Scotiabank slammed for unreliable security after internal credentials are leaked
Scotiabank has inadvertently, allowed the online leakage of a lot of its internal source code, along with some of its private login keys to backend systems.
According to a report on the Register, Jason Coulls, an IT pro, based in the Great White North, had discovered the data sitting out in the open on the internet. Coulls had then tipped off the Register about the security blunder. The informant said some of this data, had been exposed for months before it was discovered. The Register had then alerted Scotiabank, GitHub, and all payment and card processors integrated with the bank, before publishing the information.
As soon as the News media alerted Scotiabank, the Canadian financial giant tore down the GitHub repositories, containing sensitive information that had been exposed. These repositories contained software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances, among other important information. Basically, the repository was a prospective gold mine of susceptibilities for criminals and hackers to exploit and also.
“Among the hundreds of files of documentation and code, which appear to have been created by developers working on versions of Scotiabank's mobile apps for Central and South America, were credentials and keys to access some of the bank's backend systems and services dotted around the world. Among the more sensitive blueprints was code and login details for what appeared to be an SQL database system of foreign exchange rates.” The report said.
It is believed that the GitHub repositories, had been inadvertently misconfigured by Scotiabank's tech team, and it has since been hidden or removed.
The bank appeared to have been busy trying to fix the screw-up and their spokesperson was unable to comment on the matter, they, however, acknowledged that the bank’s security team is probing the matter.
"They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months," Coulls told El Reg. "Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly."
According to Coulls, this is not the first time Scotiabank has leaked its internal data online.
"In my experience, this muppet-grade security is perfectly normal for Scotiabank, as they usually leak information once every three weeks on average," Coullssaid.
"Scotiabank had [IBM] AS/400 and DB2 instances where the credentials and connection information is public. They regularly leak source code for everything, from customer-facing mobile apps to server-side REST APIs. They also leak customer data. If they ever claimed that security is a top priority, I would dread to see how they handle low priority things."
In 2017, Coulls had found that Scotiabank's digital banking unit, was not only using security certificates that had expired five months earlier, but a good number of its code had not been carefully audited or debugged.