Sunday, September 30, 2018

Something is horribly wrong at PrestoCard

Update - Oct 1, 2018:  So, after several tweets, two emails, and a YouTube video, they patched the hole.

Original post is below this line.
----------------


Well, this isn't good.





I will post more to YouTube if new info comes to light. 

Wednesday, September 19, 2018

The increasing frequency of Scotiabank breaches and leaks is worrying

I've maintained for a few years now, that Scotiabank doesn't know what it's doing, and people get put at risk unnecessarily. I have a lot of evidence to back up this opinion.

As many people know, the scale of leaks and issues had previously gotten so bad, I literally got an automated system monitoring huge swathes of banking infrastructure, and keeping tabs on what's vulnerable and what isn't fixed, and on top of that, I tabulate the entire Schedule 1 banks in Canada, just so I can keep an idea of where in the pecking order everyone sits.  

I've not posted much about this for a while, because normally there's simply nothing to say other than "There's no change - it's still all broken and everything is still leaking".  However, I'm posting this article as something of note is apparent to me; The rate of leaks coming out of Scotiabank appears to be increasing rapidly, and the severity of each leak is going up considerably.  

Some context: Scotiabank usually leaks about once a month or thereabouts.  You normally see about 10-15 leaks from them annually.  

Six days ago, Scotiabank publicly published website code, along with database server credentials and the AES decryption key. 

Here's an example of that:


This is not a rare event - I've previously seen the keys for their entire SOA posted publicly and had to get the RCMP moving to take it down very quickly, but what was interesting was I noticed today that they just did the same with a Watson Assistant project.

   

This is a worrying trend.  I'm going to step up my observations of Scotiabank, because traditionally, when you see a crack like this, it will widen.

I'll post again when I have more to say on the matter.






Tuesday, July 17, 2018

Toronto Hydro Breach - The Update

If you read the last post, you'd know that Toronto Hydro looked to be breaching confidentiality by sending me predictions based on a smart meter for a house I previously sold.  This is an update to that post.

Today, I got this response from them.



So, there's no denying the problem was there, but it does make me wonder how many other times they've breached trust by sending out the usage details of one family to members of another.


Monday, July 16, 2018

It looks like Toronto Hydro is breaching confidentiality...

It's no secret that I honestly don't trust Toronto Hydro's IT department one bit.  My history with them as a customer for many years imprinted on me a sense that they don't know what they're doing.  Whether it's leaving customers open to phishing, not securing their servers properly, sending out surveys using platforms where you can change the ID and see other survey questions to other people, installing Smart Meters where you can measure and infer what your neighbours are up to, and from time to time they screw up certificates or entire login processes.

My 2016 report to Toronto Hydro stated my position at both the top and bottom of the report, and it said: "Someone at Toronto Hydro doesn’t know what they are doing, and it’s putting the public at risk."


Screenshot of the relevant part of the 2016 report.


Now, I am no longer a customer of Toronto Hydro.  I sold a house on Holland Ave, Toronto, in the M4B postcode area, in June 2018.  I told Toronto Hydro that and Toronto Hydro even acknowledged that, as proven in this email from them (note the "Closing Date:" is in June).


Proof that Toronto Hydro knew the house was closed in June.

Logically, that should be the end of the matter.  You should get a final bill after they read the meter on the closing day, and you're done.

Except this is Toronto Hydro, and my experience with them is if there's a way to fudge this up, their IT will find it...

So, it's now halfway through July, and remember that I don't own that particular house this month.  Toronto Hydro sent the estimate of what the new owners had used this month anyway.



Toronto Hydro Monthly Estimate.

Now, I would say I was surprised that Toronto Hydro are now broadcasting usage figures to me for a house I don't own any longer, but I'm not surprised as this is totally congruent with my experiences of the past few years.

At this point, it'd be totally expected if they send me a bill for this period too.  



Friday, June 22, 2018

The Scotiabank Leak Problem - Part 3


For this third instalment on the Scotiabank Leak problem, I want to shift away from leaking customer data and corporate customer data, to leaking software.

The first part of this is not news, as it’s that the bank is still putting out unsecured Android apps in 2018.  I’ve covered this in depth in previous years, and even offered a solution.  I’m not going to rehash all that here, but only mention it for the sake of saying for the record that the bank has still done fuck all to resolve that problem.

The second part is more interesting.  The bank underwent a project to tie together many services into a single API called the SOA. It’s an API that everyone can talk to, from ATMs to apps, to customer service screens, etc.  

As you can guess, having created such a key part of the bank, where it’d be catastrophic if details about how it works got out, Scotiabank promptly leaked some Windows applications in 2017 that talked to the SOA through this library.   


Knowing now what this library was called, I checked to see if the bank was publishing the source code for that, too….  

Of course they were…



The icing on this turd cake was that not only were they leaking the security library source code, but they also posted the Triple-DES key and AES key, along with a text file containing the username/password in plain text…. and then uploaded the entire thing to a public GitHub repository.


But we’re not done.  How could this get any worse? 

I discovered the leak in October 2017.  It was uploaded by the bank in November 2015.  That means for nearly two years, Scotiabank had put its own API (with keys and everything) in plain view of any criminal that wanted to look at it. 

Now, this was probably the quickest I’ve seen the Canadian authorities move on anything bank related.  The RCMP’s CCIRC department had this cleaned up within hours.

Of course, there’s a very real chance that the bank never changed the keys, or credentials for that API anyway.  It’s a very sobering thought that these repositories may well have been downloaded many tens or hundreds of times by various people and they’re still getting into Scotiabank through the front door using those keys and credentials.
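What a publishing gate for this class of leak looks like, as an added example that is not the bank's or anyone else's code: a scan of a file tree for the exact kinds of content described above (a named AES or Triple-DES key being assigned, a password assignment in a config or text file, a fixed-length hex key blob, a high-entropy base64 token), refusing to publish when anything fires. Every path and value in the sample tree is constructed for the example, and the rule patterns are illustrative, not a real tool's rule set.

```python
"""Pre-publish secret scan: refuse to publish a file tree that contains named
crypto keys, plaintext passwords, fixed-length hex key blobs or high-entropy
base64 tokens. Added example, not the bank's code; all contents are constructed."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample tree (hypothetical paths, made-up values, not leaked data).
SAMPLE_FILES: Dict[str, str] = {
    "src/SecurityLib/Crypto.cs": (
        'private static readonly byte[] AesKey = Convert.FromBase64String('
        '"Qk7vZpX2mR9sT4wLbN1cYdF6gHjU3uE0aVxWrPoM5iS8");\n'
        'private const string TripleDesKey = '
        '"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF";\n'
    ),
    "config/db.properties": (
        "db.url=jdbc:mysql://db.example.internal/soa\n"
        "db.user=svc_soa\n"
        "db.password=Wint3r2015!\n"
    ),
    "creds.txt": "username: svc_api\npassword: hunter2\n",
    "README.md": "# Security library\nBuild with msbuild.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # redacted: enough to locate the hit, never the whole secret


# Keyword rules: a variable or config key that names key material or a
# password and is assigned a literal value on the same line.
KEYWORD_RULES = [
    ("crypto key assignment",
     re.compile(r"(?i)\b\w*(?:aes|tripledes|3des|des|hmac)\w*key\w*\s*[:=]\s*\S+")),
    ("password assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+")),
]

# 16-, 24- or 32-byte hex runs: the key sizes of two/three-key Triple-DES and
# AES-128/192/256. Bounded on both sides, so a 40-char git SHA-1 does not fire
# (a 64-char SHA-256 digest has the shape of an AES-256 key and will; review by context).
HEX_KEY_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{48}|[0-9A-Fa-f]{64})(?![0-9A-Fa-f])"
)

# Long base64-shaped runs with high Shannon entropy are treated as key material
# even when nothing names them as such.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per char: identifiers and prose sit below, random base64 above


def shannon_entropy(s: str) -> float:
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    return s if len(s) <= 8 else s[:8] + "..."


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KEYWORD_RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, rule, redact(m.group(0))))
        m = HEX_KEY_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "hex key material", redact(m.group(0))))
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy token", redact(tok)))
                break  # one entropy hit per line is enough to block
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a path -> contents mapping (e.g. the staged tree in a pre-commit hook)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_publish(files: Dict[str, str]) -> bool:
    """True when anything the rules above flag would be published."""
    return bool(scan_tree(files))


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    print("blocked" if should_block_publish(SAMPLE_FILES) else "clean")
```

Run as a pre-commit or pre-push hook, `should_block_publish` is the decision and the findings are what the developer sees; excerpts are cut to eight characters so the hook's own output does not become a second copy of the secret. The entropy rule is what catches a key that nobody labelled as one, and the hex rule catches the ones that are too low-entropy per character for the entropy test (hex tops out at 4 bits per character).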

Anyway, that’s it for this instalment.

To recap the series so far:
Part 1 - We proved that consumer data has leaked.
Part 2 - We proved that commercial data has leaked.
Part 3 - We proved that keys, credentials and security for their central API leaked. 



An Update on The Scotiabank Leaks

Previously, during Part 1 of my series of articles that document just how ridiculous the digital security has become at Scotiabank, I mentioned that Next Pathway had been leaking Scotiabank's technical details and customer data for a number of years.  Whilst Next Pathway didn't take me up on my original suggestion that we sit down with Law Enforcement and go over some of the problems, I have now confirmed that Next Pathway have cleaned up behind all three of those employees I mentioned on Twitter earlier in the week.  

That's a vast improvement in security for all Scotiabank customers.

Outside of not adequately enforcing with their developers what should/shouldn't be posted publicly, and outside of failing to notice that staff were leaking for a few years (kinda ironic, don't you think?), I don't actually have any beef with Next Pathway.  

That aside, I will likely check back in on Next Pathway in a few weeks, just to see if this cleanup goes any further than with just the three employees I mentioned. 

Thursday, June 21, 2018

The Scotiabank Leak Problem - Part 2

For those just joining, this is the second installment in a series of short articles proving how off-the-scale things can get at Scotiabank where bank security is concerned.  

Previously, for part 1, I proved that despite what the bank claims about being secure, customer data has leaked by showing an example of leaked data, and I also showed that all and sundry can still read up on how various services can be spoken to within the bank because the same people leaking the customer data have also been leaking technical data.  

This time, I'm going to jump from consumer security to commercial security.  As you can guess, this side of the bank is just as pooched as the consumer side of things.  


Scotiabank does leak commercial transactions.  That's an axiom.

The leaks usually happen due to a bad combination of factors - where a lack of common sense and a lack of oversight combine to create these conditions where instead of testing systems with fake data, they often annex real customer data and then feed that real data into their new systems.  

This means that two things happen, which should never have been allowed to happen:
  • First, employees with no business looking at your real commercial transactions are getting to see your real commercial transactions. 
  • Second, when the underlying project code inevitably leaks, the real commercial transactions leak along with it.  Given this is Scotiabank, and they regularly publish to ideone.com, pastebin, GitHub, etc, these transactions then get hoovered up by search engine crawlers and that shit will stick around for years as the bank rarely cleans up any breach that does occur.
Anyone with a shred of intelligence would know that's a bad situation for the bank to put its customers in. 



Above is an example of a construction company that had its transaction data leaked out of Scotiabank in 2017, proving that the bank leaks commercial data as well as consumer data.
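What the alternative to annexing real customer data looks like, as an added example that is not Scotiabank's process or code: a fixture builder that keeps the shape and the relationships of production-like transaction records but replaces every identifier with a keyed-HMAC pseudonym, drops free-text memos, and runs a gate that refuses to release the fixture if any original value survives. The records, the key, and every function name here are constructed for the example; the key stays in the environment that does the extraction and is never shipped with the fixture.

```python
"""Test fixtures from production-shaped records without copying production data.
Added example, not the bank's process: identifiers become keyed-HMAC pseudonyms
(stable, so joins still work; not reversible without the key, so a leaked fixture
does not hand over real accounts), free text is dropped, and a gate checks that
nothing original survives before the fixture leaves production.
Records and key are constructed for the example."""
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed records in a production-like shape; every value is made up.
PRODUCTION_SAMPLE: List[Dict[str, object]] = [
    {"account": "4510 2233 0001 7789", "counterparty": "Acme Construction Ltd",
     "amount": 18250.00, "memo": "Progress draw #3, site 12"},
    {"account": "4510 2233 0001 7789", "counterparty": "Northern Aggregates Inc",
     "amount": 4120.55, "memo": "Invoice 88231"},
    {"account": "7820 0001 5599 3321", "counterparty": "Acme Construction Ltd",
     "amount": 990.00, "memo": "Retainer"},
]

# Lives only where the extraction runs; never shipped with the fixture.
PSEUDONYM_KEY = b"constructed-key-for-this-example-only"


def pseudonymise_digits(value: str, key: bytes) -> str:
    """Replace each digit with one derived from HMAC(key, value); separators and
    length are preserved so format validation in the test system still passes."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(digest[i % len(digest)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def pseudonymise_label(value: str, key: bytes, prefix: str) -> str:
    """Stable opaque label for a name; equal inputs give equal labels."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{prefix}-{tag}"


def build_test_fixture(records: Iterable[Dict[str, object]], key: bytes) -> List[Dict[str, object]]:
    fixture: List[Dict[str, object]] = []
    for r in records:
        fixture.append({
            "account": pseudonymise_digits(str(r["account"]), key),
            "counterparty": pseudonymise_label(str(r["counterparty"]), key, "Counterparty"),
            "amount": r["amount"],
            # "memo" is dropped outright: free text carries names, invoice and site numbers.
        })
    return fixture


def leaks_production_values(fixture: Iterable[Dict[str, object]],
                            production: Iterable[Dict[str, object]],
                            fields: Iterable[str] = ("account", "counterparty", "memo")) -> bool:
    """Gate run before the fixture crosses the production boundary:
    True if any original identifier or memo appears anywhere in the fixture."""
    originals = {str(r[f]) for r in production for f in fields if f in r}
    blob = "\n".join(str(v) for rec in fixture for v in rec.values())
    return any(o in blob for o in originals)


if __name__ == "__main__":
    fixture = build_test_fixture(PRODUCTION_SAMPLE, PSEUDONYM_KEY)
    for rec in fixture:
        print(rec)
    print("release blocked" if leaks_production_values(fixture, PRODUCTION_SAMPLE) else "safe to release")
```

The HMAC matters: a plain hash of an account number can be reversed by hashing every possible number, while a keyed pseudonym cannot be without the key, and the same input always gets the same pseudonym, so a fixture spanning several tables still joins. The gate is deliberately dumb (substring search for every original value) because at this boundary a false positive costs a rebuild and a false negative is exactly the leak described above.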

One of the more interesting commercial breaches out of Scotiabank was last year, and it involved a mining and manufacturing company out of the USA that had a Mexican subsidiary.  They were registered with various governments and the military.  The fact that Scotiabank was leaking transactions for a DOD Form 2345 registered company hit close to home.  The reason it hit close to home, was because I have a company that is also registered with the US DOD, and I'd noticed Scotiabank was doing something funky with Interac payments out of my company - and despite my insistence that something was breaching within Scotiabank, they did fuck all to address the problem.  

Here's what happened:  When you are under the "Militarily Critical Technical Data Agreement" (the full name of that DOD agreement), you have some pretty strong obligations.  The biggest is confidentiality.  You can't have people see what you do.  You often can't have people know what you do (Mine literally says "Mobile C4ISR research with ARCIC and Connecting Soldiers to Digital Applications").  This means that my personal account at Scotiabank and my Business account at Scotiabank should never know about each other. 

We ran into a situation in June of 2017, that is still not resolved in June 2018 where there is cross contamination between accounts.  I can send an Interac payment from my business account to my personal account (from a corporate email address to a gmail address) and when depositing it, Scotiabank says you cannot deposit into the same email address you sent from.  This means that as I'm depositing into my gmail account, my work account is stamping the transaction under the hood as being from my gmail account.  For that to happen, there's been cross-contamination as the sender cannot pretend to be an address in a different account.  It's fucking impossible to screw this up as a customer because you register your email address in the sender's side, and the recipient is picked from a drop-down menu.

Naturally, a problem like that is going to require customer service to resolve, which is why a year later it's still not resolved, because if there's one thing worse than Security at Scotiabank, it's Customer Service.   Later, after the damage was done, Scotiabank said that an Ombudsman could look into it - which is typical, as they know an Ombudsman can do fuck all to stop a breach that's already occurred.  

Anyway, that's the end of this installment.

To recap this series so far:
Part 1 - I proved that consumer data leaks.
Part 2 - I proved that business data leaks.


        

Wednesday, June 20, 2018

The Scotiabank Leak Problem - Part 1


Next week, I will be starting to leave Scotiabank as a customer as I finally buy my freedom.  It's not a moment too soon, and I have nothing good to say about this bank, its people and its actions.  But as I leave Scotiabank, I want to do a quick series of articles on how much of a shit-show I think it really is, because I'm sure that some people just don't believe things can be as bad as I say they are.

Let's start off with this Visa credit card transaction.




You've probably guessed by now, that as my name is Jason and not Constantine, that's not my Visa credit card either.  So what's going on here?

I've maintained for a number of years that Scotiabank is dangerous as they don't know what they're doing.  The bank leaks.  Its vendors leak.  Its subsidiary banks leak.  For reasons I cannot fathom, Scotiabank was pressed a number of times to have me sit with appropriate people, and they wouldn't give me the audience I requested.  That's not the actions of a bank that understands security.  In my mind, that's just reckless disregard for the public's safety.

Whilst I've previously said that Scotiabank leaks customer data, I've always resisted posting proof, or posting where these leaks came from.  In the example above, this is data from Chile (Scotiabank has a big IT operation there), but the vector for the leak was Next Pathway in Toronto, who does some of the IT stuff for Scotiabank.  People often claim that unless you have customer data getting out, it's not really a problem. I disagree, but above is your proof that customer data does get out.  

The bigger problem in my mind is not that the customer data often gets out, it's that the details of the underlying banking systems always get out.  The whole marketing line about banks being secure is complete BS, and incongruous with reality when the details of how the bank works are public.

Here's an example of what I mean.  

There's another leak (also out of Next Pathway in Toronto - they've literally posted the bank API messages to a public GitHub repo for the past few years).  This one has all the WSDLs for the bank's SOAP services.  So if you want to know how something is done within the bank, it's published in a publicly accessible place and neither Scotiabank nor Next Pathway ever audited their security... or they did and decided publishing this type of stuff to GitHub is not a security problem. 




So, that's it for this installment.  


Monday, April 2, 2018

It's alive...

You will remember from my previous post, that I've been working for the past few months on a bank security related project.

It's now live...
https://www.howsafeismybank.com

Right now, we're only publishing the Canadian bank positions, but having said that, we've got all the major UK banks being checked and the major US banks too, and the data is pretty educational.  


Wednesday, March 28, 2018

The Digital Banking Security Index

So, if you are a bank or you have a bank account, you are going to want to keep your eyes on these two places for forthcoming announcements:

Twitter:  https://twitter.com/HowSafeIsMyBank
Facebook:  https://www.facebook.com/HowSafeIsMyBank

In a nutshell, the manual checks I used to do on my banks at CIBC and later ScotiaBank have now been automated and now the entire country of Canada has been onboarded.  By checking all the banks with the same tests, and augmenting these tests on a per-bank basis to take into account known vulnerabilities, billboard style charts have been running off for a few months, and now these billboard-style charts are being made public.

In addition, the big four banks in the USA, UK and Australia were onboarded to allow us to see where Canadian banks sit when compared to foreign banks.  Charts for those countries are in the works as more banks are onboarded.

The website will be up shortly, which has the full chart each month.  Details to follow soon on social media.