Tuesday, May 23, 2017

The reaction to my mobile banking post on Saturday...

On Saturday, I posted an article that had been brewing in my head for a long time.  The response to it has been unbelievably positive, and the feedback and ongoing dialog about this type of mobile banking problem is great.  

The general response has been this:
  1. What I said is basic common sense to other programmers and security people, and many people were disbelieving at what I was saying, until they went and checked it for themselves - and then disbelief turned to shock.
  2. Some people claim that what I posted is a good start, but it's not enough.

First off, I know this is not enough.  This was just a start.

Just in case it's not obvious, I don't work for the banks.  I have a full-time CTO commitment to something totally unrelated to banking. I'm just a customer of the banks who's trying to protect the general public from the awful reality that is Canadian mobile banking.  Also, I don't make a habit of giving the banks free security consulting, so I don't tell all. If something's serious enough, it goes to the CCIRC.

Though what I pointed out on Saturday was a way to highlight and address a massive problem, it's not the only problem, and it's still up to each individual bank to take what I said and implement it properly - not just copy/paste from this blog.  Also, I wasn't setting out to show banks how to do certificate pinning, or how to check that the app hasn't been altered from the version delivered to the app store.  That's down to the banks to do.  Maybe if they don't do that, we can cover it in a later post down the road, but arguably the next major issue to address is the shoddy server security.

Another great thing that happened as a result of Saturday's post was that the usual readers (the big six banks in Canada and various individual readers across the world) were suddenly joined by other big banks across the USA and Europe, various cybersecurity people from other banks and telcos, Canadian law enforcement, and a tonne of government viewers in Ottawa.

This is great news.  I welcome these new readers, and I hope you all stick around.

Finally, a quick update on last week's bank breach of source code:
A full responsible disclosure report was submitted to the CCIRC over the long weekend.  After the CCIRC has looked it over and digested it (it's significantly smaller than my usual tomes to them, as this one weighs in at a paltry six pages), it's likely going to be disseminated down to the affected big bank later this week. The virtual banks this big bank runs have been made aware of the problem, too. So, in short, everyone that needs to know will know.

What's next?

I'm going to wait and see what other dialog arises from Saturday's article.  There are a lot of good points being made on social media, and I'd like to hear all of that before doing anything else.  Also, I now have to wait for the CCIRC to do their thing, and measure how long it takes for the bank to plug the holes.