Hacking attacks at BMO and CIBC's Simplii highlight why cybersecurity cannot be a patchwork job: Don Pittis - Action News

News that fraudsters had broken through security at two of Canada's biggest banks and were threatening to release the account information of 90,000 Canadians is somewhat like an old-fashioned bank robbery. But in our digital age, it is many times worse.

Complex passwords and PINs are no substitute for building a more secure banking system

The Toronto trading floor of the Bank of Montreal is shown. Billions of dollars flow across these screens, but all the cash, in bits and bytes, depends on a secure banking system. (Mark Blinch/Reuters)

News that fraudsters had broken through security at two of Canada's biggest banks and were threatening to release the account information of 90,000 Canadians is somewhat like an old-fashioned bank robbery, only in our digital age it is many times worse.

Except for a few bills in your wallet and the odd coin tucked away in a safety deposit box, almost every nickel you possess, and every nickel you owe, is nothing more than digits in a computer.

For most, those digits are kept by our banks, and the recent attacks show those digits are not always kept safe.

The fact that two of Canada's biggest banks were compromised by what appears to be foreign criminal hackers running their fingers through our digital cash and maybe even helping themselves to our personal information concerns every Canadian.

That includes our politicians, our business community and even those who worry about Canada's national security.

National security concern

Canadian bankers recognize this is a serious issue. Both of the affected banks, BMO and CIBC-owned Simplii, as well as others who weren't hit by the attacks, were quick to respond to reporters covering the security lapse.

"We will fully reimburse customers for any financial impact of unauthorized transactions," BMO confirmed yesterday.

When almost all money is digital, cybersecurity is the modern equivalent of a bank vault. (Denis Balibouse/Reuters)

That may not be enough to assuage the concerns of those affected.

Canadian banking has been a licence to print money, as profits continue to climb. Canadian banks have special rights and status in this country; their senior executives are modern-day princes.

But in the wake of a number of high-profile data breaches over the past few years, Canadians might start to question why they're receiving such rewards while failing to protect our data: If Canada's rich and powerful banks cannot afford to lead the world in digital security, how can they still afford to pay enormous salaries to their chief executives?

Victim distress

Canadians are already increasingly worried about their money.

"I'm very distressed," one victim told CBC News. "How could this happen? I barely slept last night, I'm so worried."

CBC reporters have found a list circulating online that includes microscopic detail of customers' lives, each with columns of data, including names, phone numbers, addresses, occupations, and even Air Miles accounts.

But beyond the pain of having your personal data stolen and the individual losses that may go along with that, the risk is even greater to the entire banking system and ultimately to the country's security.

The fact that our money is simply digits is nothing new.

The origin of banking, in part, was the moment when we turned our copper and silver coins over to money lenders, who would in turn let others use those deposits, keeping the numbers recorded on paper ledgers.

Our money was already digital; the only difference now is that the digits are in computers.

And just as the job of a good bank in the Wild West was to keep safe bags of cash, held in vaults away from robbers, the job of a modern bank is to keep safe those digits held in its computers.

Black vs. white hats

It is by no means an easy job. And it is not a job you do just once.

So-called black hat or malicious hackers are always getting better. And white hat or ethical hackers, including those who work for our banks, are in a constant battle to predict and fend off the next attack.

Systems that were secure 20 years ago would be child's play for today's computer whizzes. Systems that are secure today will be equally porous in the future.

BMO has pledged to fully reimburse customers for any financial impact of unauthorized transactions. But that may not be enough to assuage the concerns of those affected. (Aaron Vincent Elkaim/Canadian Press)

Attacks may be unavoidable.

But in an industry as crucial as banking, Canada's financial institutions must constantly be improving security efforts and have crack teams in place, ready to instantly respond in the event of the breach before important information is lost.

An email from the purported hackers, outlining how they used a common mathematical algorithm to access account numbers, indicates that was not the case.

A note from Simplii to its clients earlier this week urged them to "always use" a complex password or PIN. The FBI, meanwhile, is warning us to reboot our home Wi-Fi routers after a recent foreign malware attack.

Simplii, a banking brand owned by CIBC, sent out warning letters to customers.

But such warnings are not a substitute for our banks building systems that are secure against the latest cyberattacks.

According to a recent report from consulting firm Ernst & Young, a majority of companies say they know they need to spend more on security. But until companies face the public humiliation of seeing their customers' data splashed across the internet, it is likely easy for those watching the bottom line to see security as excess spending.

But repairing such damage could prove costly. There may be class-action suits. And until they feel secure, customers may choose to avoid keeping all their business at a single bank, especially one that has shown itself to be vulnerable.

Given the choice, banks would prefer to keep their security flaws hush-hush. So, in some ways, the black hats that broke into BMO and CIBC-owned Simplii did us all a favour.

Because without a strong, defensive wall around Canada's banking system, the whole country is at risk. If this is what criminal hackers can do, imagine the damage possible from paid professionals from enemy governments.

To ensure our money is safe, Canadian banks must be prepared to spend the money, and regulators, like the Bank of Canada, should be called on to help.

As Ernst & Young has warned, "at present, there is a real skill set shortage in cybersecurity."

And that is something tangible that banks can tackle, perhaps by hiring the smart kids back from Silicon Valley or by paying the white hats enough to stay home and defend Canada from foreign invaders.


Follow Don on Twitter @don_pittis