Wednesday, August 7, 2019

Yes another data breach today. Lets fix this. When is enough...enough.

If I hear one more expert tell the people to monitor their credit I'm going to have an aneurism.

It is like people do not realize that being told you lost a kidney doesn't change the fact that you lost a kidney.  Are we all in kindergarten or do we actually want to improve the situation?

Do we all realize we have websites called

Not Data Breach Quarterly....  or data breach this month....  Data breach TODAY.

The Quebec Revenue Agency just "lost" 28,000 records, and in the meantime, after the provinces biggest series of data breaches, BMO decides that it is a good time to send off pre-authorized credit card applications.... via email...

Banks should not EVER send off anything asking you to click on something... but here we are.  BMO.... you are acting irresponsibly.    

Check out the email.....  Pre-authorized for $4000 awesome ! 


So what is the problem...  simple, it looks like a phishing email, but turns out to be legitimate.  So how do we train users now.  Don't click unless it looks legitimate !  The bad guys know how to make them look legitimate.

Banks (specifically Equifax) say they aren’t conformable enough to trust our physical address on file to alert us if a new credit entry is made to our file, but they are comfortable sending off clear text (unencrypted) emails across large population groups giving out pre-authorized credit cards and sending them to….. whatever address they have on file…..

Bare with me...

It will be worth it I promise....

A bright man once said that a mind expanded can never go back to it's original size.  So lets push to expand the minds of everyone who can make a difference.

Let's actually roadmap the fix to the ongoing identity theft & credit fiasco that is before us.

No more prolonging it because "there is money in taking our time".

The root of the problem is that birthdates and social insurance numbers still have huge value, mostly because actions that we do in our day to day lives still rely on this archaic form of "authentication"... and we allow it!

We hand out credit cards in airport lounges or department store waiting lines by someone paid a commission to process the most credit applications.  Do we really think the authentication process for these credit card application forms are going to be of high quality?


Digital Identity - Can be done, we have the technology.  If we can make little blue pills, I'm certain we ca put two smart guys on this and figure it out.  Some countries have been doing it for a long time.  In North America, specifically in the US, they want nothing to do with true digital ID because it would modulate the way they manipulate votes through hackable voting processes.  

In Canada, let's not be like our neighbours, because we have a real chance to make a difference since we have a limited amount of banks and could regulate all this with some basic legal changes.

First off, almost everyone has a cell phone, the small quantity that do not can be handled through a secondary process.  And since they are a small group compared to the masses, attackers don't flock to them.  Attackers like volume.

And everyone has to have a bank account somewhere at some financial institution.

Tighter Legal ControlsLets make "messing" with anyones identity a personally liable crime (you participate in any way, you pay significant personal penalties and if criminal intente, you go to jail).  Lets also make it illegal for a bank to NOT prosecute criminal behaviour within their employees.  Because you would fall off your chair if you knew how many employees get fired every year from any of the big banks, but the banks don't press charges because they don't want any bad press.  The people they fire go to work in the next bank with the added wisdom of how they got caught.

So now, with these new rules, when someone opens an account at a bank, how tight do you think that authentication process would now be....

Centralized data When someone opens a bank account and the data they are supplying to the clerk gets pushed up to a shared centralized Identity processing service... and any form of collision or error happens, you have a mandated manual investigation prior to account creation that involves the centralize service.

Not for profit Credit bureau Throw in a centralize credit bureau that is operated by the government (no more Equifax and TransUnion who are there to make money off of your information) and things are really starting to rock.

Subsidize this centralized service with credit inquiry fees paid directly by the banks.  They want to hand out credit cards in an airport lounge, they pay for every request to the central service.  

Add some alerting -  With a centralized and government run identity and credit bureau, you can easily add alerting.  Anyone pulls from your personal file, an alert can be sent to your phone or a letter can be mailed to your home or your employer.  This should already be a law and the current credit bureaus should be forced to do this.

Add some authorization to the alerting - Make it a legal requirement that any financial transaction that can damage ones life, say above a given threshold ( $1500?) gets pushed to your phone and requires you to confirm.  Anything above $15,000 requires multiple types of confirmations.   This could be as simple as having to pre-authorize the purchase with a well defined and controlled mechanism.  Don't get tied down by thinking these things are hugely complexe, they are not.  We have the technology, we lack the political desire. One of my credit cards messages me any transaction the instant it happens.  I haven't even grabbed the bag for my purchase and I get the SMS.

