2 Canadian Banks, BMO & CIBC’s Simplii Financial, Disclose Data Breaches
Two Canadian banks, Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce-owned Simplii Financial, disclosed earlier this week that cyber criminals may have stolen sensitive data of their combined 90,000 customers.
BMO is Canada’s 4th largest bank, while the Canadian Imperial Bank of Commerce (CIBC) is the country’s 5th largest bank.
A spokesman for Bank of Montreal told Reuters that nearly 50,000 of the bank’s 8 million customers across Canada were hacked. CIBC’s Simplii Financial, meanwhile, disclosed that fraudsters may have stolen certain personal and account information for nearly 40,000 of its customers.
According to CBC, a group of cyber criminals who claimed to have stolen sensitive data from the 2 banks sent an email to media outlets across Canada last Monday. The attackers said that the stolen data would be sold to criminals unless the banks paid a $1-million ransom in the cryptocurrency Ripple by 11:59 p.m. Monday.
The attackers claimed that they’ve harvested personally identifiable information from customers of the 2 banks, including social insurance numbers, dates of birth, addresses and phone numbers.
To prove the veracity of the email, the sender shared the identifying information of two Canadians, one for each bank. When CBC contacted those 2 individuals, they confirmed the veracity of the identifying information.
The ransom deadline has already passed. When contacted by CBC about whether any ransom had been paid, Bank of Montreal said, "Our practice is not to make payments to fraudsters."
Simplii, for its part, said that it’s "continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."
The attacks on BMO and Simplii are noteworthy as both were disclosed on the same day by the 2 financial institutions and both were attacked by the same cyber criminals using the same method.
The email sent out by the group who claimed to have stolen data from BMO and Simplii Financial explained in detail how the data breaches on the 2 financial organizations were carried out.
According to the email sender, bank accounts at BMO and Simplii Financial were breached by using the Luhn algorithm, the checksum formula that determines whether a card number is well-formed; in this case, the attackers used it to generate valid-looking card numbers.
Using the generated card numbers, the attackers then posed as authentic customers who had forgotten their password. The group said the generated card numbers allowed them to reset the backup security questions and answers and reset the passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said.
In Simplii Financial's official statement, the organization advised customers to always "use a complex password and pin (e.g. not 12345)”. This statement suggests that the bank isn’t using 2-factor authentication. BMO, meanwhile, offers 2-factor authentication.
A customer at Simplii Financial told The Globe and Mail that he was unable to log in to his account and that the safety questions to recover his password had been changed.
In a study, Newcastle University researchers found that it only takes seconds to guess a bank account number by using the first six digits (which tell you the bank and card type) and the Luhn algorithm. One of the original purposes of the Luhn algorithm is to let websites immediately identify mistyped card numbers.
"As an example, suppose one's credit card number is 5377223617291234. Here, the ‘4’ is the check digit. This digit can be determined solely from the digits that precede it through what is called the Luhn Algorithm,” the Oxford Math Center explains. “If when entering this credit card number, one accidentally types a ‘7’ where the right-most "1" should be (i.e., 5377223617297234), the check digit produced from the first 15 digits, in accordance with the Luhn Algorithm, will now disagree with ‘4’ on the end – flagging this as an invalid credit card number.”
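The Oxford example above, worked through in code, together with the defender's lesson from the attack described earlier: a Luhn-valid card number proves only that the digits were typed consistently, never that the person submitting it is the account holder, so a password-reset flow has to count distinct card numbers per client rather than trust the check digit. This is an added example written for this article, not code from either bank, the Oxford Math Center or the Newcastle study; the log format, the client labels and the `client-B` card numbers are constructed for the demonstration.

```python
"""Luhn check-digit arithmetic, and what it does and does not prove.

Added example for this article; not code from BMO, Simplii or the cited sources.
"""
from collections import defaultdict


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: from the right, every second digit is doubled and
    products above 9 have 9 subtracted (equivalent to summing their digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit Luhn-valid (the trailing '4' in
    the Oxford example). A placeholder 0 keeps the doubling positions aligned."""
    return (10 - luhn_sum(payload + "0")) % 10


def luhn_valid(number: str) -> bool:
    """True when the full number, check digit included, passes the Luhn test."""
    return number.isdigit() and len(number) >= 2 and luhn_sum(number) % 10 == 0


def detects_all_single_digit_errors(number: str) -> bool:
    """Luhn catches every single mistyped digit: no one-digit substitution of a
    valid number stays valid. This is the error-detection purpose of the scheme."""
    for pos, original in enumerate(number):
        for wrong in "0123456789":
            if wrong != original:
                candidate = number[:pos] + wrong + number[pos + 1:]
                if luhn_valid(candidate):
                    return False
    return True


def _constructed_card(payload15: str) -> str:
    """Build a constructed, Luhn-consistent 16-digit sample for the log below."""
    return payload15 + str(luhn_check_digit(payload15))


# Constructed password-reset log: timestamp, client label, card number, outcome.
# client-A is one customer who mistyped a digit once (the Oxford typo);
# client-B submits six distinct well-formed numbers in one minute.
CONSTRUCTED_RESET_LOG = [
    "2018-05-28T09:00:01 client-A 5377223617291234 questions_sent",
    "2018-05-28T09:00:07 client-A 5377223617297234 invalid_card",
] + [
    f"2018-05-28T09:01:{i:02d} client-B {_constructed_card('537722361729' + f'{i:03d}')} questions_sent"
    for i in range(6)
]


def flag_enumeration(log_lines, threshold: int = 5):
    """Clients that fed at least `threshold` distinct card numbers into the
    forgot-password flow. Passing the Luhn test is not a signal here, because
    every submitted number does; the number of distinct identifiers per client is."""
    cards_by_client = defaultdict(set)
    for line in log_lines:
        _ts, client, card, _outcome = line.split()
        cards_by_client[client].add(card)
    return sorted(c for c, cards in cards_by_client.items() if len(cards) >= threshold)


if __name__ == "__main__":
    print(luhn_check_digit("537722361729123"))        # 4, as the Oxford text says
    print(luhn_valid("5377223617291234"))             # True
    print(luhn_valid("5377223617297234"))             # False: the typo is caught
    print(luhn_check_digit("537722361729723"))        # 1, disagreeing with the trailing 4
    print(detects_all_single_digit_errors("5377223617291234"))  # True
    print(flag_enumeration(CONSTRUCTED_RESET_LOG))    # ['client-B']
```

The check digit is public arithmetic over the other fifteen digits, which is why `luhn_check_digit` reproduces the Oxford result with no secret input. The detection side therefore ignores validity and watches for one client working through many distinct card numbers, which is the pattern the "half-authenticated account" quote describes.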
If you have an account at either BMO or Simplii Financial, it’s important to monitor your account for signs of unusual activity. Both banks are offering free credit monitoring and guarantee 100% reimbursement for any unauthorized transaction.
The recent data breaches at BMO and Simplii Financial could have been prevented by data encryption. Organizations, especially those in the financial sector, are required to safeguard the personally identifiable information of their clients.
One of the ways of safeguarding sensitive information is by encrypting the data. Encryption changes the data into something incomprehensible, rendering the data useless to attackers who do not hold the decryption key.
“The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers," the Canadian Bankers Association told Bloomberg.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” Dr. Ann Cavoukian, former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre, told the Financial Post. “This is a real eye-opener. The question that that begs is why weren’t you engaging in those measures all along?”
Steve E. Driz