism, and what you need to apply a rational mind to the amount of BS that we're bombarded with these days.... oh, and invisible dinosaurs.

Sunday, July 23, 2017

A lazy Saturday

Had a lazy Saturday.  Wife and twins went to Wonderland, so I got a day at home by myself (that's not happened in a long while).

Thursday, July 20, 2017

This made me chuckle...

Just ran across this...  It made me chuckle.

The Scotiabank & Interac Debacle - Day 20 - A Result

So, the President's office at Scotiabank just called me (10:15am).

They've apologised and will refund the dollar.  They're also offering an extra monetary goodwill gesture for my troubles.

The thing I'm most happy about was finally speaking to a person who actually listened and didn't deflect my frustration at the bank.

Whereas when things get tough with CIBC they can assemble a room of senior people to hear me out, Scotiabank said this was not possible with them.  They are therefore going to read through some documentation I'm going to send them to see if there's anything else that can be resolved.

I've had years of pain with Scotiabank, and this quote always comes to mind.

The Scotiabank & Interac Debacle - Day 20

It's been nearly 24 hours since I sent in my formal complaint to Scotiabank and CC'ed the OBSI and Interac.  Neither Scotiabank nor Interac had the courtesy to acknowledge receipt of the email in the 22 hours since, but I know someone at least is looking into what I've publicly said previously.

The reason I know it's being looked into is someone's case management system went through 22 pages of the blog yesterday.


Wednesday, July 19, 2017

You couldn't make it up...

Something just happened that makes me want to bang my head on my desk.

Twitter followers will remember that I told ScotiaBank and Interac on the 14th July, that if things were not fixed by Monday, I'd be escalating.


...naturally, nobody did anything with this. As of this morning, it was still unresolved.  It's now the 19th July and around 4 hours since I pulled the trigger to get this escalated by submitting a formal complaint.

So guess what happened?  Scotiabank's twitter team now responds... 


Of course, I've no idea now if this is a result of someone higher up at the bank yelling at them to stop ignoring customers, or what...  Either way, it's a bit late now.

Seriously, you couldn't make this up. 

A TED Talk video just appeared

Most people know what I do (See here if you don't). I like doing work that makes the world a better place.

The TED talk people just released this 2014 talk on YouTube from their archives...   

It's a little bit dated as that scanner hardware was retired a few years ago, and the current generation scanner is a lot smaller and faster than the one shown... Also, the software is a lot different as I wrote new apps in 2015 and added more in 2016.

Anyway, it's an interesting video that explains how this all got started. 

The ScotiaBank & Interac Debacle - Day 19

Just a quick update...

It's day 19, and a formal complaint has been submitted to Scotiabank.  I know we're only talking a single dollar here, but it's the principle of the matter.

Tuesday, July 18, 2017

The Scotiabank & Interac Debacle - Day 18

So we've reached day 18 without resolution on the Scotiabank and Interac silliness.  

Here's something to consider: 
Scotiabank read this blog 18 times last week.
Screen Shot of Analytics Log

Both Interac and Scotiabank were pinged on Twitter about the matter last week, and obviously Scotiabank is also aware of the issue through the blog given the number of times they're hitting the pages of this blog.

As of posting this, they've looked at this blog 4 times today already, too, so it's now looking bad that this hasn't been resolved.

Monday, July 17, 2017

The Interac Debacle Day 17 - An Interac Anecdote

I needed to test some lighting to see if it was viable for some chroma-key (aka "Green screen") work I want to do for another project, so recorded this little story that I wanted to share and save some typing at the same time... 

...and yes, I spotted the lighting problem, too.  That needs fixing before I try this again. 

The Interac Debacle - Day 17

Just a quick update...

As you know, both Interac and Scotiabank are aware of the issue....

...but nothing has been communicated back to me in the way of a resolution.

As I'd not heard anything, I just went online to see if Scotiabank had quietly sneaked anything back into the account without writing to me.

I was just greeted with this.



Thursday, July 13, 2017

The Interac Debacle Continues - Day 13.

A quick recap:
1) We had a problem in Canada with Interac (Link) where I predicted that ScotiaBank would likely be dishonest and double-dip on fees.
2) When the money finally showed up, sure enough they double-dipped (Link) on fees.

Where we are at now (Day 13):
I just got off the phone with Scotiabank and the lady I spoke to is claiming that although Scotiabank charged me the Interac fee twice, I need to ask Interac and not Scotiabank to refund the $1 that was charged for the transaction that never completed.

I know we're only talking about $1, but it's the damn principle of the matter at this point.  

Tuesday, July 11, 2017

How do you fix mobile banking in Canada - Part 4

Some years ago now, I found myself looking at a SQL backup file. It was for a Caribbean arm of CIBC bank, and contained competition entries from one of their Caribbean websites. It displayed names, email addresses and phone numbers, but not banking info.  Someone thought it was perfectly fine to backup those competition entries and then just upload the entire backup to the web server....  Back in those days, I was a bit wet behind the ears with bank security and so I reported the problem directly to the bank, thinking that it would be expeditiously rectified.  From what I remember, it stayed up for what seemed like an eternity.  I guess that the problem rattled around inside the bank for a bit, until it was finally removed later, when the entire Caribbean site platform was pulled down and re-done as part of a global re-working of all their websites.

Later, about six years ago, I sold one house and bought a new house. I logged into CIBC and changed my address and entered my new postcode.  Some time later, having not received any statements and such in the mail, I checked my details and saw that someone at the bank had entered that I'd moved somewhere else.  Again, I changed my address back to the correct one, and reentered the correct postcode.  Then I checked the site every day to see if it changed.  Sure enough, it soon changed back to the wrong address and wrong postcode.  Perplexed as I know where I lived whilst the bank seemed to think I was living somewhere that I wasn’t, this time I took screen shots and recorded the times that I made my changes, documented what I was entering, and then when it changed the next day, I raised the alarm at the bank that someone was deliberately tampering with my personal details behind my back.  This was one of two straws that broke the camel’s back of trust with me and that bank for many years (the other being some transaction stupidity similar to what I’m going through with ScotiaBank right now), and so an internal investigation was opened up at CIBC. Whilst I never did find out anything more than someone had repeatedly edited my details for no reason, and the bank had confirmed that, it reinforced a viewpoint that I’ve held for some time; that sometimes people do some really ridiculous things when they've got access to server side data that they really don’t need access to. 

These two issues are partly how my interest in server side security at the banks got started.  Wherever I looked, I saw something that was wrong. Other people, especially criminals, might be interested in working out how to get to the underlying data and services these servers provide, but the big question I was personally interested in answering (because I’m into technology) was not finding out what the data was, but looking at how the servers themselves could be grouped by administrative problems, errors or cutting corners.  If you can spot a pattern, you can "read" how a bank prioritises issues. If a bank fixes something that affects its brand quicker than something that affects customers, you can draw conclusions from that about bigger issues.

Each bank in Canada has its strengths and weaknesses, as you’d expect.  You can tell a lot about how a bank operates from its servers and how things are deployed publicly.  Some banks like TD or RBC will secure the servers well, but then allow phishing on their websites, or undermine efforts in some other fashion.  Banks like Scotiabank have a litany of issues, far too many to mention in detail, and in many cases stuff has just been left unsecured for years. Kids can just use simple "Google Dork" queries to access stuff that’s broken or incorrectly secured, as Google indexed it years ago (for example,, or, and so on) and that’s before we get to the bigger problems they have with server code sprayed all over the internet, unauthorized code making it to production, etc.  Some banks like CIBC will do things like leave servers sitting on the default Microsoft IIS welcome pages, which always makes me wonder a lot about what’s going on, because if the IIS page is the default, are the firewall rules also default? What about other protection if the default is none? Are these forgotten servers that never get patched and yet still sit connected to the bank with a public facing server end point?  Many of these servers have disappeared over the years, so it’s nowhere near as bad as it was before.  I’ve spoken to CIBC at some length about those problems and many others over the years, and one day they might even fix these things…  Then there’s Desjardins... At first glance, you'd think they have BMO's technical team working with them - they appear very similar (technically conservative, and straightforward architecturally).  However, there's one thing Desjardins did that, when I noticed it, blew my mind and changed my perception of the bank entirely. I don't bank with Desjardins and have no history with them, so for now, just know that they make me scratch my head. 

I've not made it a secret that from my viewpoint, banks in Canada also leak like colanders.  If you look for it, there are many gigabytes of source code available to the public on the web, covering everything from mobile apps to entire bank web sites, as well as source for specific processes, microservices frameworks, prototype systems, security, as well as code for scam tools used against the banks and their customers…. and that’s before they have their staff out doing technical presentations and then posting on the web PowerPoints that explain how security is done, what tools they’re using, and so forth.  

Given all of this bank code is freely available, you have to ask why is it freely available?  For example, a programmer with a simple PHP question at ScotiaBank only needed to upload a line or two of code to illustrate a PHP programming problem they needed help with, and didn't need to upload their entire smurf report emailing process, but they did it anyway.  Banks like CIBC have consultants who upload prototype code to public places where everyone can see what they're researching, and then you have the multiple chunks of Scotiabank's Java backend floating around the web because their programmers had an awesome lapse of common sense to upload huge chunks, too… (and I use the word “awesome” in the original sense of “truly frightening”)

Contrary to the bank's reality that anyone with access to a search engine can see, my personal view is that banks should properly secure the backend server code that drives Canadian online banking and mobile banking from getting out in the first place.  We covered the mobile bit in Part 1 of this series, where I showed that it’s common in Canada to just put out a mobile app with no security, but the same applies to the server side. Banks need to secure this code properly.  Once a bank uploads its server code to a public place, it's a free-for-all and leads to problems.  

Once criminals know how a bank is structured they can target it in an equally structured way.  

In April of 2017 this was evident when someone clearly thought it was worth targeting the Scotiabank UAT staff using TrickBot.  Whilst I mentioned in the last installment about how Scotiabank's customers were targeted, I didn't mention that two further campaigns had been spotted that targeted staff on non-customer facing systems.  

And how do you think everyone knows where those systems are? The banks already let this stuff out.

So, let's tie this knowledge back to mobile.  

The servers that your mobile banking apps talk to are connected to the bank. Many other servers also connected to the bank leave doubt that they are set up properly, as kids can navigate their way around the Google cache of server areas that are supposed to be securely protected, getting to see what’s inside the bank without ever entering the bank systems themselves…  When you think about the possibility of a hacker jumping from one of these other servers to your mobile banking server, how comfortable do you feel?  

When the bank is testing a new version of its digital banking, and we know that TrickBot operators have been targeting the bank testing staff on the same website, we could hypothesise that these criminals are doing the same thing - testing their code on the new website against the bank UAT staff, so that they can then later go out and do a proper campaign on the public.  How do you feel now?

If a bank has leaked a server side username/password and you know the username is a 5 character combination of letters and numbers and they only used one letter and one number repeatedly, how would you feel about that Canadian bank’s security?  Now if I told you they used the same 5 character phrase for the password too, how comfortable are you feeling now?  

Obviously, the server side of Canadian bank security is a huge topic.  There could be many posts on this topic alone, but I’m trying to just educate people here on the high level items.  In a post like this, it’s important to not broadcast what certain issues are, because doing so would actually cause more problems.  I wanted to paint the reader a picture that reflects a reality that is closer to how I see it, than how bank marketing departments want you to see it.  When you think about the implications of the above items which are common in Canada, you can’t help but agree with the recent report (Link) that came out here.

So, to recap this series so far:
Part 1 (Mobile) - Don't be lazy with mobile app security, and check the code being pushed into production for unauthorized additions.
Part 2 (Staff) - Stop people doing dumb things like posting confidential documents in public by training them with proper rules and protocols.
Part 3 (Policy) - Stop treating mobile banking as a second rate privacy area.
Part 4 (Servers) - Secure the back end servers.  Don’t leave restricted server areas open to search engine crawling, stop posting server code, don’t hardcode your server credentials into URLs between systems, and basically use some common sense.
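As an added example (not code from this blog or from any bank), here is a small Python scanner for the recap's "credentials hardcoded into URLs" item: it flags any URL in configuration or source text that embeds a username and password, and additionally marks pairs where the password repeats the username or is built from a couple of repeated characters, like the five-character credential described above. The hosts and values in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Any URL whose authority part carries userinfo (user:password@host).
# Hypothetical pattern written for this example, not a bank's own tooling.
URL_WITH_USERINFO = re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s/@"']+@[^\s"']+""", re.I)

def password_is_low_entropy(secret, min_len=12, min_distinct=4):
    """True for short secrets or ones built from a couple of repeated characters,
    such as the five-character one-letter-one-digit credential described above."""
    return len(secret) < min_len or len(set(secret)) < min_distinct

def audit_text(text):
    """Scan config/source text line by line and report every URL that embeds
    credentials, with the extra weaknesses found in each pair."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in URL_WITH_USERINFO.finditer(line):
            parts = urlsplit(match.group(0))
            if parts.username is None:
                continue
            password = parts.password or ""
            issues = ["credentials_in_url"]
            if password == parts.username:
                issues.append("password_reused_as_username")
            if password_is_low_entropy(password):
                issues.append("low_entropy_password")
            findings.append({"line": line_no, "host": parts.hostname,
                             "username": parts.username, "issues": issues})
    return findings

# Constructed sample input; the hosts and values are invented for this example.
SAMPLE_CONFIG = """\
# integration settings (constructed sample)
ledger.url = https://svc:svc@ledger.internal.example/api/v1
cache.url  = https://cache.internal.example/flush
db.url     = postgres://a1a1a:a1a1a@db.internal.example:5432/accounts
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['username']}@{f['host']} -> {', '.join(f['issues'])}")
```

Run it over a checked-out repository or exported configuration as a pre-commit or CI step; anything it reports should move to a secrets store rather than a URL.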

Monday, July 10, 2017

Update on the ScotiaBank Interac problem - As expected, they double-dipped.

So, ScotiaBank finally found my mortgage money after the Interac debacle.  Even though I've gotten written confirmation that it was deposited in the destination account, the money showed up in the originating account again.

Now, you'll remember in the last sentence of my original post, that I was fully expecting the bank to be dishonest and try to screw me by double-dipping on bank charges. Predictably, Scotiabank followed through.

This is now my bank transaction trail.

(Click for full size)

As you can see, they charged a dollar to transfer the money, never completed the transfer, refunded the transaction without refunding the transfer fee and then charged yet another dollar to resend it.

I know it's only one dollar, but when you expect dishonesty from the bank and then they follow through with that dishonesty, it aggravates me immensely.

Having said that, it underlines my everyday experiences with ScotiaBank.  

Friday, July 7, 2017

Day Seven of The Scotiabank Interac Problem

Today is the seventh day since I sent my mortgage through Interac from Scotiabank to a different Scotiabank card account.  Scotiabank said on Monday that this would be resolved by today.

Guess what?  It's not resolved.

Thursday, July 6, 2017

Day Six of the Scotiabank Interac Problem

A quick update...  

It's now day six and the Interac problem is still not resolved at Scotiabank this morning when I checked my account.  I'm not going to call Scotiabank today as I don't think it's a fruitful use of my time and I anticipate getting a canned response anyway from some customer support person because they don't actually have the answers.

I posted a question on Twitter this morning to Interac (despite not having any faith that they'll actually answer it) where I asked Interac about the apparent lack of redundancy when this system failed.  Either the redundant system failed at the same time as the primary system, or it simply doesn't exist.  

Occam's razor tells us which of the two scenarios likely happened, which raises the question of what kind of operation is being run here anyway.  For all the infernal fees that banks charge customers for this service of sending two emails and writing a few records in a database, you'd expect someone to have invested even a tiny bit of that in keeping this system up with some form of redundancy.

I'll update if things change.

Wednesday, July 5, 2017

A quick update on the Interac issue at Scotiabank

You'll remember that last week we hit a problem with Interac in Canada.  This is just a quick update to follow up on that.

Despite getting the written confirmation on Friday that the money was deposited, I phoned Scotiabank on Monday morning as the money still wasn't showing up.  Naturally, the support lady in India put me on hold and then hung up.  I immediately called Scotiabank back and this time got someone that sounded Canadian, but with an attitude that sounded like he really wasn't interested in customers or helping them.  

So, I explained the money still wasn't there, and requested he put a note on my file as I know what's coming next (after the left hand of Scotiabank loses the money, the right hand of Scotiabank starts demanding to know why I've not paid my mortgage even though the money has been inside Scotiabank the entire time).  

I was told Monday morning that it may take 5 more days (making a total of 7 days) to find my mortgage payment.  

Five more days?  Whatever database index they have on their Interac transaction table clearly needs an urgent technical review if three days of e-transfer transactions builds such a volume that it takes seven days to find and fix my transaction.

Anyway, it's now Wednesday and so we're at five days total so far and the money is still not there. It looks like they may actually be correct that the system really is that unfathomably slow.

I'll post another update if this ever gets fixed.

The bank shot itself in the foot.

Last night, after cocktails up in Canoe bar, I was treated to dinner in an upscale Toronto restaurant nearby, in the company of executives from an extremely large and very well known Asian company, who flew in for one night.  When I say large, they have more current customers (by a long shot) than exists in the entire population of Canada, and have more customers than all the Canadian banks combined.  As you may have guessed, we discussed the bank issue, my customer service experience and mobile security.

It transpires that the details of my customer service woes and technical concerns that I've made public on this blog so far have become well known enough that foreign companies are now discussing it as a modern day textbook case of what happens when an organisation fails its customers. 

In addition to now being invited back to Asia, I was surprised to hear that, as an individual customer who the bank thought was of no real consequence and could be ignored for multiple years, I’m influencing decision-making processes in very large foreign corporations to rule out this bank in the race for handling corporate accounts when this Asian company expands through acquisitions into Canada like it did in the USA, based on how that bank handled the customer experience with me. The logic being that if the bank is unable to make me happy, how on earth would the bank handle an $85bn corporation? They’re eager to find out when (or if) the bank is able to resolve this, and how. 

I never expected when I started documenting my experience on here and on Twitter that I'd be cutting off many millions of dollars of potential revenue from one of my banks, and I doubt that the bank ever thought that by treating one customer this way, it would come to this either.  But there you go: this ongoing festering mess that has inconvenienced me for years has now reached the point where the bank's actions are reflecting back onto the bank itself, and foreign corporations are now backing the little guy.  

Never a dull moment, eh...

Friday, June 30, 2017

ScotiaBank and Interac In Action

This article has been updated to reflect further communication with the bank, as well as further examination by myself.

So today I had to deal with Scotiabank.  The idea was to Interac money from one account to another account.  Obviously, because this post exists, you can guess this simple process turned into a bit of a train wreck along the way.

If you're not experienced with Canada's "Interac" system, allow me to quickly get you up to speed on this boondoggle.  

In short, you have banks connected to the Internet, who can't send money between bank computers over the Internet. To resolve this silliness, another organisation was created called Acxsys and they have this service called Interac, where you send money between bank computers over the Internet and they then charge you a fee for this. With me so far?  Right... Somehow, instead of sending these money instructions immediately, like you'd send anything else over the internet, this takes about 30 minutes.  Compare this with the longest known time to get a signal to Mars (24 minutes), and you'll see that instructions can reach Mars about 6 minutes faster than they can reach you in the same city.

First, I sent the money from Scotiabank (yes, it's also going into Scotiabank on a different account, which is likely held inside the very same physical computer).  This email arrives about 30 minutes later.  

So far, so good.   


(Click for full-size)

I clicked to deposit it and log into Scotiabank, at which point the transaction goes into some kind of Schroedinger's transaction state by being both "temporarily unavailable" and just plain "unavailable".  

(Click for full-size)

I interpret that to mean the transaction is unavailable - and as it suggests, I wait for a bit before trying again.

This is where things start to get weird...  

The money is debited from the sending account and is sitting in a pool account at the Bank to be settled between banks tonight whilst the promise of the money is sent immediately to the depositing bank (the same bank it just left).  As a customer, I don't expect the bank software to lose money at any point or not be able to tell me where it is, but let's follow this process through to its logical conclusion.

I waited a little bit and tried again, just as the previous screenshot has suggested...  Now, I got this error, telling me that the transfer cannot be deposited.  

(Click for full-size)

So if the transaction was previously unavailable, and is now unavailable forever, you'd think that the transaction was unavailable, right?  It's pretty clear that the bank is trying to tell me "This transaction will never go through", right?


I've seen this type of breakdown before where Interac transactions go into a weird state of quantum superposition.  We can see this breakdown of logic here, because this transaction has clearly been communicated to the customer as both a) unavailable previously, and b) no longer available going forward.  So, if the bank is saying this is "UNAVAILABLE", you should never then get an email from Interac like this:

(Click for full-size)

This email is written confirmation that the "unavailable" transfer has apparently gone through.  If you're not confused yet, you soon will be.  I gave it 30 more minutes and then checked the receiving account to see if the money ever arrived.  

Of course, despite having written confirmation the money arrived, the money never actually arrived.  

So, what does this mean?  

This means either:
a) The ScotiaBank online banking system was lying when it said the transaction was not available.
- or -
b) The Interac system was lying when it said the money was accepted on the receiving end.

As a programmer, it doesn't take many brain cells to realise that the Interac email couldn't have been sent out without some trigger from the bank telling it the money was received.  In the same way you can't move an object without applying a force, you can't have Interac tell you that the money was received without ScotiaBank telling Interac the money was received... computers may be many things, but they're not psychic, so this has to have happened. 

To recap so far:  At this point, we know the customer has been led up the garden path and the bank has effectively lost track of my mortgage payment again.

So, I phoned Scotiabank and determined the following:

1) Apparently the system isn't working too well this morning and they are aware of this. 
2) It's going to take 48 hours to move the money from Scotiabank to Scotiabank to refund it.

Let's back this truck up a bit and look at things logically. 

1) Despite apparently knowing that things are broken, they're still allowing customers to initiate new transactions that will never succeed, instead of just being honest and transparent and saying "Hold off whilst we fix this mess".  That's wrong right there.

2) If Interac sent the email out that the amount had been accepted on the receiving end, this means ScotiaBank has told Interac that the amount was received - which is in contradiction to the online banking system that doesn't show the amount because it wasn't received.  This means that whilst the audit trail can be followed backwards to find out what really happened, they've effectively temporarily lost the transaction and my money in a gumbo of instructional baggage that's piling up somewhere because they haven't stopped accepting new transactions.

It's like there's some "common sense horizon" which when crossed, breaks down normal common sense and sensible logic. This should never have been allowed. It doesn't make sense to keep taking instructions if they're never going to work. Of course, now I'm waiting to get screwed when they don't refund the fee that I paid to send it.
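The three points argued across these Interac posts (refuse new transfers while the rail is known to be degraded, issue the "deposited" confirmation only once the receiving credit has committed, and return the fee along with the amount on a reversal so a resend never pays twice) as an added example written for this page; it is not Interac's or Scotiabank's code, and the account names and amounts are constructed.

```python
class TransferService:
    """Constructed model of an e-transfer rail (not Interac's or any bank's code); cents."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.balances.setdefault("pool", 0)   # in-flight funds awaiting settlement
        self.balances.setdefault("fees", 0)   # fees the operator has actually earned
        self.accepting = True                 # set False while the rail is degraded
        self.transfers = {}                   # ref -> {"state": pending|deposited|cancelled, ...}
        self.notifications = []               # emails, derived only from committed state

    def initiate(self, ref, sender, receiver, amount, fee):
        # Point 1: a degraded system must refuse new instructions, not queue them.
        if not self.accepting:
            raise RuntimeError("transfers paused while the service is degraded")
        if self.balances[sender] < amount + fee:
            raise ValueError("insufficient funds")
        self.balances[sender] -= amount + fee
        self.balances["pool"] += amount + fee
        self.transfers[ref] = dict(sender=sender, receiver=receiver, amount=amount, fee=fee, state="pending")

    def _pending(self, ref):
        t = self.transfers[ref]
        if t["state"] != "pending":
            raise ValueError(f"{ref} is already {t['state']}")   # no contradictory statuses
        return t

    def deposit(self, ref):
        # Point 2: the "deposited" email exists only because the receiving credit committed.
        t = self._pending(ref)
        self.balances["pool"] -= t["amount"] + t["fee"]
        self.balances[t["receiver"]] += t["amount"]
        self.balances["fees"] += t["fee"]
        t["state"] = "deposited"
        self.notifications.append(f"{ref}: deposited to {t['receiver']}")

    def cancel(self, ref):
        # Point 3: a reversal returns the fee with the amount, so a retry never pays twice.
        t = self._pending(ref)
        self.balances["pool"] -= t["amount"] + t["fee"]
        self.balances[t["sender"]] += t["amount"] + t["fee"]
        t["state"] = "cancelled"
        self.notifications.append(f"{ref}: cancelled, amount and fee returned")

    def status(self, ref):
        return self.transfers[ref]["state"]     # one answer per transfer, never two

    def total_money(self):
        return sum(self.balances.values())      # conserved across every step
```

Because every status and every notification is read off the same committed state, the model can never report a transfer as both "unavailable" and "deposited", and total_money() stays constant no matter which path a transfer takes.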

I will do a second post when I get a resolution to this stupidity.