Update
Update: Rogers said no data got out. I’ve reached out to a Rogers customer whose data has not gotten out, explaining where it did not get out, and advising them to contact Rogers to discuss how it did not get out.
8 publicly visible posts • joined 19 Jan 2017
I keep a special eye on this bank. Originally, as a customer, I was concerned that they were putting me in danger. In 2016 I told friends and family to stop using their mobile products after I spotted the insult screen aimed at Kony Inc, hidden in the Android app (they only started Android Java obfuscation in summer 2019). That told me right there that anyone could pull off an inside job, because if you can add an entire screen to the app and the bank doesn’t catch it, adding two lines to siphon bank credentials from the login process was going to be a walk in the park. That got me hooked on watching the stupid things they do. Until they disbanded the CCIRC, I would report the big things like that to them, practicing my observation skills along the way. Later, in 2018, Scotiabank and I got into a tussle where they showed a side of customer service that was reprehensible. Since then, I’ve upped the ante (including automation to keep tabs on stuff), and aim to document as much as possible to show orgs like OSFI and the Privacy Commission of Canada that these people don’t know what they’re doing.
...first it starts with them trying to ban screen scraping and next thing you know, they're going to be telling you that doing MITM attacks is no longer an acceptable way to get data out of a Financial Institution's source system and have it magically transformed for use in a previously incompatible destination system at the customer's end.
I wrote to the CCIRC in August of 2016 and pointed out a continuing problem where there are holes in their security, but Bell Canada denies it and nobody in their right mind wishes to help Bell Canada resolve it. My first and only attempt to help Bell Canada plug a Titanic-sized hole of leaking data was in 2013. Everyone I spoke to always denied there was a problem, so I'd fight to get escalated. So, I eventually showed Sheilagh Malloy (after she refuted my claim as impossible), who was head of the Office of the Privacy Ombudsman, some username and password combos. She came down on me like a tonne of bricks, so I swore I'd never help Bell Canada again, and the holes in their security remained open. These days, nobody tells Bell Canada when there is a problem, for fear of reprisals, and that leads to an environment where Bell Canada customers are open to being hacked over and over.