Wednesday, June 14, 2017

A few thoughts on what happened this past week...

As you are no doubt aware, last week’s “part 2” article on how to fix mobile banking in Canada hit a nerve, and there’s been plenty of press about it since. It started in the UK, then went through India, the USA and as far south as Brazil.

There have been a few questions as a result of all this, which I’ve been asked repeatedly, and I’d like to address those here.

Q1. Can I please provide the contents of the GitHub repo?  
A1. No. Consider it cleaned up and gone.

Q2. Am I willing to name the specific Financial Institutions involved in the leak?    
A2. Not at this time.  If a suitable gov authority in one of the affected countries asks me, then obviously I’ll be more than happy to cooperate with them.

Q3. What did I learn that I didn’t already know?  
A3. Other than who else TCS has as customers?  As mentioned in “part 2” I already knew what my own bank was doing, so nothing new there.  However, I did learn what other banks are up to.

Q4. Were there really 6 Canadian banks in this leak?  
A4. No. My original blog post says 2 of the big 6 Canadian banks. Throughout the later follow-up news articles, things got morphed by other reporters until it was being reported that this was all six big banks. That’s their reporting, not mine.


The Longer answer...

This was a leak containing confidential documents from a number of large financial institutions. Those documents were not ever intended for public consumption when they were written, leaked, reported, or when it was cleaned up. The American FI that engaged with me and documented/confirmed the problem, then coordinated the cleanup, knows what was there, and both TCS and myself know what was there - that is more than enough eyeballs looking at it.

I did discuss the possibility of blogging about the cleanup operation with the American FI that helped clean up this mess, and it was agreed not to name them. When I work with someone, if they want it kept under wraps, then I’m fine with that.

As for what I’ve learned, this is a bit more nuanced. Yet again, I’ve found myself in a bit of a “lightning rod” situation, as people are offering up information left, right and centre, and I’m learning a lot through this new information channel. After “Part 1” it was the banks’ customers passing information to me about their experiences with the bank customer service teams and security concerns, and now after this installment, a number of consultants who have previously worked in the banks, including my own banks, are doing the same.

What I’ve really learned here, though, if I distill it down is as follows:  
When I said I wanted to kick-start a discussion about the problem in Canada, there were far more people than I originally would have estimated, who have a similar opinion.  I've learned that I’m really not alone on this train of thought.