Do you really think someone is going to mind having to confirm that they are buying a car?  Transferring their mortgage?  Selling their property?   No, everyone would be fine with that.

TRANSFER RESPONSIBILITY TO THE BANKS -  You let a transaction through without the appropriate confirmation level, the bank is fully liable and they are not legally allowed to place it on a persons credit file.   No clean up required, they screwed up, their problem.

Address the easy credit trend -   You mess up someones credit, you become liable to clean it all up.  I'm not talking offering free credit monitoring services. 

I'm talking "you take charge". the victim doesn't have to do anything, you clean up the entire mess and have all traces of the mess you contributed towards sanitized.  And, you also have to pay a significant penalty to the victim.   If this becomes law, no banks would hand out credit applications in waiting lines.  

Isn't that a good thing...  as a society don't we actually all want this? 

Now in Canada, we only have two handfuls of banks to deal with, so putting laws or regulations in place that would row the boat in these directions is actually very attainable.  No single bank is going to do it, because they all love handing out credit cards to anyone who wants one.  It is their business model because it is allowed.  Change the rules, and all the banks have to adapt their business model.  

Some of these things the banks would benefit from, for instance enhanced authentication and autorisation for large transactions would reduce losses (fraud).  Anyone looking at the big picture and looking at long term goals is going to love having these discussions.  

The problem is we are plagued by many senior position individuals who favour short term goals because their short term bottom line is directly impacted. 

Keep giving out bonuses based on short term objectives....  and you will continue to get these terrible results. 

As a society, we are the problem.  We tolerate things that clearly should not be tolerated.  We will flip out if someone messes up our fries at McDonalds, but sit idle for items of significantly more importance.

So one last thing -   Personal liability to senior executives when the enterprise they manage is negligent.  This is a complex one that lawyers will absolutely love.  But who cares how complexe it is if it sets the bar higher than what it is today.  

Realize that today, a CEO making 20 million in salary does not actually care all that much.  When large penalties are imposed, it is the shareholders that take the hit.  Two months later, the share price has re-stabilized and business goes on.  On a very very rare occasion, the CEO gets swapped out but still gets a golden parachute and life is actually awesome because after a few weeks in the Bahamas, they move on to the next gig and don't even have to clean up the previous mess. 

Start taking money out of the pockets of the senior executives and watch how fast things change and security gets placed on the short list.  

We as a society do not seem to realize the sad joke when banks call us their clients.  We are an ingredient in a money making scheme, very far from what the essence of the title "client" is meant to mean.  Even Equifax refers to us as their clients when it is absurdly clear that we are their product!

We must stop trying to address the symptoms and start tackling the root causes.   If we do this, DOB and SIN numbers become worthless.  And that would be a great win since they have all been leaked so many times.  

The leaks will also continue since we cannot possibly secure all the places that this information resides.  We don't even know all the places that "hold" our sensitive data.  And there will always be legitimate users that can access our data, and if they choose to act criminally, they can.

Lets start putting pressure on our governments to take concrete actions to change our current posture, which is in dire need of a chiropractic adjustment.


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Wednesday, July 31, 2019

Planes are in danger ! Not this false news again.... U.S. Issues Hacking Security Alert for Small Planes

U.S. Issues Hacking Security Alert for Small Planes

Attention all shoppers.  A plane left unattended can be sabotaged!  

Hide your children, the Germans are coming!

These stories are such bullshit!

Sure... someone could develop an attack that involves flashing the memory of my Garmin 430.  Aside from the fact that it takes a special dongle, is a royal pain in the ass to do legitimately, takes a seriously long time when you are waiting under the cover of the night trying not to get caught..... and since you would have to do it to many many planes for this to become an overnight issue.......not really likely unless you're part of a "dumb" terrorist group.

Keep in mind that if one such event happens it would spark an entire investigation and countermeasures would be dictated.

Even if you are trying to off your ex-wife it would be an extremely complexe endeavour with seriously uncertain outcomes mostly falling back to you going to jail to enjoy a stainless steal potty.

Lets look at the countermeasures in place.

As I mentioned many times, planes (especially small ones) have a nervous pilot sitting in that seat that is constantly checking numerous instruments and mentally correlating data from numerous sources, looking for.... you guessed it....anomalies!  Pilots also perform preflight checks:  Brake lines=dry (check),  oil level=check, avionics=check, altimeter calibration=check....

