Thursday, July 27, 2017

See you on the flip side...

TL;DR - I'm pausing this blog and now I'm found over here:

As regular readers of this blog will know, this blog has been around for a lot of years.  A lot of work has been put into it, and I'm happy with what it has achieved over time.  It has grown from a tiny seed where it would get 10 to 15 views a month, to where it is in summer 2017, with about 10,000 views a month. It has covered everything from humour to technology, to banks and parenthood.  However, some issues crept in along the way, and I had to take a long hard look at why I continue to do this, and what I'm now trying to achieve.

Originally, this was supposed to be one man's personal blog about the random things that interest him. Somehow, it predominantly became a blog about Canadian banks, and yet there is so much more that still interests me personally - but having documented all the crazy banking stuff here, there's not much time left for anything else.  

Additionally, this blog feels dry and "ranty" whilst anyone that knows me personally knows I'm actually a relatively fun person, but this never comes across in this blog.  

Times have changed, and so have I.  I started this blog as a younger carefree guy, and now I'm a dad with kids and such... I started this blog when blogs were a thing, and now YouTube is the de facto place where people vlog instead of blogging here.  

I have other goals and aspirations, and one of those goals is to spend more time doing video and less time doing typing.  I simply enjoy it more.  Additionally, there is the added benefit that with videos, I can more accurately portray who I am as a person - and make this fun again.  This is supposed to be fun for you as well as me - and as things stand with this being a predominantly bank-related blog, it's simply not fun any more.  

If you're arriving from one of the banks, or any government agency, the YouTube channel will have videos grouped into Playlists, so you can find just the banking videos that you're probably looking for. 

So, I'm now over here - feel free to pop over and subscribe:

I will keep this blog up, as I may come back to it in the future when I find a good reason to add stuff here, but for now, the regular future posts are over on the youtube channel where I can put more context into things and make this fun again.

Wednesday, July 26, 2017

Banking Silliness

Just when you think the ScotiaBank/Interac debacle is over...  Day 26 and things go wrong... again.

Still experimenting with the idea of migrating the blog to the vlog. 

Whataboutism, Skewed Logic and Invisible Dinosaurs.

I'm experimenting with the idea of moving this blog to the VLOG.  

A) it's quicker for me to knock out 5 minutes of video, than type for 15 minutes.  
B) It gives me a chance to get across things like tone (so it's not so dry), as well as emotion and other things that are sometimes missing in the written blog.
C) Also, it gives me a chance to practice my FCPX skills.

Here's yesterday's entry on Whataboutism, and what you need to apply a rational mind to the amount of BS that we're bombarded with these days.... oh, and invisible dinosaurs.

Sunday, July 23, 2017

A lazy Saturday

Had a lazy Saturday.  Wife and twins went to Wonderland, so I got a day at home by myself (that's not happened in a long while).

Thursday, July 20, 2017

This made me chuckle...

Just ran across this...  It made me chuckle.

The Scotiabank & Interac Debacle - Day 20 - A Result

So, the President's office at Scotiabank just called me (10:15am).

They've apologised and will refund the dollar.  They're also offering an extra monetary goodwill gesture for my troubles.

The thing I'm most happy about was finally speaking to a person who actually listened and didn't deflect my frustration at the bank.

Whereas when things get tough with CIBC they can assemble a room of senior people to hear me out, Scotiabank said this was not possible with them.  They are therefore going to read through some documentation I'm going to send them to see if there's anything else that can be resolved.

I've had years of pain with Scotiabank, and this quote always comes to mind.

The Scotiabank & Interac Debacle - Day 20

It's been nearly 24 hours since I sent in my formal complaint to Scotiabank and CC'ed the OBSI and Interac.  Neither Scotiabank nor Interac had the courtesy to acknowledge receipt of the email in the 22 hours since, but I know someone at least is looking into what I've publicly said previously.

The reason I know it's being looked into is someone's case management system went through 22 pages of the blog yesterday.


Wednesday, July 19, 2017

You couldn't make it up...

Something just happened that makes me want to bang my head on my desk.

Twitter followers will remember that I told ScotiaBank and Interac on the 14th July, that if things were not fixed by Monday, I'd be escalating.


...naturally, nobody did anything with this. As of this morning, it was still unresolved.  It's now the 19th July and around 4 hours since I pulled the trigger to get this escalated by submitting a formal complaint.

So guess what happened?  Scotiabank's twitter team now responds... 


Of course, I've no idea now if this is a result of someone higher up at the bank yelling at them to stop ignoring customers, or what...  Either way, it's a bit late now.

Seriously, you couldn't make this up. 

A TED Talk video just appeared

Most people know what I do (See here if you don't). I like doing work that makes the world a better place.

The TED talk people just released this 2014 talk on YouTube from their archives...   

It's a little bit dated as that scanner hardware was retired a few years ago, and the current generation scanner is a lot smaller and faster than the one shown... Also, the software is a lot different as I wrote new apps in 2015 and added more in 2016.

Anyway, it's an interesting video that explains how this all got started. 

The ScotiaBank & Interac Debacle - Day 19

Just a quick update...

It's day 19, and a formal complaint has been submitted to Scotiabank.  I know we're only talking a single dollar here, but it's the principle of the matter.

Tuesday, July 18, 2017

The Scotiabank & Interac Debacle - Day 18

So we've reached day 18 without resolution on the Scotiabank and Interac silliness.  

Here's something to consider: 
Scotiabank read this blog 18 times last week.
Screen Shot of Analytics Log

Both Interac and Scotiabank were pinged on Twitter about the matter last week, and obviously Scotiabank is also aware of the issue through the blog given the number of times they're hitting the pages of this blog.

As of posting this, they've looked at this blog 4 times today already, too, so it's now looking bad that this hasn't been resolved.

Monday, July 17, 2017

The Interac Debacle Day 17 - An Interac Anecdote

I needed to test some lighting to see if it was viable for some chroma-key (aka "Green screen") work I want to do for another project, so recorded this little story that I wanted to share and save some typing at the same time... 

...and yes, I spotted the lighting problem, too.  That needs fixing before I try this again. 

The Interac Debacle - Day 17

Just a quick update...

As you know, both Interac and Scotiabank are aware of the issue....

...but nothing has been communicated back to me in the way of a resolution.

As I'd not heard anything, I just went online to see if Scotiabank had quietly sneaked anything back into the account without writing to me.

I was just greeted with this.



Thursday, July 13, 2017

The Interac Debacle Continues - Day 13.

A quick recap:
1) We had a problem in Canada with Interac (Link) where I predicted that ScotiaBank would likely be dishonest and double-dip on fees.
2) When the money finally showed up, sure enough they double-dipped (Link) on fees.

Where we are at now (Day 13):
I just got off the phone with Scotiabank and the lady I spoke to is claiming that although Scotiabank charged me the Interac fee twice, I need to ask Interac and not Scotiabank to refund the $1 that was charged for the transaction that never completed.

I know we're only talking about $1, but it's the damn principle of the matter at this point.  

Tuesday, July 11, 2017

How do you fix mobile banking in Canada - Part 4

Some years ago now, I found myself looking at a SQL backup file. It was for a Caribbean arm of CIBC bank, and contained competition entries from one of their Caribbean websites. It displayed names, email addresses and phone numbers, but not banking info.  Someone thought it was perfectly fine to back up those competition entries and then just upload the entire backup to the web server....  Back in those days, I was a bit wet behind the ears with bank security and so I reported the problem directly to the bank, thinking that it would be expeditiously rectified.  From what I remember, it stayed up for what seemed like an eternity.  I guess that the problem rattled around inside the bank for a bit, until it was finally removed later, when the entire Caribbean site platform was pulled down and re-done as part of a global re-working of all their websites.

Later, about six years ago, I sold one house and bought a new house. I logged into CIBC and changed my address and entered my new postcode.  Some time later, having not received any statements and such in the mail, I checked my details and saw that someone at the bank had entered that I'd moved somewhere else.  Again, I changed my address back to the correct one, and reentered the correct postcode.  Then I checked the site every day to see if it changed.  Sure enough, it soon changed back to the wrong address and wrong postcode.  Perplexed as I know where I lived whilst the bank seemed to think I was living somewhere that I wasn't, this time I took screen shots and recorded the times that I made my changes, documented what I was entering, and then when it changed the next day, I raised the alarm at the bank that someone was deliberately tampering with my personal details behind my back.  This was one of two straws that broke the camel's back of trust with me and that bank for many years (the other being some transaction stupidity similar to what I'm going through with ScotiaBank right now), and so an internal investigation was opened up at CIBC. Whilst I never did find out anything more than someone had repeatedly edited my details for no reason, and the bank had confirmed that, it reinforced a viewpoint that I've held for some time; that sometimes people do some really ridiculous things when they've got access to server side data that they really don't need access to. 

These two issues are partly how my interest in server side security at the banks got started.  Wherever I looked, I saw something that was wrong. Other people, especially criminals, might be interested in working out how to get to the underlying data and services these servers provide, but the big question I was personally interested in answering (because I'm into technology) was not finding out what the data was, but looking at how the servers themselves could be grouped by administrative problems, errors or cutting corners.  If you can spot a pattern, you can "read" how a bank prioritises issues. If a bank fixes something that affects its brand quicker than something that affects customers, you can draw conclusions from that about bigger issues.

Each bank in Canada has its strengths and weaknesses as you'd expect.  You can tell a lot about how a bank operates from its servers and how things are deployed publicly.  Some banks like TD or RBC will secure the servers well, but then allow phishing on their websites, or undermine efforts in some other fashion.  Banks like Scotiabank have a litany of issues, far too many to mention in detail, and in many cases stuff has just been left unsecured for years. Kids can just use simple "Google Dork" queries to access stuff that's broken or incorrectly secured, as Google indexed it years ago (for example,, or, and so on) and that's before we get to the bigger problems they have with server code sprayed all over the internet, unauthorized code making it to production, etc.  Some banks like CIBC will do things like leave servers sitting on the default Microsoft IIS welcome pages, which always makes me wonder a lot about what's going on, because if the IIS page is the default, are the firewall rules also default? What about other protection if the default is none? Are these forgotten servers that never get patched and yet still sit connected to the bank with a public facing server end point?  Many of these servers have disappeared over the years, so it's nowhere near as bad as it was before.  I've spoken to CIBC at some length about those problems and many others over the years, and one day they might even fix these things...  Then there's Desjardins... At first glance, you'd think they have BMO's technical team working with them - they appear very similar (technically conservative, and straightforward architecturally).  However, there's one thing Desjardins did that when I noticed it, it blew my mind and changed my perception of the bank entirely. I don't bank with Desjardins and have no history with them, so for now, just know that they make me scratch my head. 

I've not made it a secret that from my viewpoint, banks in Canada also leak like colanders.  If you look for it, there are many gigabytes of source code available to the public on the web, covering everything from mobile apps to entire bank web sites, as well as source for specific processes, microservices frameworks, prototype systems, security, as well as code for scam tools used against the banks and their customers... and that's before they have their staff out doing technical presentations and then posting on the web PowerPoints that explain how security is done, what tools they're using, and so forth.  

Given all of this bank code is freely available, you have to ask why is it freely available?  For example, a programmer with a simple PHP question at ScotiaBank only needed to upload a line or two of code to illustrate a PHP programming problem they needed help with, and didn't need to upload their entire smurf report emailing process, but they did it anyway.  Banks like CIBC have consultants who upload prototype code to public places where everyone can see what they're researching, and then you have the multiple chunks of Scotiabank's Java backend floating around the web because their programmers had an awesome lapse of common sense to upload huge chunks, too... (and I use the word "awesome" in the original sense of "truly frightening")

Contrary to the bank's reality that anyone with access to a search engine can see, my personal view is that banks should properly secure the backend server code that drives Canadian online banking and mobile banking from getting out in the first place.  We covered the mobile bit in Part 1 of this series, where I showed that it’s common in Canada to just put out a mobile app with no security, but the same applies to the server side. Banks need to secure this code properly.  Once a bank uploads its server code to a public place, it's a free-for-all and leads to problems.  

Once criminals know how a bank is structured they can target it in an equally structured way.  

In April of 2017 this was evident when someone clearly thought it was worth targeting the Scotiabank UAT staff using TrickBot.  Whilst I mentioned in the last installment about how Scotiabank's customers were targeted, I didn't mention that two further campaigns had been spotted that targeted staff on non-customer facing systems.  

And how do you think everyone knows where those systems are? The banks already let this stuff out.

So, let's tie this knowledge back to mobile.  

The servers that your mobile banking apps talk to are connected to the bank. Many other servers also connected to the bank leave doubt that they are setup properly, as kids can navigate their way around the Google cache of server areas that are supposed to be securely protected, getting to see what’s inside the bank without ever entering the bank systems themselves…  When you think about the possibility of a hacker jumping from one of these other servers to your mobile banking server, how comfortable do you feel?  

When the bank is testing a new version of its digital banking, and we know that TrickBot operators have been targeting the bank testing staff on the same website, we could hypothesise that these criminals are doing the same thing - testing their code on the new website against the bank UAT staff, so that they can then later go out and do a proper campaign on the public.  How do you feel now?

If a bank has leaked a server side username/password and you know the username is a 5 character combination of letters and numbers and they only used one letter and one number repeatedly, how would you feel about that Canadian bank’s security?  Now if I told you they used the same 5 character phrase for the password too, how comfortable are you feeling now?  

Obviously, the server side of Canadian bank security is a huge topic.  There could be many posts on this topic alone, but I’m trying to just educate people here on the high level items.  In a post like this, it’s important to not broadcast what certain issues are, because doing so would actually cause more problems.  I wanted to paint the reader a picture that reflects a reality that is closer to how I see it, than how bank marketing departments want you to see it.  When you think about the implications of the above items which are common in Canada, you can’t help but agree with the recent report (Link) that came out here.

So, to recap this series so far:
Part 1 (Mobile) - Don't be lazy with mobile app security, and check the code being pushed into production for unauthorized additions.
Part 2 (Staff) - Stop people doing dumb things like posting confidential documents in public by training them with proper rules and protocols.
Part 3 (Policy) - Stop treating mobile banking as a second rate privacy area.
Part 4 (Servers) - Secure the back end servers.  Don’t leave restricted server areas open to search engine crawling, stop posting server code, don’t hardcode your server credentials into URLs between systems, and basically use some common sense.
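As an added illustration of the last recap point (this is my example, not code from the post or from any bank), here is a small Python scanner that flags URLs carrying embedded credentials in inter-system configuration text and reports the weaknesses the post describes: a password identical to the username, and a short credential built from one letter and one digit repeated. The sample config lines, the hostnames and the 12-character length threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of inter-system configuration (not from any real bank);
# hosts are placeholders. Line 2 shows the pattern the post describes:
# a short username of one letter and one digit repeated, reused as the password.
SAMPLE_CONFIG = """\
batch.endpoint=https://svc1.internal.example/api/export
report.endpoint=https://a1a1a:a1a1a@reports.internal.example/upload
legacy.feed=ftp://feeduser:Qv9!rL2-xPw8@legacy.internal.example/drop
public.docs=https://docs.example.com/help
"""

# Matches scheme://... up to whitespace or a quote; good enough for config files.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)
MIN_PASSWORD_LEN = 12  # assumed local policy threshold


def credential_issues(user, pwd):
    """Return weaknesses of an embedded credential, beyond the embedding itself."""
    issues = []
    if pwd == user:
        issues.append("password identical to username")
    if len(pwd) < MIN_PASSWORD_LEN:
        issues.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if len(set(pwd.lower())) <= 2:
        issues.append("password built from only %d distinct characters" % len(set(pwd.lower())))
    if len(set(user.lower())) <= 2:
        issues.append("username built from only %d distinct characters" % len(set(user.lower())))
    return issues


def redact_url(url):
    """Mask the password in scheme://user:pass@host so findings can be logged safely."""
    return re.sub(r"(://[^/@\s:]+:)[^@\s]+@", r"\1***@", url)


def scan_config(text):
    """Find URLs carrying userinfo; report each with its issues and a redacted copy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            parts = urlsplit(url)
            if parts.username is None:
                continue  # plain URL, nothing embedded
            user = parts.username
            pwd = parts.password or ""
            findings.append({
                "line": lineno,
                "host": parts.hostname,
                "user": user,
                "issues": ["credentials embedded in URL"] + credential_issues(user, pwd),
                "redacted": redact_url(url),
            })
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print("line %d host=%s user=%s" % (f["line"], f["host"], f["user"]))
        for issue in f["issues"]:
            print("  - " + issue)
        print("  " + f["redacted"])
```

Run it over real config or source trees as a pre-commit or CI check; the redacted form is what should reach logs and tickets, never the raw line.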

Monday, July 10, 2017

Update on the ScotiaBank Interac problem - As expected, they double-dipped.

So, ScotiaBank finally found my mortgage money after the Interac debacle.  Even though I've gotten written confirmation that it was deposited in the destination account, the money showed up in the originating account again.

Now, you'll remember in the last sentence of my original post, that I was fully expecting the bank to be dishonest and try to screw me by double-dipping on bank charges. Predictably, Scotiabank followed through.

This is now my bank transaction trail.


As you can see, they charged a dollar to transfer the money, never completed the transfer, refunded the transaction without refunding the transfer fee and then charged yet another dollar to resend it.

I know it's only one dollar, but when you expect dishonesty from the bank and then they follow through with that dishonesty, it aggravates me immensely.

Having said that, it underlines my everyday experiences with ScotiaBank.  

Friday, July 7, 2017

Day Seven of The Scotiabank Interac Problem

Today is the seventh day since I sent my mortgage through Interac from Scotiabank to a different Scotiabank card account.  Scotiabank said on Monday that this would be resolved by today.

Guess what?  It's not resolved.

Thursday, July 6, 2017

Day Six of the Scotiabank Interac Problem

A quick update...  

It's now day six and the interac problem is still not resolved at Scotiabank this morning when I checked my account.  I'm not going to call Scotiabank today as I don't think it's a fruitful use of my time and I anticipate getting a canned response anyway from some customer support person because they don't actually have the answers.

I posted a question on Twitter this morning to Interac (despite not having any faith that they'll actually answer it) where I asked Interac about the lack of apparent redundancy when this system failed.  Either it failed at the same time as the primary system, or it simply doesn't exist.  

Occam's razor tells us which of the two scenarios likely happened, which begs the question about what kind of operation is being run here anyway?  For all the infernal fees that banks charge customers for this service of sending two emails and writing a few records in a database, you'd expect someone to have invested even a tiny bit of that in keeping this system up with some form of redundancy.

I'll update if things change.

Wednesday, July 5, 2017

A quick update on the Interac issue at Scotiabank

You'll remember that last week we hit a problem with Interac in Canada.  This is just a quick update to follow up on that.

Despite getting the written confirmation on Friday that the money was deposited, I phoned Scotiabank on Monday morning as the money still wasn't showing up.  Naturally, the support lady in India put me on hold and then hung up.  I immediately called Scotiabank back and this time got someone that sounded Canadian, but with an attitude that sounded like he really wasn't interested in customers or helping them.  

So, I explained the money still wasn't there, and requested he put a note on my file as I know what's coming next (after the left hand of Scotiabank loses the money, the right hand of Scotiabank starts demanding to know why I've not paid my mortgage even though the money has been inside Scotiabank the entire time).  

I was told Monday morning that it may take 5 more days (making a total of 7 days) to find my mortgage payment.  

Five more days?  Whatever database index they have on their Interac transaction table clearly needs an urgent technical review if three days of e-transfer transactions builds such a volume that it takes seven days to find and fix my transaction.

Anyway, it's now Wednesday and so we're at five days total so far and the money is still not there. It looks like they may actually be correct that the system is actually that unfathomably slow.

I'll post another update if this ever gets fixed.

The bank shot itself in the foot.

Last night, after cocktails up in Canoe bar, I was treated to dinner in an upscale Toronto restaurant nearby, in the company of executives from an extremely large and very well known Asian company, who flew in for one night.  When I say large, they have more current customers (by a long shot) than exists in the entire population of Canada, and have more customers than all the Canadian banks combined.  As you may have guessed, we discussed the bank issue, my customer service experience and mobile security.

It transpires that the details of my customer service woes and technical concerns that I've made public on this blog so far, have become well known enough, that foreign companies are now discussing it as a modern day textbook case of what happens when an organisation fails its customers. 

In addition to now being invited back to Asia, I was surprised to hear that as an individual customer who the bank thought was of no real consequence and could be ignored for multiple years, I'm influencing decision making processes in very large foreign corporations to rule out this bank in the race for handling corporate accounts when this Asian company expands through acquisitions into Canada like it did the USA, based on how that bank handled the customer experience with me. The logic being that if the bank is unable to make me happy, how on earth would the bank handle an $85bn corporation, and they're eager to find out when (or if) the bank is able to resolve this, and how. 

I never expected when I started documenting my experience on here and on Twitter, that I'd be cutting off many millions of dollars of potential revenue from one of my banks, and I doubt that the bank ever thought that by treating one customer this way, it would come to this either.  But, there you go; this ongoing festering mess that has inconvenienced me for years has now reached the point where the bank's actions are reflecting back onto the bank itself, and foreign corporations are now backing the little guy.  

Never a dull moment, eh...