Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet

Morons

Why would you put credentials for anything anywhere online in the first place? Private or public, its a bad idea.

called it

Oh man, I was counting the days until this happened ever since reading this story:

https://www.theglobeandmail.com/business/article-brian-porter-is-making-big-changes-at-scotiabank-but-will-investors/

as I wrote in the comments there:

"As someone who works in IT and was previously considering switching to Scotia...the above has convinced me definitely not to do that, ever, or to invest in them."

You see Dev's

This is why your IT guys and gals are "being obstructive" when they make sure you follow procedures. But hey don't bother with them, just use 'the cloud", far easier.

Sorry I'm late to the party...

If anyone has any questions, I'll try to answer.

Hi grandma, may I use your fax machine?

I have bad experiences with them and technology. Did you have to notify them via signed fax, courier, or registered mail?

I would never attempt to configure critical services myself but, if I did, I would try hitting them with my cellphone to see if anything was world visible before loading up the data. (no, not your flip phone)

Whilst...

Yes, whilst this is totally idiotic and obviously Scotiabanks problem to resolve, I do wonder if this is a fuckup caused by in-house resources or by the cheap and inexperienced offshore labour in India being so remote from the business that they don't properly understand the implications, or perhaps give a f**k.

Either way, you do have to smirk (a bit)...

Totally off topic, another Canadian bank (ANC) keeps sending account info to one of my gmail addresses. Clearly there's no verification going on there. Additionally, I've tried to get them to stop, but any email I send seems to go unnoticed.

Sadly, the account owner keeps going overdrawn, and it's not a lovely thing to see.

I did some development work for a UK bank back in the nineties. The restrictions, rules and regulations were strict, and were strictly enforced. After all, it was people's money that was at stake.

Clearly. times have changed.

Former Scotiabanker

"By the time you read this, the GitHub repositories, which presumably were accidentally misconfigured by Scotiabank's techies, should be hidden or removed."

As a former developer at Scotiabank, I can tell you they were not "accidentially misconfigured"; the proper adverb is "incompetently". There are good coders at Scotiabank. Too bad their entire day is spent trying to stem the tide of the legions of horrid typers (they aren't coders because a coder makes code, not just keystrokers).

huh?

what is all this GitHub billix about?

I'm seeing it all over the shop.

Security mindset from way back

Back in the 80s, I accidentally left my Scotiabank credit card behind at a Business Depot (but did not realise it until a week later). The first fraudulent purchase was at a gas-station just down the road. Then came a string of fraudulent purchases at one store over the course of a few weeks. Scotiabank's grunt-and-poke security talked to me, asking if a relative or friend has visited before the theft. Security angle: my first name is a very common Anglo-Saxon name, the fradulent purchaser was a female, and I learnt that the person signing for the purchase need not be the card owner. (And no, they never bothered to visit the store in question.)

What amazes me...

Is that more than 12 hours after this story was posted, not a single Canadian news outlet seems to have picked up the story.

Apparently our half-wit PM wearing black face at a party 20 years ago, is far more important...

Surprised? Hardly.

It's only been a year since Scotia Bank finally relented and made passwords case sensitive and allowed special characters.

Lately though they forced mobile customers to "upgrade" to a new improved app that lacks several heavily used features, and which is inarguably harder to use for everyday tasks.

For instance, instead of tapping a button to confirm an action you now need to drag a slider across the screen.

What the...

I would ensure that the Cheif Risk Officer, CISO (who I knew well when I was there), CTO and the CEO are all held accountable for the dreadful manner in which they handle information assets. I'm almost ashamed to say I worked for Scotiabank. Makes you leary of how they handle other facets of the business. On another note their stock is up today. Incredible.

Muppet grade security

Almost lost my drink out of my nose.

Best headline ever lol

A security breach, even when tens of millions have been exposed to possible exploitation, seems to not move the shock meter a single click any more. The known damage and the potential damage is treated as a mere notification. We have been numbed of our senses.

Canadians think highly of their banks, so I am not expecting front page headlines giving Scotiabank the WTF treatment or a run on the bank by its business clients and private account holders. The corporate suits are counting on this and they will spew out the usual PR to cover it. This complacency, if not checked now, will end in a world of hurt for the bank's customers. If the leaked data has been collected, it will be appraised and sold to miscreants, i.e. organised crime and rogue states. The grim reality is that the bank will probably escape with a small fine by the regulators. They can also keep lawsuits in the courts for decades. They accept responsibility for causing the leak, but they are never held absolutely accountable.