Second countermeasure lies in the hands of our dear friends at ATC (Air Traffic Control) who would let you know.... trust me.... if you are off track or at the wrong altitude.  

Third risk reduction factor goes back to the pilot, who looks out the windows.  If your flight computer (for lack of a better term) tells you that you are at 5500 feet and your physical altimeter indicates 1000 feet....  you would notice.  Same goes for when you glance out the window.

Novices will argue that the attacker could also hack the physical altimeter, which simply indicates they have no clue how one works since making the readings match on both the physical altimeter and the flight computer simply is not attainable without swapping the entire unit out which involves partial disassembly of the planes dashboard and a replacement that would have to communicate with the onboard basically not achievable. 

Also most pilots of small planes use a flight application like ForeFlight on their iPads... well guess what.... the iPad also indicates your altitude and the screen turns red when the terrain becomes dangerously low.

So all in all, this news story is meant to grab headlines, but is mostly meaningless.

Where it is not meaningless is for the security industry.  We (along with the aviation industry) must continuously stay alert and be aware of these short comings and ensure that they do not translate into "safety" issues.  Doing research like this helps understand the complex interactions between aviation systems and helps build roadmaps for better technology.

That is the big difference between news articles and real life.  Does it really matter in context?

In the aviation world, security issues are common, however mitigation mechanisms exists to bring these risks to acceptable levels and in ensuring they do not become "safety" issues.  

In the business world for many cases this is true, and in equally many cases, this is not true.  Because business is about making money not safety.

In the aviation world, aside from a clear screw up by the FAA & Boeing with their questionnable certification of the 737 MAX 8, safety remains paramount and all involve do a superb job at keeping passengers and pilots "safe". 

Cyber Security as a whole can learn a lot from the aviation industry in that respect.

So to my nervous friends who thinks little planes will start falling out of the sky... relax....  it just isn't going to happen.

My airplane is parked at a low security field near Montreal.  I have absolutely ZERO stress about my avionics safety even with my frequent speeches about how powerful people are failing society.

News like this, one week before the worlds largest security conferences, reminds me of the year that someone reported that planes had been hacked to fly sideways.   Yes, folks the laws of physiques can be hacked (just kidding....).  Always be cautious and curious about news headlines as they rarely reflect true facts.

To any curious security friends, please join me at the DefCon Aviation Village next week where we can have a long discussion about context and safety in aviation.

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Tuesday, July 9, 2019

Desjardins part deux: Wow.... do we actually want to fix this problem?

We are not scoring high on the smart scale this month.  

On the right track ?   Sadly... no...

The problem is that banks practically hand out credit blindly and senior executives have ZERO accountability or personal liability when they screw up your credit file.  They then team up with their "buddies" at the credit bureau to make you feel like they are helping you while you are left with a nightmare to solve that can take years.


New laws fall from the sky, always missing the point.  New York, now has a new disclosure law that is aiming to ensure that we are told when our data is breached.  But what about when our data is used ?  Nothing yet.  We are way too busy making ourselves look good because we are putting in very strict laws to tell you when your data has walked out the door.  Silly data.  Data that has walked out repeatedly over time.  

Hey, heads up, it is too late.

When your information is used to create ANY form of credit application, you should be advised.

And when a bank gives credit to the wrong "you", you should be fully protected.

Since big banks have all the power, you, the "customer" have no such protection nor will you anytime soon.  

The banks have all power, and they have the last say.  They also really want to hand out credit because well... they are kinda loan sharkish, and sharks like fresh meat.

Every bank to ever exist...

So it is totally normal for banks to hand out credit cards and loans like cotton candy at a county fair.

How crazy is this:  Credit applications handed out while you wait in line to pay at a department store.  Offering you (or anyone who says they are you) instant credit and a generous 10% discount on all todays purchases if you sign up for a new credit card that will be approved on the spot ! How is this legal...

And, lets face it, someone who is hired to get credit applications filled out and whose salary is directly attached to how many credit applications they push out.... is most certainly the highest quality of authentication. 

The fact is these credit applications all rely on using identification data, never really authenticating the person since our current credit system has no digital ID or other modern means to do so.  So, granting someone credit is easy, charging their current purchases to this new credit card is common, and out the door they go because the banks do not care, and will not be held liable past the fraudulent transactions.   Two weeks later, the real person gets their new credit card along with a welcome letter and a $3000 bill for things they never bought and they are left with a near impossible task.... clearing their credit file of this mess, and not paying the $3000....which can take a very very long time.

