Submitted via IRC for Bytram
The team behind Scotiabank's Digital Banking Unit isn't impressing some customers, after forgetting to renew the security certificates for their own website.
The DBU was set up last year to sell "world class digital solutions" to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, tipped off The Register that the bank's hipster factory certificates had expired nearly five months ago.
"Tuesday next week is the five month anniversary of the certificate expiring and no one has noticed," he said. "This from a group supposed to showcase how smart the bank's IT people are. The irony is strong in this one."
[...] In 2016 he spotted that the bank's mobile app had some rather unusual features – notably that the programmers had laden the code with f‑bombs. He informed the bank in April and got no response, so let the regulators know. Scotiabank fixed the code within 24 hours.
Source: Scotiabank internet whizzkids screw up their HTTPS security certs
(Score: 3, Interesting) by Whoever on Sunday September 10 2017, @08:26AM (1 child)
The certificates have expired, but they are issued to "webflow.io" not Scotiabank.com.
Using certs for the wrong domain is surely a bigger issue.
(Score: 3, Interesting) by Anonymous Coward on Sunday September 10 2017, @04:19PM
It may just be that their web host has improperly configured *:443 in the vhost file for webflow.io. That could make every https request use the webflow.io config including their SSL cert.
I think the bigger bigger issue is that they are not running their site on their own VPS.
(Score: 2) by maxwell demon on Sunday September 10 2017, @08:55AM
Don't confuse smartness with competence. They were clearly smart enough to hide their incompetence for long enough to get into this position.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0, Insightful) by Anonymous Coward on Sunday September 10 2017, @09:02AM
Only uncool old Luddites use certs. Hip hippy hipsters use apps! Appy appers apping apps. Apps, apps, and moar apps!
Because apps, amirite?
(Score: 2) by hendrikboom on Sunday September 10 2017, @02:04PM (1 child)
My Scotiabank login, using https, has worked all the time. So is the security setup in my browser broken? did it fail to check certificates? I've been using firefox.
Or is that digital banking unit not the one I've been using for my online access to my ordinary consumer-grade accounts?
(Score: 1, Interesting) by Anonymous Coward on Sunday September 10 2017, @04:22PM
Check the actual FQDN that you use to login to Scotiabank. Chances are it's not their main website (probably a subdomain which has a valid cert).
(Score: 5, Informative) by Appalbarry on Sunday September 10 2017, @04:28PM (2 children)
Scotiabank still does not allow customers to use upper case or special characters in passwords, arguing that it would confuse some customers.
Rather than putting resources into security, Scotiabank has been prioritising the disposal of long time employees and the centralisation of all decisions at head office in Toronto.
The days when you knew your branch manager, and they would bend the rules in an emergency, are long, long gone.
But hey! Scotiabank is still the industry leader in exorbitant service charges!
(Score: 0) by Anonymous Coward on Sunday September 10 2017, @09:29PM (1 child)
IT's good policy. By limiting the number of characters to only a..z and 0..9 you can enforce real security by having the customer use LONGER passwords. The Tr0ub4d0r style passwords are known to be weak anyways.
Good policy should include a biometric identifier and a 6 to 9 digit PIN
(Score: 2) by hendrikboom on Monday September 11 2017, @12:11AM
But they use a four-digit PIN.
(Score: 4, Interesting) by krishnoid on Sunday September 10 2017, @10:47PM
Could this be a safer avenue of responsible disclosure?