Posts by JaseCoulls

8 publicly visible posts • joined 19 Jan 2017

No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down

JaseCoulls

Update

Update: Rogers said no data got out. I’ve reached out to a Rogers customer whose data has not gotten out, explaining where it did not get out, and advising them to contact Rogers to discuss how it did not get out.

Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet

JaseCoulls

Re: Whilst...

It's definitely gotten worse since many more devs were brought on in Chile, Peru, and Mexico.

JaseCoulls

Re: Sorry I'm late to the party...

I keep a special eye on this bank. Originally, as a customer, I was concerned that they were putting me in danger. In 2016 I told friends and family to stop using their mobile products after I spotted the insult screen aimed at Kony Inc, hidden in the Android app (they only started Android Java obfuscation in summer 2019). That told me right there that anyone could pull off an inside job, because if you can add an entire screen to the app and the bank doesn't catch it, adding two lines to siphon bank credentials from the login process was going to be a walk in the park. That got me hooked on watching the stupid things they do. Until they disbanded the CCIRC, I would report the big things like that to them, practising my observation skills along the way. Later, in 2018, Scotiabank and I got into a tussle where they showed a side of customer service that was reprehensible. Since then, I've upped the ante (including automation to keep tabs on stuff), and aim to document as much as possible to show orgs like OSFI and the Privacy Commission of Canada that these people don't know what they're doing.

JaseCoulls

Sorry I'm late to the party...

If anyone has any questions, I'll try to answer.

Lloyds Bank bans Bitcoin purchases by credit card customers

JaseCoulls

They did the same thing at Scotiabank in Canada last month. Lots of people were pretty annoyed about it.

Banking association calls for end of 'screen-scraping'

JaseCoulls

It's a slippery slope...

...first it starts with them trying to ban screen scraping and next thing you know, they're going to be telling you that doing MITM attacks is no longer an acceptable way to get data out of a Financial Institution's source system and have it magically transformed for use in a previously incompatible destination system at the customer's end.

Bell Canada hacked: 2m account details swiped by mystery miscreants

JaseCoulls

This happened before... and will happen again.

I wrote to the CCIRC in August of 2016 and pointed out a continuing problem where there are holes in their security, but Bell Canada denies it and nobody in their right mind wishes to help Bell Canada resolve it. My first and only attempt to help Bell Canada plug a Titanic-sized hole of leaking data was in 2013. Everyone I spoke to always denied there was a problem, so I'd fight to get escalated. So, I eventually showed Sheilagh Malloy (after she refuted my claim as impossible), who was head of the Office of the Privacy Ombudsman, some username and password combos. She came down on me like a tonne of bricks, so I swore I'd never help Bell Canada again, and the holes in their security remained open. These days, nobody tells Bell Canada when there is a problem, for fear of reprisals, and that leads to an environment where Bell Canada customers are open to being hacked over and over.

I'll have Fabric, Crashlytics... Google crams Twitter mobile dev tools in trolley

JaseCoulls

I feel like they're just doing this to find out what everyone else's apps are doing. This doesn't feel right.