Desjardins pointed 2.7 million souls to a disfunctional service called Equifax who predictably failed.  In the meantime, no one thought it would be a good idea to freeze the credit files for all 2.7 million until they figure this out.  Once again, push the problem down the road.

Equifax is a "for profit" organisation.  So are banks.  They shouldn't be trusted with the information they have.  And all this is done unwillingly by citizens since the banks send all your sensitive information to these credit bureau's.  

So in short, as far as crisis management goes, it was written in stone that this wouldn't work, but crisis management calls for a Teflon™ approach and someone needs to appear to be doing something.

Well, big surprise, what is being done remains mostly wrong in the long run.

The difference between a cybersecurity professional and a Good cybersecurity professional is root cause analysis combined with taking actions that actually reduce the risk.  Not security theatre, or putting in place yet more alerting mechanisms when your data is exposed.  We know... that ship has sailed... repeatedly.

Society has all their panties in a bunch over a trusted employee leaving with what is essentially a client list.  This happens way more than you think.

Yes, this is terrible news.  Yes Desjardins shouldn't allow people to export entire segments of databases that include entire birthdays and entire social insurance numbers.....

But.....  we shouldn't rely on these meaningless artefacts that date back to the Cold War in order to award credit unless the issuer is willing to take full responsibility.

News agencies are hitting Desjardins again with news that another employee defrauded Desjardins of over $300,000.  This is almost business as usual for a bank.  Most banks fire someone every week because they did something unacceptable.  This doesn't mean they lose $300,000 every week, this case alone was spread over 8 years.  Employees who abuse their power in banks is way more common than most think.  It also has nothing to do with data exposure, so why are news agencies riding the bus and hitting Desjardins yet again with meaningless news stories.  Just to try and make them look bad?   All banks have this issue.  And while they are writing about this, they are not actually putting pressure on the right things.

So back to identity theft...

The reason this is so grave is directly attached to the fact that WHEN you get your identity stolen (used), you are left with a mess and no means to fix it without grave consequences and a task worst than assembling an IKEA kitchen in a dark room with no instructions and your wife and three kids asking "is it done yet" every 5 minutes.  

The problem is two fold.

#1 We have no concrete, modern and secure way of attaching obtained credit to a biological human being.

#2 We have no way to clean up the mess that is caused when someone creates falsified credit under your name (and this shouldn't happen in the first place).

Make banks accountable.  Make senior management accountable.

Accountable = penalties payed out of their pockets, not the share holders.

So I really wish we would stop referring to us as the banks clients, since we are not, and we simply pawns used as leverage to play a financial game for them.

I would ask our current government to make drastic changes to our banking regulations.  I would ask the privacy commissionner to be right behind this:

If ANY credit institution grants credit to someone who is not me and puts it on my file, they should be held FULLY liable and I should not only get my entire credit profile cleaned up, I should get a huge check in compensation for their error, and while we are at it, they should be fined significant penalties directly to their senior management, not the share holders.

Lets face it, ALL traded companies are in it for the cash, and ALL of management is focused on short term gains with short term objectives and short term bonus structures that work directly against protecting your credit.

HIPAA applied in US health care is a gold mine of wisdom in this area.  They wrote the law expecting people to lie and built in the penalties based on your level of competence versus honesty.

Three scales are applied when it comes to penalties (which can include jail time for executives).

Level 1:  You had no way of knowing (yes, you still get a fine)

Level 2:  You should have known if you did your job with reasonable competency (bigger fine).

Level 3:  You knew and didn't take action, or worst, you clearly covered it up, etc. (huge fine and potential jail time)

They wrote it right into the law !

So what gives with our privacy laws.

We need banks to take responsibilities for their interactions with their credit bureau's because these bureau's certainly are not "our" credit bureau's.

So here is the call to arms that we should all be forcing our government to impose in reverse order of importance:

3) Better digital ID (blockchain enabled, with mechanisms to prevent oppression, etc.)

2) Replacement of "for profit" enabled credit bureau's (an obvious and complete failure as it stands today)

1) Severe penalties including personal liabilities for senior management (including criminal penalties targeting executives when willfully blindness is in play) for any screw up to a persons credit file, including imposed clean up of such screw ups without the citizen having to suffer for months or years.

