Canadian banks look to in house hackers to improve and test cybersecurity

Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques, but the bank’s head of cybersecurity isn’t losing sleep over them — they work for him, after all.

The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security on the owners’ behalf — who conduct live attacks against its own networks continuously, said Alex Lovinger, TD Bank’s vice-president of cyber threat management.

“We’re doing it exactly how our adversaries would do it… So if we find a weakness or something like that, we can close it or address it before a real attacker,” he said.

Canada’s biggest banks are fortifying their defences by hiring their own ethical hackers to test their systems as the frequency and sophistication of cyberthreats increases.

A Senate report last month entitled “cyber.assault: It should keep you up at night” sounded the alarm about the potential consequences of major cyberattacks in Canada.

“While some progress has been made federally in the past year, there is much more that the federal government and Canadians must do to protect ourselves,” said the report of the Standing Senate Committee on Banking, Trade and Commerce. “We must take the appropriate steps now, or soon we will all be victims.”

Bank of Canada governor Stephen Poloz has also raised concerns about a cyberattack.

In 2017, 21 per cent of Canadian businesses reported that they were impacted by a cyber security incident which affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47 per cent, followed by universities and the pipeline transportation subsector, according to the agency.

New regulations that require Canadian businesses to alert their customers about privacy breaches or face hefty fines took effect at the beginning of this month.

In May, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial digital banking brand said thousands of their customers may have had their personal and financial data compromised.

BMO said hackers contacted the bank claiming to be in possession of the personal data of fewer than 50,000 customers, and that the attack originated outside of Canada. At the same time, Simplii also warned that “fraudsters” may have accessed certain personal and account information for about 40,000 clients.

BMO’s chief executive Darryl White said he could not comment on the details of the privacy breach, as an ongoing investigation is underway, but noted there was a “very immaterial impact from a fraud perspective” and no material financial fallout.

“We are a lot smarter as every event goes on. And there are events every day, there are events every hour of every day… It’s a continual improvement exercise,” White told reporters after the bank’s recent investor day.

Meanwhile, BMO is also turning to in-house ethical hackers to test its systems. According to a recent job posting, BMO is seeking a senior manager with a certification in ethical hacking and whose responsibilities include managing a team of “network penetration testing” specialists.

CIBC did not respond to questions about whether it utilizes ethical hackers.

“We leverage internal and external expertise, and work closely with industry and government to enhance cyber security resilience, threat intelligence and best practices,” a spokeswoman said in a statement.

Alberta-based bank ATB Financial in a recent job post said it was recruiting a “Senior Penetration Tester” with ethical hacking experience. An ATB spokeswoman said the posting is to fill a recently vacated role.

The Bank of Nova Scotia also established its own in-house “red team” of hackers to test its defences, said its chief information security officer Steve Hawkins.

“Scotiabank has used and continues to use third-parties to handle this penetration testing. However, because the volume of global cyber threats has significantly risen, the Bank wanted to have its own capabilities in-house and created its own red team this year,” he said.

With the string of data breaches in recent years, what does worry TD’s Lovinger is the cumulative amount of data that has been exposed.

“Hackers now sit on a wealth of information… That they can now leverage to do more targeted attacks,” he said.

Royal Bank of Canada has had in-house ethical hacking capabilities for a few years now, as part of its cybersecurity program, said Adam Evans, the bank’s vice-president of cyber operations and chief information officer.

“We want to make sure that we are testing our defences to make sure they stay relevant,” he said.

RBC has been upping its cybersecurity budget and adding to its team annually. It now has roughly 400 cybersecurity professionals, up 50 per cent from three years ago, but a talent gap looms, Evans said.

Demand for talent in Canada is climbing by seven per cent annually and there will be more than 5,000 roles to fill between 2018 and 2021, according to Deloitte. By 2022, the cybersecurity workforce gap is expected to reach 1.8 million, it said.

As of October, there were 1,024 cybersecurity vacancies for every million Canadian job postings, up five per cent over the past year, according to Indeed Canada. That’s up 73 per cent since the beginning of 2015, said Brendon Bernard, an economist for the job search platform.

Meanwhile, several Canadian banks have made recent investments in research or capabilities abroad or in universities at home to tap cybersecurity talent. For example, TD opened a cybersecurity-focused office in Tel Aviv, Scotiabank announced a partnership with an Israeli cybersecurity company and RBC made an investment in research at Ben-Gurion University.

