
Two Canadian banks say accounts compromised: CIBC 40,000 and BMO 50,000 - t1o5
http://www.cbc.ca/news/business/simplii-data-hack-1.4680575
======
moltar
Recently tried to log in to my PC Financial MasterCard online account and got a
“your password is too long” error. What? Right! Password length validation on
the login form!

I called CS and explained that this is impossible as I use a password manager
and it worked just not long ago. They assured me that this was always the case
and that I’m an idiot for forgetting my password.

They sent me to password reset procedure page.

The password procedure emails a plain text temporary password, which then lets
you pick a new password.

When picking a new password, I tried to enter my old password that was too
long, just for the heck of it, to see if it’d go through.

Lo and behold, the system answered that I “cannot reuse the same password as
previous 6 passwords”.

That’s banking-grade security right there.

~~~
mikeash
My bank has a password length limit of 8 characters.

Do they throw up an error? No, they _silently truncate it_.

The cherry on top is that it’s also case insensitive.

I stick with them because they’re good otherwise and they make it clear that
they take responsibility for any losses due to this nonsense. But holy crap,
“bank grade security” is definitely not a positive thing in my eyes.

~~~
p0rks
I feel the term "bank grade security" used to mean something before we were
banking online. "Bank grade security" conjures images of actually having to
physically go to your bank and then having your money stored in a vault.

Def not the case anymore.

There is no cloud, just other people's computers.

------
ResearchAtPlay
I can confirm that Scotia Bank, another major Canadian bank, does not support
2FA. This has always bothered me and is especially concerning because Canadian
bank accounts can be used to log into Canada's immigration services (CIC).
That immigration account is protected only by one more layer of self-selected
security questions, after which the intruder potentially has access to a swath
of personal data, including passport numbers, and a very detailed personal
history section.

In my opinion, Canadian banks are way overdue to switch to 2FA.

~~~
verelo
Nor does TD. They don't even do phone notifications of logins.

Ironically I signed up with one of the local credit unions in Toronto to take
advantage of a high interest savings account for a future tax debt for which I
am sitting on the cash, and found they supported SMS 2FA, and texts when
anyone (even me) logged into the account. I wish TD supported this, but then
again, as long as their money is backed by the government I don't really care
all that much.

~~~
kevin_nisbet
Actually I think TD just launched an SMS based two factor, I set it up on the
weekend (I got prompted when I logged into EasyWeb, and it's also in my
security settings). It's SMS based, and can be configured on how aggressive it
is (when you change IP/computer, or every time you log in).

I would much prefer to see a second factor like TOTP, U2F, etc as the problems
with SMS based second factor are well documented, but I'll take what I can
get.

~~~
ar0
Even TOTP is not a good 2FA system for a bank login, at least if that account
allows you to send money somewhere: TOTP codes do not differentiate by
transaction type, so if a fraudster has taken over your computer, it can wait
for you to login using TOTP and then send a wire transfer in the background
(using the same TOTP quickly enough if necessary or just asking you to log in
again, pretending your first code was wrong).

That’s why proper banks should use 2FA mechanisms that will ask the user to
confirm the transaction on a second device (e.g. photoTAN or similar).

Of course, this won’t help against attacks if both devices are compromised or
you are using the second factor device to access the system, but it’s still
better than TOTP.

And, of course, TOTP is still way better than SMS 2FA or no 2FA.

~~~
_hl_
If someone has hijacked your computer, they could simply steal your session
cookie and do whatever they want regardless of some TOTP secrets or being
quick enough. In fact at that point any 2FA becomes meaningless - it's already
game over.

Unless of course your bank does some proper, additional verification for large
volume transfers.

~~~
ar0
Of course, that's the point: with photoTAN et al. it will request a one-time
token for each wire transfer, and the token is based on the information
(amount and recipient) of the transfer, which the user needs to confirm on their
2FA device.

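The two comments above contrast a time-based code with a transaction-bound one. The following is an added example, not code from the thread or from any bank, showing both in working form: an RFC 4226/6238 HOTP/TOTP implementation, whose code depends only on the shared secret and the time window, beside a simplified transaction-bound code in the photoTAN/chipTAN style, computed over the amount, recipient and a per-transaction nonce. The secret, nonce, account identifiers and amounts are constructed for the demo. The replay branch assumes the server accepts the same TOTP twice within its window; many servers refuse a reused code, which is why the comment also mentions simply asking the user to log in again.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def totp_approve(secret: bytes, code: str, at=None) -> bool:
    # The server can only check that the code matches the window; the code
    # carries no information about which action it was meant to authorise.
    return hmac.compare_digest(totp(secret, at), code)


def transaction_code(secret: bytes, amount_cents: int, recipient: str,
                     nonce: bytes, digits: int = 8) -> str:
    """Transaction-bound code: commits to amount, recipient and a bank-issued nonce.

    Simplified model of the photoTAN/chipTAN idea (assumption: the user's second
    device displays amount and recipient and derives the code from them).
    """
    msg = b"|".join([str(amount_cents).encode(), recipient.encode(), nonce])
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def bank_approve_transfer(secret: bytes, nonce: bytes, amount_cents: int,
                          recipient: str, code: str) -> bool:
    # The bank recomputes the code for the transfer it is actually about to
    # execute, so a code produced for a different recipient or amount fails.
    expected = transaction_code(secret, amount_cents, recipient, nonce)
    return hmac.compare_digest(expected, code)


def demo():
    secret = b"constructed-shared-secret"      # constructed; provisioned to the second device
    at = 1_700_000_000                         # fixed timestamp so the demo is deterministic

    # 1. TOTP: malware on the PC reuses the code the user just typed for a
    #    wire the user never saw. The server cannot tell the difference.
    code = totp(secret, at=at)
    totp_replay_ok = totp_approve(secret, code, at=at)

    # 2. Transaction-bound: the user confirms 125.00 to CA00USER on the second
    #    device; malware swaps the recipient in the background.
    nonce = b"constructed-nonce-001"           # constructed per-transaction challenge
    user_code = transaction_code(secret, 12_500, "CA00USER", nonce)
    attacker_ok = bank_approve_transfer(secret, nonce, 12_500, "XX99ATTACKER", user_code)
    legit_ok = bank_approve_transfer(secret, nonce, 12_500, "CA00USER", user_code)

    return totp_replay_ok, attacker_ok, legit_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True)`: the replayed TOTP is accepted for the hidden transfer, while the transaction-bound code only approves the transfer whose amount and recipient the user actually confirmed. This is exactly the property the comment above attributes to photoTAN; it still does nothing if the second device is the compromised one.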
------
ficklepickle
I find CBC has a bad habit of writing corporate fluff pieces. They quote an
"expert" from SAS making some vague assurance that their security is good. SAS
is a vendor to CIBC[1], but the article fails to mention that conflict of
interest.

[1] [https://www.sas.com/en_ca/events/14/cibc-user-group/home.html](https://www.sas.com/en_ca/events/14/cibc-user-group/home.html)

~~~
zouhair
This is why CBC needs to go the BBC's road and go fully ad-free. The moment you
need ads to survive, everything starts to work around making advertisers happy.

~~~
monkeynotes
This is all good, but as a Canadian I don't want to be forced to buy a TV
license to cover the CBC's budget.

The UK essentially taxes households with a TV in order to prop up the BBC.
When I was growing up in the UK in the early 2000s we didn't watch broadcast
TV but we had a TV. A couple of times a govt license officer came over and
demanded to be let in the house to inspect our TVs. I loved how my dad stood
up to him and told him to basically fuck off.

~~~
vertex-four
They’re not Government, they’re employed by a private company contracted by
the BBC - they have no special enforcement powers. They have as much right to
be in your house as anyone else who turns up at your door i.e. none.

The whole TV licensing thing is basically based on the assumption that most
people want to follow the law most of the time, which it turns out is a true
assumption.

~~~
monkeynotes
> they have no special enforcement powers

I absolutely understand this, the problem at the time the officers were
notorious for presenting themselves as if they had a right to enter your
house. They would be particularly pushy and work on the assumption that you
were going to let them in. Myself, my father, and a friend all experienced
this; guy turns up, says he needs to come in to inspect the TV, when you
refuse to let him in says he will come back with some kind of legal paperwork
to allow him to enter, returns another day hoping someone else opens the door.

> The whole TV licensing thing is basically based on the assumption that most
> people want to follow the law most of the time

This is BS, they had infamous adverts on TV saying they would 'catch you out',
suspecting the public were stealing the airwaves.

[https://www.youtube.com/watch?v=EnnaPfAEISo](https://www.youtube.com/watch?v=EnnaPfAEISo)

[https://www.youtube.com/watch?v=1Q9CsRRhWQI](https://www.youtube.com/watch?v=1Q9CsRRhWQI)

[https://www.youtube.com/watch?v=8NmdUcmLFkw](https://www.youtube.com/watch?v=8NmdUcmLFkw)

^ Three decades of threatening the public. You tell me that those ads don't
make it look as if the officers are gov't employees and have a legal right to
inspect your home. In fact, from those ads it makes it look as if they can
tell from outside your home that you have broken the law, I am pretty
skeptical that any of that would stand up in court as conclusive evidence.

Fact is you can legitimately own a TV and not want to watch the BBC, but the
BBC insists that owning a TV is essentially the same as wanting to watch
BBCTV.

</rant>

------
bearcobra
This doesn't surprise me. My BMO credit card has a 6 character password limit.
Not minimum, limit!

~~~
xexers
Wow! That seemed so unbelievable I had to google it:

"Tangerine, much like BMO, also has a six character limit – numbers only, no
letters and no special symbols allowed."

[https://www.theglobeandmail.com/technology/digital-culture/why-canadas-banks-have-weaker-passwords-than-twitter-or-google/article18325257/](https://www.theglobeandmail.com/technology/digital-culture/why-canadas-banks-have-weaker-passwords-than-twitter-or-google/article18325257/)

~~~
ymlaree
This smells plain text password storage..

~~~
clord
A little bird told me it's because they still use COBOL fixed width data and
are basically scared to change it. To fix, first they have to finish their
rewrite.

~~~
jeromegv
What I don’t get is that tangerine was originally ING Direct. Which was a new
bank that just started in Canada toward the end of 90s or early 2000s. How did
they end up with a COBOL system?

~~~
Scoundreller
ING Direct's parent, the Dutch ING, fell on hard times during the 2009
recession.

So ING sold it off to The Bank of Nova Scotia (BNS).

Canada's bank-friendly anti-consumer policy meant that ING Direct had some
value, and BNS coughed up the most cash.

They were only allowed to use the orange ING branding for a few years, so they
changed it to something that was borderline familiar: an orange fruit.

BNS probably had to, or chose to, switch ING clients over from the Dutch
back-end to their Canadian one.

~~~
jeromegv
6 character limit was already there during ING Direct years. Possible they
were using the old Dutch systems but i find it a tad surprising, they would
have needed to set it up from scratch in Canada (as I don’t think anything was
stored in Netherlands). So they purposely setup an old-ass system in the 90s.
What a shit show

------
dade_
HSBC Canada requires 2FA with a token or their mobile bank app. It also isn't
possible to change account contact info, set up new payees, or transfer money to
another country without generating a security code with a token PIN. The
contact centre agents are unable to access your account unless you can
correctly answer the security questions. This does mean an agent can lock out
your account though. It is a pain, but compared with the goofy BMO 6 character
passwords, or worse using CIBC at all, it was a welcome change. Legacy systems
galore: Scotiabank gave me a debit card once in a branch because I got angry
with them and also use mail extensively (though they have a much bigger
problem right now), TD Canada Trust and US TD Bank are integrated with mail
and fax, and RBC has 3 different domains (not AD) (East, Central and West) and
they are completely isolated which can be a nightmare when moving across the
country.

~~~
rb808
HSBC is the only bank I've seen do this properly with a dedicated device. In
the US at least you can log on and do a few basic things without the device.

[https://www.hsbc.com.hk/help/security-centre/device/](https://www.hsbc.com.hk/help/security-centre/device/)

~~~
Ntrails
Over in the UK Nationwide started sending out the little pin/auth machines
10-ish years ago (from memory). They're pretty smart about requiring it for
anything "unusual" but allowing standard stuff (moving money between my own
accounts, paying my usual credit card bill) is fine based purely on password
login.

~~~
GordonS
Can confirm. I also got ones from RBS around the same time.

------
richjdsmith
Lovely. One can only hope that other would-be hackers don't start poking the
rest of the Canadian banks' archaic systems or we'll soon see the rest of our
not-so-fantastic banks on the front page of HN.

For anyone not from Canada, our banks are at least a decade behind the rest of
the world in terms of IT - mostly due to strong government protectionism. I
was a mortgage broker before changing into IT, and up until the summer of
2015, to submit a mortgage application to Scotiabank, one of big 4, you had to
fax it. My buddy who works for Scotia said it wasn't until Q1 2016 before they
were able to submit a mortgage application without a fax internally.

~~~
manishsharan
>>For anyone not from Canada, our banks are at least a decade behind the rest
of the world in terms of IT

I would not agree with your assertion. I work at the bank with the "Green
Sofa" and I can assure you we are very competitive with the US banks as far as
technology goes.

------
dflock
As many people in this thread pointed out: lots/most banks suck at this. Tiny
max length passwords, no 2FA, etc, etc...

Are there any Canadian banks which don't suck at this?

~~~
bonestamp2
Chase is awful too, their passwords aren't case sensitive! If you have an
account you can try it right now, type in your password and change the case of
a letter and it doesn't make a difference.

~~~
chatmasta
So chase is storing passwords in plaintext? Or maybe storing a hash of every
combination of case?

~~~
miguelrochefort
They probably lowercase passwords before hashing them.

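The last few comments describe a login that truncates passwords to a fixed length and ignores letter case, and infer that the site folds case before hashing. As an added example, not code from the thread or from any bank, the following models both behaviours side by side: a weak verifier that truncates to 8 characters and lowercases before hashing, and a hardened one that hashes the full, case-preserved password. The sample password, the PBKDF2 work factor and the alphabet sizes used for the search-space comparison are assumptions made for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; illustrative value (assumption)


def weak_normalize(password: str) -> bytes:
    # Models the behaviour described in the thread: everything after the 8th
    # character and all letter case are discarded before hashing, so neither
    # can influence the stored digest or the comparison at login.
    return password[:8].lower().encode("utf-8")


def strong_normalize(password: str) -> bytes:
    # Hardened: the only transformation is a fixed encoding. No truncation,
    # no case folding; the whole password contributes to the digest.
    return password.encode("utf-8")


def register(password: str, normalize, salt=None):
    """Return (salt, digest) for a new account; fresh random salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, ITERATIONS)
    return salt, digest


def verify(stored, candidate: str, normalize) -> bool:
    """Constant-time comparison of the candidate against the stored record."""
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", normalize(candidate), salt, ITERATIONS)
    return hmac.compare_digest(digest, probe)


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return alphabet_size ** length


def demo():
    real = "Tr0ub4dor&3xtra!!"          # constructed 17-character, mixed-case password
    weak_record = register(real, weak_normalize)
    strong_record = register(real, strong_normalize)

    # Against the weak verifier the attacker only needs the first 8 characters
    # in any case: "tr0ub4do" typed as "TR0UB4DO" is accepted.
    attacker_guess = "TR0UB4DO"

    return {
        "weak_accepts_truncated_upper": verify(weak_record, attacker_guess, weak_normalize),
        "weak_accepts_real": verify(weak_record, real, weak_normalize),
        "strong_rejects_truncated_upper": not verify(strong_record, attacker_guess, strong_normalize),
        "strong_accepts_real": verify(strong_record, real, strong_normalize),
        # Worst-case search space. Weak: 8 positions over the 95 printable ASCII
        # characters minus the 26 uppercase letters that case folding merges away.
        # Strong: all 95 printable characters over the full 17-character length.
        "weak_space": guess_space(95 - 26, 8),
        "strong_space": guess_space(95, len(real)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check: if a site accepts your password with the case of a letter flipped, or with characters dropped from the end, the server never sees those bits, and the effective password is whatever survives its normalisation. The search-space numbers make the cost visible: 69^8 candidates versus 95^17 for the same typed password.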
------
mFixman
I have an account in BMO that I'm in the process of closing. Besides kicking
myself for opening an account in a 6-digit password site, what should I keep
in mind regarding my compromised data?

------
flyGuyOnTheSly
I have to say... I'm not at all surprised about Simplii financial's hacking...

I had a PC Financial bank account... and then PC Financial decided to merge
their points program with Shopper Drug Mart for some reason... and then I
started getting calls from Simplii financial asking me to verify my identity
and let's set up my new online bank account...

"What?" is all I could think...

I had never heard of Simplii financial before... nor was I aware that PC was
dissolving/selling their banking arm...

I logged into the account once, transferred all of my money out of that
account, and logged out forever...

The reason I say that I am not surprised that Simplii financial was hacked is
because it is hardly even a Bank imho... it was an afterthought.

~~~
giarc
They merged points because Loblaws bought Shoppers Drug Mart.

Simplii isn't "hardly a bank". It's a bank powered by the same software as
CIBC. It's like the Koodo of Telus.

~~~
flyGuyOnTheSly
I assumed that because I had never heard of them before... that they were just
a new name for the old PC Financial banking brand but I could be wrong.

~~~
ageektrapped
Loblaws sold their interest in PC Financial last year sometime. CIBC took it
over.

------
bitmapbrother
The security of these Canadian banks is very weak IMO. CIBC/Simplii, for
example, does not support 2FA, has no sign in or transfer email/SMS alerts and
their maximum password length, I believe, is 12 characters.

~~~
kjax
That beats the heck out of a certain Canadian credit union that has a
numerical password with a length limit of 7 digits...

~~~
miguelrochefort
Tangerine's limit is 6.

------
branchless
> Then later Monday morning, Bank of Montreal revealed that it, too, had
> received a tip that "fraudsters" had stolen data on up to 50,000 of the
> bank's customers, "and a threat was made to make it public," BMO
> spokesperson Paul Gammal said.

> In BMO's case, at least, the tipsters were the hackers themselves.

> "We took steps immediately when the incident occurred and we are confident
> that exposures identified related to customer data have been closed off,"
> BMO said.

Which "incident"? The theft of the data or being informed they were selling
their own ass back to them?

The only fraudsters here are the banks, claiming they are secure.

Will CIBC and BMO be paying higher interest rates for the elevated risk of
banking with them?

------
paulsutter
I was visiting friends in Canada and I asked “is it true that Canadians don’t
lock their doors?” And they responded “oh no, Steve right? Yeah we know a guy,
he locks his door”. Always polite, trying to make me feel OK for being from a
place where everyone locks their door.

~~~
richjdsmith
I grew up in a town of around 25,000 people. My family never locked its doors.
When I moved to Calgary (pop ~1.2mm), I still rarely locked them.

I pay for home insurance for a reason.

~~~
ehonda
I don't know if home insurance covers theft if you don't take basic steps to
protect your property (i.e. locking your door).