So dear media, dear government, and dear privacy commissioner, stop talking about Desjardins and their evil malicious employee (they got the memo), start talking about the real issues and start addressing them.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Wednesday, June 26, 2019

Desjardins: We are all missing the train.

The last week has been an interesting one from a socio-psychological angle.

I am very pleased with the lessons to be learned from this security event, and I can state firmly that the next classes I teach, and the next conferences I speak at, will include some of these juicy tidbits.

After the first round of press releases, news articles and "interviewed specialists" I can firmly say that we are missing the big picture.

Only a few hours after the week started, class action lawsuits already surfaced claiming 8 billion dollars in damages for the Desjardins members.

This is totally absurd.  It would be nice if everyone involved including the high quality bottom feeding lawyers would wait for the corpse to be carried out before circling above like a vulture tasting blood which will never drip out.

Desjardins was a victim of our failing government.  A government that focuses on doing what is popular and what gets them votes and keeps their "sponsors" sponsoring.

You read that right.

In 2019, birthdates and social insurance numbers are still the central nervous system used to buy property, mortgage a house, get a loan, or get a credit card.

This is a complete failure to understand security and understand risk.

We, as a society, allow government and banks to pawn off our most vital information to companies like Equifax without our consent yet when we consent to give our information to a bank, we take offense if an employee leaves with our birthdate.

Sure, Desjardins needs to review how they let staff extract data.  Why for example would a marketing person need your full birthdate.  Why not just a year, or a range of ages.  So certainly some things can be optimized IN ALL BANKS.  So before we raise or voices with Desjardins, remember that this can happen to any bank and any company.

The big picture remains that our financial ecosystem relies on a VERY broken system of authentication that leaves the citizen scrambling when something goes wrong.  

The system offers NO protection for the innocent, and the innocent must live with the painful consequences when something goes wrong with no wrong doings from their part.  Once their identities have been used to create false loans or mortgages, they live the nightmare with no support.  Unless they subscribe to a credit monitoring and alerting service from lets say... Equifax.  How insulting.  How completely absurd that we allow an entire ecosystem to milk us and treat us like this.  How absurd that the banks hold hands in supporting this sick ecosystem.

This should not be acceptable.

Equifax should not exist.  Minimally, it should be a government run service.  

Now I am chocking as I write this.  Saying the government should take charge of something is rarely my pitch.  Because to be frank, the government always runs things so well ;-)

In this case, the government should not only abolish Equifax and take charge of the credit bureau, but they should actually walk into the 21st century and put in place a digital ID.  They should replace the dependency on birthdates and social insurance numbers since these pieces of information have been leaked and exposed for decades.  Banks use your social insurance number as a primary index key in a slew of their systems because it was convenient 30 years ago when the systems came to life.  In other words, this piece of information is all over the place.

People even post their birthdates on Facebook for all there thousands of friends to see.  And by friends I also include scrapper bots from Russia and China that harvest everything you drop.

So what should be a digital ID.  Simple, a smart card that could include a digital certificate, be fully authenticated when produced (like when you get your passport created), include digital magic like your drivers license and medicare card on the same piece of plastic, and provide vetted identification when opening a bank account, when mortgaging your house, when contracting a loan.

Now do the banks want this..... actually probably not.   It is much easier to have a marketing group signing off new credit card applications in convention center lobbies or airport lounges and relying on paper applications that fall from the sky.

So who wants this?   The citizens want this.  Because it makes sense.

The question remains, why is our birthdate and social insurance number still a critical asset, and what are we going to do about it?


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Friday, June 21, 2019

Desjardins: Round two - The truth comes out, do banks really care?

This Friday post is all about commitment.  

I'm going to float an idea and commit to it for the next 72 hours.

FIRM STATEMENT:  The Desjardins data exposure was not performed by IT staff.

Lets review some facts.

  • The CEO stated clearly that he felt completely violated.  He didn't use words that sound more appalled, but used words that really showed he was vigorously violated. 
  • He states without doubt that the information is not for sale on the Dark Web....
  • He states without doubt that passwords, PIN numbers and secret questions have not been exposed...
  • And he stated that this was all performed by an EX employee.
  • The LAVAL police is investigating and not the Provincial Police....
  • The plot thickens....


So here is my stab at the million dollar question:  Who did it.