“With the talent gap in cyber, it’s something that organizations are going to have to address,” said Evans. “Because there is just not enough qualified people out there.”

Privacy concerns over credit card use for legal online pot purchases

Canada’s privacy commissioner is planning to issue guidance for buyers and sellers of legal cannabis amid ongoing concern about potential fallout, such as being barred from the United States, if transactions become known by third parties.

The concern has been heightened in provinces where anonymously paying cash in-store is not possible in light of a controversial Statistics Canada initiative to obtain detailed bank records from all Canadians.

“Our office recognizes the sensitive nature of cannabis-related transactions, particularly if information about those transactions is processed in a jurisdiction where cannabis consumption is not legal,” said Tobi Cohen, a spokeswoman for the federal privacy commissioner. “Organizations need to make it plain to individuals that their information may be processed in a foreign country, and that it may be accessible to law enforcement and national security authorities of that jurisdiction.”

British Columbia has already issued its own guidance and privacy-protection tips. For example, it notes that online sellers collect personal information such as name, date of birth, home address, credit card number, purchase history and email address.

“Providing personal information, especially through online formats, creates additional security risks,” the document by B.C.’s privacy commissioner notes. “Cannabis is illegal in most jurisdictions outside of Canada; the personal information of cannabis users is therefore very sensitive.”

Legal online purchases across Canada show up on bank statements in a variety of ways, depending on the retailer.

In Manitoba, for example, an order from the outlet Delta 9 shows up as “D9-2 -8675309 Winnipeg MB,” while purchases in British Columbia appear as “BCS Online Vancouver.” Those in Nova Scotia are recorded as coming from the provincial liquor corporation: “NSLC #2098/e-commerce Halifax.” Similarly, in Newfoundland and Labrador, orders register as NLC #700 St. John’s N.L.

In Ontario, where the only way to buy marijuana legally is online through the Ontario Cannabis Store using a credit card, transactions show up as “OCS/SOC.”

Jesse, 39, of Toronto, who’s in marketing and who asked his last name not be used, said he has mixed feelings about “OCS/SOC” appearing on his credit-card statement.

“I’m not crazy about being potentially profiled at the U.S. border because of a purchase that’s thrown up in my credit history,” Jesse said. “At the same time, I’m not losing sleep over it because there’s no precedent (for that) yet.”

In the pre-legal era, online outlets usually masked credit-card purchases, perhaps by using a generic notation such as “Organics,” and some still do so now. However, a spokeswoman for the Ontario Cannabis Store said such an approach doesn’t fly.

“As a legal business operating in Ontario, it is required that we operate with transparency,” Amanda Winton said. “This includes using our registered business name for payment services.”

Ontario’s privacy commissioner, Brian Beamish, said his office recommends redacting sensitive information in a case where, for example, a landlord might ask a prospective tenant for a credit card statement. Beamish also said a generic name used to record cannabis transactions could become widely known.

“The key issue here is the protection of bank information, whether it’s related to legal cannabis transactions or any other personal banking decision,” Beamish said.

Troy Patterson, who works with a licensed cannabis producer in Kincardine, Ont., said pot is legal and he wasn’t particularly worried about purchases showing up on credit card or similar statements.

“Now, if that info were to be weaponized against people, say for insurance or other purposes, that would be a huge issue,” Patterson said.

Feds take aim at terrorist use of cryptocurrencies, prepaid cards

By Jim Bronskill

THE CANADIAN PRESS

OTTAWA - The federal government is proposing measures that take aim at shadowy payments made by terrorists and money launderers using virtual currencies and prepaid credit cards.

The planned regulations would help close loopholes in Canada’s anti-money laundering regime and address shortcomings pointed out by an international watchdog.

Virtual currencies, such as Bitcoin, are increasingly being used to commit fraud and cybercrime and to buy illicit goods and services in the darker corners of the internet, notes a federal summary accompanying the proposed changes.

“They allow for the rapid transfer of funds within or across borders, oftentimes without any intermediary, are generally characterized by non-face-to-face customer relationships, and can circumvent the physical ‘brick and mortar’ financial system entirely.”

