Tuesday, July 9, 2019

Desjardins part deux: Wow.... do we actually want to fix this problem?

We are not scoring high on the smart scale this month.  

On the right track?  Sadly... no.

The problem is that banks practically hand out credit blindly, and senior executives have ZERO accountability or personal liability when they screw up your credit file.  They then team up with their "buddies" at the credit bureau to make you feel like they are helping you, while you are left with a nightmare to solve that can take years.


New laws fall from the sky, always missing the point.  New York now has a new disclosure law that aims to ensure we are told when our data is breached.  But what about when our data is used?  Nothing yet.  We are way too busy making ourselves look good by putting in very strict laws to tell you when your data has walked out the door.  Silly data.  Data that has walked out repeatedly over time.

Hey, heads up, it is too late.

When your information is used to create ANY form of credit application, you should be advised.

And when a bank gives credit to the wrong "you", you should be fully protected.

Since big banks have all the power, you, the "customer", have no such protection, nor will you anytime soon.

The banks have all the power, and they have the last say.  They also really want to hand out credit because, well... they are kinda loan-sharkish, and sharks like fresh meat.

Every bank to ever exist...

So it is totally normal for banks to hand out credit cards and loans like cotton candy at a county fair.

How crazy is this: credit applications handed out while you wait in line to pay at a department store.  Offering you (or anyone who says they are you) instant credit and a generous 10% discount on all of today's purchases if you sign up for a new credit card that will be approved on the spot!  How is this legal?

And, let's face it, someone who is hired to get credit applications filled out, and whose salary is directly tied to how many credit applications they push out, is most certainly the highest quality of authentication.

The fact is that these credit applications all rely on identification data (name, date of birth, social insurance number), which anyone who has stolen that data can supply.  They never really authenticate the person, since our current credit system has no digital ID or other modern means to do so.  So granting someone credit is easy, charging their current purchases to this new credit card is common, and out the door they go, because the banks do not care and will not be held liable beyond the fraudulent transactions.  Two weeks later, the real person gets their new credit card along with a welcome letter and a $3000 bill for things they never bought, and they are left with a near-impossible task: clearing their credit file of this mess and not paying the $3000, which can take a very, very long time.

Desjardins pointed 2.7 million souls to a dysfunctional service called Equifax, which predictably failed.  In the meantime, no one thought it would be a good idea to freeze the credit files of all 2.7 million until they figured this out.  Once again, push the problem down the road.

Equifax is a "for profit" organisation.  So are banks.  They shouldn't be trusted with the information they have.  And none of this is done with the citizen's consent, since the banks send all your sensitive information to these credit bureaus.

So, in short, as far as crisis management goes, it was written in stone that this wouldn't work, but crisis management calls for a Teflon™ approach, and someone needs to appear to be doing something.

Well, big surprise, what is being done remains mostly wrong in the long run.

The difference between a cybersecurity professional and a good cybersecurity professional is root cause analysis combined with taking actions that actually reduce the risk.  Not security theatre, and not putting in place yet more alerting mechanisms for when your data is exposed.  We know... that ship has sailed... repeatedly.

Society has its panties in a bunch over a trusted employee leaving with what is essentially a client list.  This happens way more often than you think.

Yes, this is terrible news.  Yes, Desjardins shouldn't allow people to export entire segments of databases that include full birth dates and full social insurance numbers...

But... we shouldn't rely on these meaningless artefacts, which date back to the Cold War, to award credit unless the issuer is willing to take full responsibility.

News agencies are hitting Desjardins again with news that another employee defrauded Desjardins of over $300,000.  This is almost business as usual for a bank.  Most banks fire someone every week because they did something unacceptable.  This doesn't mean they lose $300,000 every week; this case alone was spread over 8 years.  Employees abusing their power in banks is way more common than most think.  It also has nothing to do with data exposure, so why are news agencies riding the bus and hitting Desjardins yet again with meaningless news stories?  Just to try and make them look bad?  All banks have this issue.  And while they are writing about this, they are not actually putting pressure on the right things.

So back to identity theft...

The reason this is so grave is directly tied to the fact that WHEN you get your identity stolen (used), you are left with a mess and no means to fix it without grave consequences, and a task worse than assembling an IKEA kitchen in a dark room with no instructions and your wife and three kids asking "is it done yet?" every 5 minutes.

The problem is twofold.

#1 We have no concrete, modern and secure way of attaching obtained credit to a biological human being.

#2 We have no way to clean up the mess that is caused when someone creates falsified credit under your name (and this shouldn't happen in the first place).

Make banks accountable.  Make senior management accountable.

Accountable = penalties paid out of their own pockets, not the shareholders'.

So I really wish we would stop referring to ourselves as the banks' clients, since we are not; we are simply pawns used as leverage in a financial game played for their benefit.

I would ask our current government to make drastic changes to our banking regulations.  I would ask the privacy commissioner to be right behind this:

If ANY credit institution grants credit to someone who is not me and puts it on my file, they should be held FULLY liable, and I should not only get my entire credit profile cleaned up, I should get a huge cheque in compensation for their error; and while we are at it, they should be fined significant penalties levied directly on their senior management, not the shareholders.

Let's face it, ALL publicly traded companies are in it for the cash, and ALL of management is focused on short-term gains, with short-term objectives and short-term bonus structures that work directly against protecting your credit.

HIPAA, as applied in US health care, is a gold mine of wisdom in this area.  They wrote the law expecting people to lie and built the penalties around your level of competence versus honesty.

Penalties scale with culpability (the actual rule has four civil tiers, plus separate criminal penalties for individuals who knowingly misuse health data), but the logic boils down to three levels:

Level 1:  You had no way of knowing (yes, you still get a fine).

Level 2:  You should have known if you had done your job with reasonable competency (bigger fine).

Level 3:  You knew and didn't take action, or worse, you clearly covered it up, etc. (huge fine and potential jail time).

They wrote it right into the law!

So what gives with our privacy laws?

We need banks to take responsibility for their interactions with their credit bureaus, because these bureaus certainly are not "our" credit bureaus.

So here is the call to arms that we should all be forcing our government to act on, in reverse order of importance:

3) Better digital ID (blockchain-enabled, with mechanisms to prevent oppression, etc.)

2) Replacement of "for profit" credit bureaus (an obvious and complete failure as it stands today)

1) Severe penalties, including personal liability for senior management (and criminal penalties targeting executives when willful blindness is in play), for any screw-up to a person's credit file, including mandated clean-up of such screw-ups without the citizen having to suffer for months or years.

So, dear media, dear government, and dear privacy commissioner: stop talking about Desjardins and their evil malicious employee (they got the memo), start talking about the real issues, and start addressing them.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches cybersecurity at l'École Polytechnique and HEC in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