Someone trusted by the enterprise, working in a department that could obtain this information.  To summarize, names and addresses, birthdates, social insurance numbers, purchasing habits and which products you have with Desjardins.

The social insurance number is often the unique database key used to represent the person, so this piece may even be irrelevant and is irrelevant for my scenario.

So someone trusted who worked with this type of information and someone we fired a few months ago.  So if we fired him, he must have done something wrong, perhaps he had already been loose with the data.

And when banks fire someone they have them sign an agreement that both parties do not talk about each other, and both parties move on.  Hence the reason why Desjardins is not naming him at this point.

So enter round two....   The now unemployed person (who kept a ton of sensitive information even though he declared in his exit interview that he would retain no such data), is now sitting at home starting a new business with this stolen data.  Perhaps something that could be used in conjunction with the type of data collected.   Purchasing habits, banking and insurance adherence data.  

Perhaps this not too wise person approached various people to leverage the data in some way, and eventually someone ratted them out.

This then becomes a breach of contract based on the employee having promised not to keep or use Desjardins data after they got themselves terminated.

It all makes sense with these variables.

Bottom line, Desjardins did not have controls in place to allow for the detection and the accumulation of vaste quantities of data and never knew that their data had left the building.  Or did they..... "but he promised he deleted it".

Wouldn't this scenario make you as the CEO feel violated.

After all, someone you paid to do a job didn't respect you or your semi-binding agreements and now you are faced with the angry public and the ever so inquisitive press.


When someone internally defrauds a bank, the bank is much more stressed about their reputation than the wrong that was done to them.

So if John (taken from a true fraud case I worked) defrauds the bank for $500,000, the banks gets John to sign an agreement, that John is fired and neither party talks about each other going forward and the bank doesn't owe John anything, etc.

So John, crosses the street and goes to work at the next bank and performs the same types of malicious actions, but this time... he does it even better based on the lessons learnt from his first dismissal.... or was it really his first....

Banks need to start pressing charges and publicly exposing these people so that they do not go on to the next victims.

Banks do not care about the big picture or the citizens, they care about their clients perception.

So back to Desjardins, they probably fired him because he was accessing systems without cause and he was exhibiting behaviour that violated policies, or he literally access tons of data and got caught months ago.  Then he promisses to not keep any data, and now we all know why the CEO feels violated.

Desjardins and Equiflop

Initially, Desjardins offered 1 year of credit monitoring but you had to agree to the disclaimer, which was the same disclaimer Equifax tried to push down peoples throats last year.  ** If you agree to the free credit monitoring service you agree not to sue us.

Maybe someone is reading my blog, because they moved the 1 year up to 5 now, and someone seems to have removed the disclaimer.  Guess we will see when the physical letter gets mailed out next week.

Banks, please commit to being a better digital citizen.  Impose strict rules, AND enforced strict penalties.  Don't let your shit employees go to work somewhere else doing the same thing they did to you.  I know your lawyers disagree, maybe they are part of the problem.

Happy long weekend to all my friends in Quebec, and remember the old security moto:



Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Thursday, June 20, 2019

When the banks drop the ball - Desjardins leaks all their clients data.

CBC NEWS - Personal data of 2.9 million people leaked from Desjardins

Often, so many things are wrong with these press releases that it is easy for me to critique them and sometimes laugh.  In fact it is almost a guilty pleasure for me.

The news headlines state that 2.9 million Desjardins clients have been exposed.  
It should simply say that all Desjardins clients have been exposed and remove the ambiguity since that is the actual fact.

Why is the number important?  It is not.  Desjardins is the biggest credit union type bank in North American, and a subset of all their client data has left the building.   This could happen to ANY bank, so I am not getting on the bandwagon that Desjardins did or does a poor job.  This is far from the truth as they are often a reference in cybersecurity practices.  Like everyone, they have weaknesses the can sometimes be leveraged.  A malicious employee is near impossible to totally contain.   But I can still poke fun at the news articles....

So... they also use the word SHARE, as in a former employee shared the data.  Who the hell did they share the data with!  They stole the data.  Stop using soft words that make it sound like they hit the wrong button on Facebook!  Also, at this point, it isn't someone they fired, I hope it is someone they are pushing for criminal charges for.

A big piece remains, I fail to see anything in these articles that tell the consumer what to expect as far as repercussions down the road.  I don't want to steal the punchline from them, but you may end up owning a mortgage or a credit card that you never asked for ;-)

Data Loss Prevention (DLP)

Enterprises are constantly faced with the desire to deploy a DLP.  In fact, since the cybersecurity industry has an acronym for it, this means that it is a big problem, and big money is involved.