The measures would impose new reporting obligations on people and businesses dealing in such cryptocurrencies.

Like more traditional money service businesses, they would have to register with Fintrac, Canada’s anti-money laundering agency, as well as keep track of virtual currency transactions of $10,000 or more.

Prepaid credit cards can be abused because it is difficult to trace the origins of money loaded to them, the government says.

Under the changes, prepaid cards would be treated like bank accounts, meaning issuers would need to verify the card purchaser’s identity, keep records and report any suspicious dealings.

The measures would not apply to gift cards tied to specific retailers or shopping centres.

The planned changes represent an attempt by regulators to keep up with the dawn of new financial technologies to deliver services more conveniently.

“While providing benefits to consumers, the new business models can complicate monitoring as well as make it more difficult for authorities to follow the money trail,” the federal summary says.

The overall goal is to ensure banks, money service businesses and others who provide access to the financial system know their customers and keep good records, the summary adds.

“Such information could assist in the investigation, apprehension and prosecution of money launderers and terrorist financiers.”

The proposals come as the RCMP makes the fight against money laundering “a key strategic priority” for its federal policing branch by “elevating the priority” of the crime, according to an internal memo released under the Access to Information Act.

Other proposed changes would:

- Require foreign money service businesses to report suspicious transactions to Fintrac, ensuring a level playing field with domestic businesses;

- Force financial institutions to confirm the accuracy of any new ownership information about companies as it comes in, a measure intended to prevent firms from hiding the identities of their true proprietors;

- Impose stricter record-keeping and reporting requirements on the life insurance sector, which has begun issuing mortgages and loans against the amount of a policy.

The government is accepting public comment on the planned measures until early September.

Bank breaches highlight rise of cyber threats as new exploitation strategies emerge

Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.

Attacks against BMO and CIBC-owned Simplii, which compromised the information of up to a combined 90,000 Canadians and were made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.

CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.

The banks would not confirm the CBC report Tuesday. BMO said only that a “threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.

Both banks said they took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.

The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.

Recent examples include a failed attempt at Uber to pay off hackers, only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.

Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.

The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.

“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”

However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties, which makes it harder for companies to set up defensive plans, said Kabilan.

“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”

Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.

“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”

BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.

Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.

Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.

“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”

The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.

“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”

BMO and CIBC’s Simplii warn fraudsters may have accessed clients’ data

Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.

The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.

“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” said spokesman Paul Gammal in an emailed statement Monday, May 28, 2018.

“A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” he said.

The bank said it believes the attack originated outside Canada, but did not elaborate on the type of data the hackers accessed.

Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.

The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.

Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.

Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they were affected.

Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.

International probe shuts down cyberattack provider

By Mike Corder

THE ASSOCIATED PRESS

THE HAGUE, Netherlands - In a major hit against cybercriminals, an international police operation has taken down what investigators called the world’s biggest provider of potentially crippling Distributed Denial of Service attacks.

On Wednesday, police hailed the success of the operation, saying that a joint investigation led by Dutch and British experts and supported by European Union police agency Europol led to the arrest on Tuesday of the administrators of the website webstresser.org.

Europol said webstresser.org had more than 136,000 registered users and racked up 4 million attacks on banks, governments, police forces and the gaming industry. Distributed Denial of Service, or DDoS, attacks attempt to make online services unavailable by overwhelming them with traffic from multiple sources.

“It used to be that in order to launch a DDoS attack, one had to be pretty well versed in internet technology,” Europol said in a statement. “That is no longer the case.”

The agency said that registered users could pay a fee of as little as 15 euros ($18) per month to rent its services and launch cyberattacks.

Administrators of the service were arrested Tuesday in Britain, Croatia, Canada and Serbia, Europol said. The illegal service was shut down and computers and other infrastructure seized in the Netherlands, the United States and Germany.

Croatian police said that a 19-year-old Croat, whom they described as the owner of webstresser.org, was detained on charges of “serious criminal acts against computer systems, programs and data” that carry a possible sentence of one to eight years in prison.

Gert Ras, head of the Dutch police’s High Tech Crime unit, said the operation should send a clear warning to users of websites like webstresser.

“Don’t do it,” Ras said. “By tracking down the DDoS service you use, we strip you of your anonymity, hand you a criminal record and put your victims in a position to claim back damages from you.”
