The Scotiabank Security Talk – Part 4

June 26, 2019



Hey there, so this is part 4 of my Scotiabank talk. Excuse my voice, I'm going down with a cold now. OK, so for this part I want to quickly cover organized crime and customer service. The two things are not connected, but I want to get this talk over and done with in as quick a time as possible.

There have been many instances in the past where you can see a scam being set up, and you know the bank has all these weeks' worth of warning and then doesn't do anything about it. It just fails to act; it's not proactive. So you get to see the SMS calls going out to the bank's customers with a call to action saying, you know, go to this scam website, and people are complaining on Twitter about the scam texts, and the whole thing was wholly preventable, which is nuts when you think about it. Some time ago I walked the CCIRC through a Scotiabank scam in real time. The amount of time it takes to actually check for a scam being set up and predict this coming is about 2 minutes per day for one person in the entire bank, so you don't need everybody looking for this stuff. I was able to demonstrate that a wholly preventable scam can make it to the SMS stage before the bank reacts.

So traditionally the bank security model has been based around the sort of capture-the-flag model: there's one place where all the spoils of war are. In the case of a bank it's a database or it's a vault, and a criminal just has to gain access to that. You know, it's just that one thing they have to do. However, that is difficult and it's time intensive, and you could easily get caught. So the more common way to do things these days is to change the attack surface away from capture-the-flag, where you've got one point they're trying to get to, and instead just blanket the customers. You know, attack everybody. So now we've got malicious Android versions that are looking for the Scotiabank app, you've got TrickBot that's trying to install itself on your computer and get between you and the bank, and we've got phishing.

There's a tool called Scotty which is frequently used to pretend that it's Scotiabank, and it logs information to a log file where, if the criminal setting it up has been lazy, everybody knows where that log file is. So once your information is in the log file from the phisher, what will then happen is somebody called a whaler will come along; they will grab the log file that the phisher was expecting to come and get. Now some of these whalers get a bit lazy, so they have software called an auto-whaler which just goes around all the phishing sites and picks up all of the pots of data being left in place as the phishers are doing the grunt work. So of course, where do these auto-whalers come from? Well, this is software written by another party; quite often, you know, the people doing the crimes aren't normally technical. This leads to an interesting twist in the story, because your information has been phished, and then the whaler has tried to get that information, and then you've got an auto-whaler coming in, but the auto-whaler is written by somebody else, so it's also uploading that same information to somebody else who is totally out of the picture. So, you know, by the time the phisher goes round to grab the data, it's already been sold several times over by the auto-whaler authors. So that's phishing and smishing.

So now I want to turn my attention to the customer service side of things. Putting aside the fact that I've probably been Scotiabank's angriest customer for several years now, for what everybody thinks is a very, very good reason, and I personally believe that it's hard to find worse customer service in this country, I'm going to focus on the cybersecurity part of customer service. I've already proved that the social media team is an ineffective route to report cybersecurity concerns to. You know, they were told about a number of problems in 2016, of which I believe none of them have been fixed in 2017, or at least to my knowledge none have been fixed as I'm recording this video.

There really needs to be a protocol in place to be able to handle submissions over social media. I also proved that if you approach the president's office and report stuff there, it will get delegated off into a black hole and you'll never hear from them again. So I don't report cybersecurity to the top or the bottom now, because it's just ineffective; going to the top or bottom has historically, equally, got me nowhere. Now if you go to Scotiabank's website, security is not sort of front and center, big, you know, in your face. Instead it's sitting in the breadcrumbs at the bottom, which are likely to be missed. Yeah, there are some options in there for reporting things like phishing and scam emails and stuff like that, but it's confusing trying to work out where you raise the alarm when the problem is inside the bank. To me, yeah, I'm no idiot and I can't find it.

So to conclude this four-part series, just to get it over and done with now: yeah, cybersecurity at Scotiabank is, in my mind, a shambles. It personally beggars belief that I can read on Scotiabank.com how to set up a baby's room over HTTP, but if I'm an immigrant coming to Canada and I am applying to the bank and they're asking for my immigration status and everything else, that's done in plain text over HTTP. Makes no sense whatsoever. Over this series I've shown basically why I banned Scotiabank's digital products in my house in 2016. I haven't lifted that ban yet. Basically it sits with everybody: just don't use it. It's unsafe, and until I tell you otherwise, assume that it's unsafe. It's, you know, in my mind, crap security; the logic that is displayed makes absolutely no sense to me. I'll see if Scotiabank responds to this. I don't think that they will; historically over the past couple of years, you know, they haven't done. You know, a leopard doesn't change his spots, so I don't expect to hear anything from them in the immediacy. So anyway, I'm gonna stop at this point. I've deliberately left out some stuff for obvious reasons. If there is one thing which I'm hoping that you take away from this four-part talk, that I've conveyed, it's why I always look at Scotiabank's digital efforts with an air of mistrust. In my mind it's not security, it's theatre.