Not a week goes by that someone isn't talking to me about deploying the latest and greatest DLP solution.

The fact is, these solutions reduce risks involving accidental exposure but hardly make a dent in someone internal wanting to actually steal your data.  These solutions rely on many factors and ingredients to yield benefits and almost every enterprise I visit is missing most of the required ingredients for a DLP project to be a success.

Now take Desjardins.  They are big (by Canadian standards), and they invest significant sums in everything relating to security.  They don't a a security person, they have security teams (with an S).

When a rogue technology person decides to pain outside of the lines, you are in for an enlightening and embarrassing experience.

In this case, it was not Desjardins that realized they had been violated.... the cops called Desjardins to tell them they had been had.  This is an upgrade from the more common scenario when a television crew or journalist calls you and tells you the bad news, so maybe this part is a positive.    However it is more of a negative for one simple reason, if the police are involved, chances are it is a much bigger deal than when a journalist calls you.  

You see, journalists call you when someone blows the whistle.  This someone generally isn't malicious, they just want something to change.  When the police call you..... well... you do the math.

Now Desjardins is falling into the trap that many fall into and they are trying to tell the public not to panic since PIN numbers, credit card numbers, and secret questions have not been exposed.

First of all, they cannot possibly know this with 100% certainty, but lets continue....

So all the information they have on their client, all the information that can expire and be changed... that information is secure.

However, all the information that you will die with such as your birthdate & Social Insurance Number... that was stolen.

But rest assured, we are working with Equifax, a household name in extremely mature and well rounded cybersecurity practices. That last part is sarcasm, so no hate mail please.  I wrote a series of blogs posts on Equifax and their subpar security (example:  HERE)

Equifax will provide 1 year of identity theft protection payed for by Desjardins! 

Wow.... we are still going with that?

The AMF ( says that they are happy with the approach that Desjardins is taking in resolving this matter.

Well, AMF.... and my many friends at the AMF.  In my opinion, you are falling short of your duty.

And once again, privacy commissioner of Canada, you are also at the precipice of failure.

You see, large corporations who end up having LARGE security exposures that can screw the lives of millions should own up to the magnitude of the issue.

This means that they should dedicate staff to operating an identity theft service and provide this service until you die since the information that was stolen cannot be changed and you will remain at risk of identity theft until you are dead.  In fact, some might argue that the risk may continue sometime afterwards ;-)

So why offer only one year of "oversight"... simple ... that is how long it takes for people to forget about the issue.  The general public should be made aware however, that identity theft can happen years down the road.

Also.... all the experts being interviewed so far are missing this one important fact....the information stolen included non matching data types.   What the hell is my purchasing history doing anywhere near my social insurance number and birthdate!  What the hell is going on at Desjardins.... will someone investigate this???  ZZzzzzz

When I go to negotiate a new mortgage, does the financial advisor "see" that I buy a lot of flowers ?

Can they then conclude that I apologize a lot to my wife hence the flowers !

Can they conclude that ANYONE who has to apologize three times a month by giving flowers MUST be a higher credit risk...

you get the picture....

As usual, these breaches end up opening the floor to more questions.. many many more questions.

So in closing, to the many enterprises that I have crossed and to all the enterprises that I will cross who have the attitude that their IT is the best, that they have no security exposures, that they are golden in this area... I leave you this thought to ponder:  Desjardins is at the top of the ladder and invests millions in a variety of security controls including non heterogeneous security teams... and they just got screwed over by an employee.  Sure you're 100% safe because your vaste experience in another unrelated domain tells you to feel that way.

Just like an anti-vaxer who reads a few facebook posts and will argue with a triple doctorat with 30 years of research under their belt.

Go in peace my friends and be realistic about your shortcomings and expectations. 

As for Desjardins, they remain a top bank, with top notch people and services.  Be cautious before throwing the first stone since any bank can be victim to this type of attack.  Just try and not keep all your data in a single bucket ;-)


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Disposerons-nous un jour d'une carte d'identité numérique provinciale qui sécurise réellement vos opérations bancaires ?

  J'ai fait une entrevue ce matin sur QUB Radio basée sur un article du Journal de Montréal qui a été publié aujourd'hui et qui disc...