Hacking attacks at BMO and CIBC's Simplii highlight why cybersecurity cannot be a patchwork job: Don Pittis

News that fraudsters had broken through security at two of Canada's biggest banks and were threatening to release the account information of 90,000 Canadians is somewhat like an old-fashioned bank robbery. But in our digital age, it is many times worse.

Complex passwords and PINs are no substitute for building a more secure banking system

The Toronto trading floor of the Bank of Montreal is shown. Billions of dollars flow across these screens, but all the cash, in bits and bytes, depends on a secure banking system. (Mark Blinch/Reuters)

News that fraudsters had broken through security at two of Canada's biggest banks and were threatening to release the account information of 90,000 Canadians is somewhat like an old-fashioned bank robbery — only in our digital age, it is many times worse.

Except for a few bills in your wallet and the odd coin tucked away in a safety deposit box, almost every nickel you possess, and every nickel you owe, is nothing more than digits in a computer.

For most, those digits are kept by our banks — and the recent attacks show those digits are not always kept safe. 

The fact that two of Canada's biggest banks were compromised by what appears to be foreign criminal hackers running their fingers through our digital cash — and maybe even helping themselves to our personal information — concerns every Canadian.

That includes our politicians, our business community and even those who worry about Canada's national security.

National security concern

Canadian bankers recognize this is a serious issue. Both of the affected banks, BMO and CIBC-owned Simplii, as well as others who weren't hit by the attacks, were quick to respond to reporters covering the security lapse.

"We will fully reimburse customers for any financial impact of unauthorized transactions," BMO confirmed yesterday.

When almost all money is digital, cybersecurity is the modern equivalent of a bank vault. (Denis Balibouse/Reuters)

That may not be enough to assuage the concerns of those affected.

Canadian banking has been a licence to print money, as profits continue to climb. Canadian banks have special rights and status in this country; their senior executives are modern-day princes.

But in the wake of a number of high-profile data breaches over the past few years, Canadians might start to question why they're receiving such rewards while failing to protect our data: If Canada's rich and powerful banks cannot afford to lead the world in digital security, how can they still afford to pay enormous salaries to their chief executives?

Victim distress

Canadians are already increasingly worried about their money.

"I'm very distressed," one victim told CBC News. "How could this happen? I barely slept last night, I'm so worried."

CBC reporters have found a list circulating online that includes microscopic detail of customers' lives, each with columns of data, including names, phone numbers, addresses, occupations, and even Air Miles accounts.

But beyond the pain of having your personal data stolen and the individual losses that may go along with that, the risk is even greater to the entire banking system — and ultimately to the country's security.

The fact that our money is simply digits is nothing new. 

The origin of banking, in part, was the moment when we turned our copper and silver coins over to money lenders, who would in turn let others use those deposits, keeping the numbers recorded on paper ledgers.

Our money was already digital; the only difference now is that the digits are in computers.

And just as the job of a good bank in the Wild West was to keep safe bags of cash, held in vaults away from robbers, the job of a modern bank is to keep safe those digits held in its computers.

Black vs. white hats

It is by no means an easy job. And it is not a job you do just once.

So-called black hat — or malicious — hackers are always getting better. And white hat — or ethical — hackers, including those who work for our banks, are in a constant battle to predict and fend off the next attack.

Systems that were secure 20 years ago would be child's play for today's computer whizzes. Systems that are secure today will be equally porous in the future.

BMO has pledged to fully reimburse customers for any financial impact of unauthorized transactions. But that may not be enough to assuage the concerns of those affected. (Aaron Vincent Elkaim/Canadian Press)

Attacks may be unavoidable. 

But in an industry as crucial as banking, Canada's financial institutions must constantly be improving security efforts and have crack teams in place, ready to instantly respond in the event of the breach before important information is lost.

An email from the purported hackers, outlining how they used a common mathematical algorithm to access account numbers, indicates that was not the case.

A note from Simplii to its clients earlier this week urged them to "always use" a complex password or PIN. The FBI, meanwhile, is warning us to reboot our home Wi-Fi routers after a recent foreign malware attack.

Simplii, a banking brand owned by CIBC, sent out warning letters to customers.

But such warnings are not a substitute to our banks building systems that are secure against the latest cyberattacks.

According to a recent report from consulting firm Ernst & Young, a majority of companies say they know they need to spend more on security. But until companies face the public humiliation of seeing their customers' data splashed across the internet, it is likely easy for those watching the bottom line to see security as excess spending.

But repairing such damage could prove costly. There may be class-action suits. And until they feel secure, customers may choose to avoid keeping all their business at a single bank — especially one that has shown itself to be vulnerable.

Given the choice, banks would prefer to keep their security flaws hush-hush. So, in some ways, the black hats that broke into BMO and CIBC-owned Simplii did us all a favour.

Because without a strong, defensive wall around Canada's banking system, the whole country is at risk. If this is what criminal hackers can do, imagine the damage possible from paid professionals from enemy governments.

To ensure our money is safe, Canadian banks must be prepared to spend the money — and regulators, like the Bank of Canada, should be called on to help.

As Ernst & Young has warned, "at present, there is a real skill set shortage in cybersecurity."

And that is something tangible that banks can tackle, perhaps by hiring the smart kids back from Silicon Valley — or by paying the white hats enough to stay home and defend Canada from foreign invaders.

Follow Don on Twitter @don_pittis


Don Pittis

Business columnist

Based in Toronto, Don Pittis is a business columnist and senior producer for CBC News. Previously, he was a forest firefighter, and a ranger in Canada's High Arctic islands. After moving into journalism, he was principal business reporter for Radio Television Hong Kong before the handover to China. He has produced and reported for the CBC in Saskatchewan and Toronto and the BBC in London.