Wednesday, May 17, 2017

Another Bank Source Code Breach In Canada

Last year, Scotiabank haemorrhaged source code multiple times. Their Android code was available due to poor security practices, their own staff posted server code online and it spread to multiple sites, and their static web content was being leaked, apparently by interns who worked at certain third-party agencies the bank uses. That latter code went on to fuel updates to "Scotty" (the Scotiabank scammers' kit). Whilst all that bolstered what I've been saying for some considerable time about how bad things are with Scotiabank, all this activity meant that I'd taken my eye off the ball at other banks.

All banks in Canada have leaks. That's just a fact of digital banking. So my interest is simply a question of quantifying how leaky each bank is and where those leaks originate. Scotiabank's leaks are normally through its staff, for instance; CIBC's are through its infrastructure; RBC's are through its customers and partly through infrastructure; and so on...

So it was that yesterday some source code for one of Canada's big six banks landed on my desktop... Nearly 40MB of it. Then another 5MB, then another 7MB, and then more dribs and drabs.

The first step in handling a source code breach like this is identifying where it came from (bank, department, and system), because obviously the authorities are going to need to know about this as soon as possible.

Bank source code doesn't always have its name plastered all over it, so often you rely on which URLs it talks to. Once you know which bank, you can date the code by which frameworks it uses, as banks often flip-flop between competing architectures and systems every few years.
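The attribution-and-dating triage described above, as an added example written for this page rather than the author's own tooling: it pulls every URL out of a received code drop and groups the hostnames by registrable domain (the dominant domain points at the owner, the rest feed the "who else to notify" list), then records framework imports and copyright years as dating signals. The sample files, the hostnames (`example-bank.test`, `partner-brand.test`) and the framework-marker table are all constructed.

```python
"""Triage a received source-code drop: which hosts it talks to (attribution),
which frameworks it imports and which copyright years it carries (dating)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample files standing in for a leaked drop (not real bank code).
LEAKED_FILES = {
    "mobile/src/com/example/ApiClient.java": """
        // Copyright 2011 Example Bank (constructed header)
        package com.example;
        import org.apache.struts.action.Action;
        import org.apache.http.client.HttpClient;
        public class ApiClient {
            static final String BASE = "https://mobile.example-bank.test/api/v2/";
            static final String AUTH = "https://login.example-bank.test/oauth/token";
        }
    """,
    "mobile/res/layout/main.xml": """
        <LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" />
    """,
    "web/js/app.js": """
        // Copyright 2014 Example Bank (constructed header)
        fetch("https://www.example-bank.test/accounts").then(r => r.json());
        const brand = "https://online.partner-brand.test/login";
    """,
    "server/src/com/example/svc/Config.java": """
        package com.example.svc;
        import org.springframework.context.annotation.Bean;
        public class Config { String url = "https://api.example-bank.test/v1/"; }
    """,
}

URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
IMPORT_RE = re.compile(r'^\s*import\s+([\w.]+)', re.MULTILINE)
COPYRIGHT_RE = re.compile(r'Copyright[^\d\n]*(\d{4})', re.IGNORECASE)

# Import-prefix -> framework label. Constructed mapping; extend it for the stacks you meet.
FRAMEWORK_MARKERS = {
    "org.apache.struts": "Struts",
    "org.springframework": "Spring",
    "javax.faces": "JSF",
    "org.apache.http": "Apache HttpClient",
}


def registrable_domain(host):
    """Naive grouping key: the last two labels. A public-suffix list is more accurate."""
    return ".".join(host.lower().split(".")[-2:])


def extract_hosts(files):
    """Count every hostname referenced by a URL anywhere in the drop."""
    hosts = Counter()
    for text in files.values():
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                hosts[host] += 1
    return hosts


def group_by_domain(hosts):
    """registrable domain -> {hostname: occurrences}."""
    grouped = defaultdict(dict)
    for host, n in hosts.items():
        grouped[registrable_domain(host)][host] = n
    return dict(grouped)


def detect_frameworks(files):
    """framework label -> sorted list of files importing it (dating signal)."""
    found = defaultdict(set)
    for path, text in files.items():
        for imp in IMPORT_RE.findall(text):
            for prefix, label in FRAMEWORK_MARKERS.items():
                if imp.startswith(prefix):
                    found[label].add(path)
    return {label: sorted(paths) for label, paths in found.items()}


def copyright_years(files):
    """Distinct years found in copyright headers, oldest first."""
    years = set()
    for text in files.values():
        years.update(int(y) for y in COPYRIGHT_RE.findall(text))
    return sorted(years)


def triage(files):
    hosts = extract_hosts(files)
    domains = group_by_domain(hosts)
    # The domain with the most distinct hosts is the likely owner; the remaining
    # domains are candidates for the list of other parties to notify.
    primary = max(domains, key=lambda d: (len(domains[d]), sum(domains[d].values())))
    return {
        "primary_domain": primary,
        "other_domains": sorted(d for d in domains if d != primary),
        "frameworks": detect_frameworks(files),
        "copyright_years": copyright_years(files),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(LEAKED_FILES), indent=2))
```

On the constructed sample the primary domain comes out as `example-bank.test`, with `partner-brand.test` flagged as a second party to notify and `schemas.android.com` appearing as noise from an XML namespace; an analyst still reviews the grouped list by hand, since a framework namespace and a white-label partner look identical to the regex. The Struts-versus-Spring split and the 2011/2014 headers are the kind of signal the post uses to date a drop.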

The last step I usually perform is looking for the insults... Insults might sound like a weird thing to identify, but they help refine things even more. For instance, I have two banks in Canada that I use, and one is prone to insulting its vendors whilst the other has, over the years, been prone to insulting its customers. This usually adds to my distrust of banks - it's hard to swallow when a bank tells you that as a customer you're important when you're fully aware that you're simultaneously being insulted. But I digress... Other banks in Canada usually appear to insult the internal programmers who came before the programmer writing the current insult, or they insult other departments within the same bank (the iOS team insults Android, Android insults iOS, etc.). You can tell a lot about the culture of a bank, its QA processes, and other attributes by who they insult and what is allowed to slip through, and the insults further refine the dates to show how old the code is.

Additionally, the longer an insult remains in the code, the longer it serves as an external canary (when the insult dies, you know someone finally went through that code) for the outside world.

So, back to this leak - once I had identified the bank and system, it was time to check another important thing: whether any of the virtual banks this bank supports were equally in trouble. The answer was yes - the failures are replicated across virtual brands within the same physical bank. This means that when I go to the authorities with this, they'll also get a list of which other companies outside that bank need to be notified as well.

So, this week all the information will get packaged up and I'll start compiling a report to get this taken care of and cleaned up.

The biggest question left now is simply whom to tell first. There's the big bank at the root of the problem, the brands of the virtual banks affected by the problem at the big bank, plus the CCIRC (a department of the RCMP) on the government side, and I usually copy the CAFC so they can get a feel for what's going on, given they deal with the members of the public who get compromised when bank security goes wrong. I'll have that worked out in the coming week, and then this latest leak will hopefully get closed up.