Wednesday, February 25, 2015

The CIBC Canary

Following on from my post last month where CIBC finally opened up a dialogue, it's time to post a quick update on the results.

In short, the first item that I had raised (see here for backstory) has been addressed in the sort of way only a bank could deal with it: having raised a number of scenarios where it can be shown they've no idea who's on the phone system talking to their credit card system, they agreed to remove me from that system and put me back to paper.  Whilst that solves my problem, in my opinion it does nothing to address the problem for millions of other people.

The other issues I raised in my 7 page report to them (about runaway data, policy failures, etc) were "conveniently" ignored in the letter they sent me in response.  However, I did note today that some of the issues are being addressed in the form of a cleanup operation.  

Of particular note was an example of runaway data when accounts are compromised.  Because compromised accounts don't appear on CIBC's radar, they don't get cleared up.  One example I sent them was this (I've blocked out the cc number as I've no idea if CIBC replaced the card yet):

As you can see from the transit code, this is a Commerce Court based account that was compromised.    I've known for a long time it was compromised and used it as an example to CIBC in my report.

Today, that same information is removed.

This is superficially good news - at least Mr Donald J Steadman is now "safer" than he was.  

I say superficially, as some instances have not been cleaned up.  By not explicitly telling CIBC where all the accounts are, the public has a digital "canary".  When the other compromised accounts "die" and disappear from the Internet, we know CIBC has caught up on security and policy enough that they're actually scanning for this type of leak.  If they remain visible, we know that CIBC is still wrestling with the concept of runaway data.

For those with no idea about canaries, an excellent example was Apple's "Warrant Canary". Apple was forbidden from telling the public that it had been subpoenaed for information by the US Gov. So, what it did was put in its transparency report that it had not been subpoenaed.  When that statement disappeared, it meant that they had been subpoenaed, without them actually saying it.

The same principle applies to CIBC in this instance.  When the cleanup is truly visible, you can infer that CIBC has a grasp on the data issue - but all the time the canary is visible, you know it's still a problem.
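The canary logic just described, as an added example that is not part of the original post: a small monitor that compares the canary statements from a baseline copy of a transparency report against the current copy and reports each one as alive, dead (it vanished) or stale (still present, but the report's date is older than the refresh interval the publisher promised). The statements, report texts and dates are constructed; the staleness check goes a step beyond the post, since a canary that is never re-issued says nothing either way.

```python
import re
from datetime import date, timedelta

# Constructed canary statements: each one is meaningful only while it keeps
# reappearing in every new report. Its absence is the signal.
BASELINE_MARKERS = [
    "We have never received a subpoena for customer data.",
    "We have never been ordered to hand over encryption keys.",
]

# Constructed sample reports (not real transparency reports).
BASELINE_REPORT = """Transparency Report
Report date: 2014-07-01
We have never received a subpoena for customer data.
We have never been ordered to hand over encryption keys.
"""

CURRENT_REPORT = """Transparency Report
Report date: 2015-01-15
We have never been ordered to hand over encryption keys.
"""

# Constructed "today" used by the demo below.
TODAY = date(2015, 2, 25)

DATE_RE = re.compile(r"Report date:\s*(\d{4})-(\d{2})-(\d{2})")


def normalize(text):
    """Collapse whitespace and case so a reflowed line is not mistaken for a dead canary."""
    return " ".join(text.split()).casefold()


def report_date(text):
    """Return the report's stated date, or None if the report carries no date."""
    m = DATE_RE.search(text)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def canary_status(markers, report_text, today, max_age_days):
    """Classify each canary marker against one copy of the report.

    ALIVE   - marker present and the report is within max_age_days of today
    STALE   - marker present but the report has not been refreshed in time
    UNDATED - marker present but the report carries no date, so freshness
              cannot be judged (treat with the same suspicion as STALE)
    DEAD    - marker missing: the signal the canary exists to give
    """
    body = normalize(report_text)
    issued = report_date(report_text)
    statuses = {}
    for marker in markers:
        if normalize(marker) not in body:
            statuses[marker] = "DEAD"
        elif issued is None:
            statuses[marker] = "UNDATED"
        elif today - issued > timedelta(days=max_age_days):
            statuses[marker] = "STALE"
        else:
            statuses[marker] = "ALIVE"
    return statuses


def dead_markers(markers, report_text, today, max_age_days):
    """Markers that have 'died' (gone missing) relative to the baseline list."""
    result = canary_status(markers, report_text, today, max_age_days)
    return [m for m, s in result.items() if s == "DEAD"]


if __name__ == "__main__":
    for name, text in (("baseline", BASELINE_REPORT), ("current", CURRENT_REPORT)):
        print(f"--- {name} report, checked on {TODAY} ---")
        for marker, status in canary_status(BASELINE_MARKERS, text, TODAY, 180).items():
            print(f"{status:8} {marker}")
```

Run against the constructed copies, the first statement is reported dead in the current report, and the baseline copy is reported stale because it is more than 180 days old.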

Monday, January 26, 2015

Visa Credit Card Security

It's becoming increasingly common that when you ask people about security policies and what they think is secure or not, everything security related becomes someone else's problem.  Last week, I posed a loaded security question to Visa Canada, asking whether something was considered secure given a hypothetical scenario in which something clearly goes wrong. 

Given what I was asking, I had an expectation that someone would either a) think that maybe it was worth looking into the problem further to see if the hypothetical situation could be plugged, or b) go into a state of denial.  What actually happened was neither - instead, Visa tried to distance itself and put the onus on its card issuers.  

After a little back and forth (them pushing for info and myself resisting), they issued a statement that said "Our Client financial institutions (the banks) issue cards and are responsible for all billing and account management issues. Visa has no access to or jurisdiction over accounts. Accounts are confidential and proprietary information between the issuing financial institution (the bank) and the cardholder."

This is interesting because it suggests the credit card company is not watching the card issuers (the banks), and at the same time the customer is invisible to the credit card company.  

Put another way, there's no safety net when the bank messes up, as Visa puts all the onus on the banks; further, there's a blind spot, as Visa can't see you either. 

Wednesday, January 21, 2015

Thoughts On Canada Interest Rates at 0.75%

Today, the Bank of Canada dropped its official rate from 1% to 0.75%.  This is just the day after Obama stepped up to the plate and announced "Tonight, we turn the page," and followed on with "The shadow of crisis has passed, and the State of the Union is strong."

If the shadow of crisis has passed and the Bank is dropping its rates, what's going on?  Quite simply, it's all a game of media posturing.  There's an old Indian phrase that runs along the lines of "If everyone tells you that you're sick, go and lay down"; this same psychology can be used to rally people into believing that "The economy is not sick, so get up and spend!".

So why is it Obama is saying everything is fine, yet the Bank of Canada is reducing rates, Europe is getting ready to inject more printed money, all the shops have been in permanent "Sale" mode for over six years and many North American car manufacturers are still pushing "employee pricing" to normal consumers?

To understand what's actually going on, we need to take a step back and look at the bigger picture by getting above the viewpoints of Canada and the USA, and looking at it through the neutral eyes of someone like the BIS.

If you've no idea who the BIS is, a quick history recap follows:

In layman's terms (not 100% accurate, but good enough for the purposes of this article), the BIS was a bank that was set up to deal with Germany's reparation debts after WWI.  It was a central bank to a number of nations that made sure payments went where they needed to go, and because of Switzerland's neutrality in most international affairs, it was located there in a place called Basel.  

As time went by, the BIS superseded that initial role and now it has more member countries and it still tries to keep everyone's money in check between nations - not just the original members' money.  This group largely keeps quiet, but on occasion it will notice that the banking systems in the world are getting a bit screwy, and it makes a recommendation.  These recommendations are not law - they're just impartial advice to banks on how to avoid trouble that doesn't take into account politics.  It's pure economics.

The first recommendation was after the 1974 liquidation of the Herstatt Bank in Cologne, and it was known as the "Basel Accord".  It basically stipulated that, in the same way you need to keep money in your account to cover your mortgage whilst your latest pay check clears, banks need to keep a certain amount to cover time differences, such as when dealing with New York, because the counterparty banks still need to be paid on time during the settlement process if the money hasn't arrived at its destination yet.  As you can guess, this was before the Internet and we still had to stuff big bags of money on planes and trains, hence the delays.

Then the BIS went quiet again.

The second recommendation was in 2004.  The BIS knew what was coming with the reckless lending that was happening, and basically told banks to shore up reserves to make sure they didn't go under.  This was known as "Basel II" - a term I'm sure you've seen mentioned in the news.  Many banks had trouble meeting this goal, and then the crash of 2008 put the wind up these banks so fast that they quickly locked down all lending and magically "found" the money needed to not go under.  The money was so locked up in this fear, that governments had to print new money to get liquidity going again.

The third recommendation was in 2010-11 as a response to the deficiencies found in the financial crisis.  Known as "Basel III", the timeline to implement this started in January 2013.  Its purpose was to increase how much the banks need to hold onto, and to make sure they stand up to a stress-test.

So, now you've got a bit of history explaining how we got to where we are, let's go back to the Bank of Canada.

If we have a low interest rate, this should spur people into borrowing more money.  If people borrow money, they spend it on goods and services, generating income for people, and they owe it back to the lender with interest, generating income there too. This much is common sense.  However, we've had several years of cheaper cars (remember the additional gov rebate to get you to ditch your old cars and get a new one to stop the auto industry collapsing?), and several years of cheaper electronics, and several years of perpetual retail sales.  And many people have moved and got new mortgages using these lower rates. 

In other words - people have bought pretty much everything they want - this leaves very few items (food being a major one) whose prices have not come down as demand has not gone away.

There's one thing missing from the picture so far:  Oil.  

Whilst Alberta makes money from Oil, everyone else buys it.  However, they buy it well in advance of when they need it by locking in a price that they think will reflect the market when it comes time to deliver the oil - this is known as a "futures contract".  So, now everyone in places like Ontario is manufacturing with Oil bought a year ago or 6 months ago at higher prices, and is making things that are coming down in price to try and get demand going again.

And that strategy is just not working - and it hasn't worked for the past 7 years.

So, given that the economy isn't generating the revenue it needs, someone has to do something.  Unfortunately, the only two things they can do are:
1) Print money to devalue the dollar, in the hope that we can export more stuff to other countries because it looks cheaper....
2) Lower interest rates to spur people into borrowing money to cover this slump.

Out of those two options, #1 is not really an option as the dollar is already quite low compared to the US Dollar which international trade is most often done in.  This leaves option #2.

This can go two ways:  It works, which is highly unlikely in my mind because the demand slump problem doesn't go away.  Or, it fails.  This failure is what I think will happen.  We'll see some investment in new facilities, new economic action plan items, etc, but all this does is create more debt that has to be paid back - stretching what little money is available to start with.  

It's basically adding to the problem and then kicking that problem down the road a little bit.  That is dangerous.  There's a pretty good explanation as to why.

The one thing that we don't hear about these days that used to be common sense is the idea of the business cycle.  About every 7 to 8 years we see a slump in the economy, then it rebounds.  We crashed in 2008 - we should have recovered by now but haven't.  

2015 is the next dip in the cycle.  What is the worst that could happen?  Well, here it is in a nutshell.  With the oil so cheap, many nations don't generate income, which means they can't repay their debts - which means other nations go without too.  If everyone tightens their belts, the USA is the biggest victim in a downturn of global spending.  

In Canada, we're highly influenced by what goes on next door (As the joke goes, "the USA sneezes and Canada catches a cold"), but this time around it's quite a lot worse - like orders of magnitude worse.

I'm not going to be surprised if we see a zero interest rate in Canada, and possibly a negative one before this is over. 

Friday, January 16, 2015

The CIBC dialogue opens up.

Most people who read my blog know that I have traditionally had a horrible time dealing with CIBC. It does appear however that after the recent issue with the IVR system raising its head again, we finally have a form of ongoing dialogue.  This past week I dropped them a 7 page PDF of issues, and followed that up with an email containing some more items to do with server issues, footholds and such.  Already, I've had confirmation that these more recent items will be corrected.  That's good news.

The flip side is that in looking into these issues and documenting them again, I discovered some things that really didn't sit well.  In showing CIBC that I could prove my hypothesis with concrete examples that they would understand, something became apparent to me as I did more thought experiments: CIBC and Bell Canada have similar issues.

In the case of Bell Canada, I'd shown Sheilagh Malloy (Bell's privacy person) that there's a security problem back in May 2013.  When I handed them evidence that there was a problem, they sent me a note saying not to "hack" into their systems and closed off the dialogue.  Ironically, this left Bell's customers in a security loophole because restricting me from showing Bell that a key works in a keyhole does nothing to address where Bell is losing the keys.  Naturally, Bell Canada customer accounts are still being compromised some two years later.

In the case of CIBC, a similar issue has come to light, where no amount of intrusion detection or technology can fix what I've found.  I'm not going to document what I've found here, to give CIBC the chance to evaluate and fix what I've shown to be problematic, but I do appear to have uncovered a sort of negative feedback loop - the more things I prove to be an issue, the more I see things are broken and in proving those items, new items come to light, and so it goes on.

I'm not a security expert, but I do have an interest in maintaining my own security and I have an interest in making sure my banks maintain my security.  This comes with the added benefit that it also improves everyone else's security too.

Whilst I'm traditionally the type of customer that CIBC would have put on a dartboard, it may well turn out that my constant harping on about things could improve CIBC in ways that no amount of firewalls and filters ever could.

It will be interesting to see how this pans out, but ultimately it depends on dialogue being maintained.

Saturday, December 13, 2014

More Bell Canada Madness

As people know, I'm not Bell Canada's biggest fan.  If there's a right way and a wrong way to accomplish something, my opinion is Bell Canada normally takes the wrong way.

This past week, my elderly in-laws moved into their new home.  The day came for Bell to hook up their new phone line, and the technician left with the phone not working.  After a complaint was put in that the first guy had just one job to do and hadn't done it, a second technician came to visit the next day, and he also left with the phone not working.  This repeated until we escalated complaints, got stuff in writing in emails (this was highly useful when the next technician failed to appear on the promised day) and eventually, after hang-ups by incompetent operators and support staff, escalation and further escalation, we found a manager who called a technician and got him to drop everything on his list and deal with the matter immediately.

This is just to hook up a home phone.

Last night, my wife's iPhone 4 finally gave up and stopped charging.  After speaking to Bell, we found out that given its age, she's eligible for a free replacement if she goes to a Bell store.  By "free replacement", what they meant was that it's not free, as the store wanted $49.  Not a problem, the $49 will be paid.  Except the Bell Store doesn't take cash or a debit card, only a credit card.  The wife doesn't have that on her.

Now, when I say the store doesn't take cash or debit cards, what this really means is they do, because you can buy a phone case, or any other product and pay cash or debit, but not for the $49 for an iPhone.  The suggestion from Bell is to go to Shoppers Drug Mart and purchase a $50 preloaded credit card, come back and then all is well.

The icing on this idiotically bureaucratic cake is the laughable logic that the store staff member then tries to "inform" my wife with...  Apparently, this rule exists because if you pay by debit card, they won't get the money for three days.

I don't know why Bell would train their store staff to tell lies, but for anyone that doesn't understand how a debit card and a credit card work, here's a quick primer:

  • When you pay by credit card, first the issuing bank issues an authorisation on the spot.  Second, when the bank is ready to settle the payment (in this case, being a Saturday, we're looking at Monday night), the money is forwarded to the merchant. So in Bell's case, they're getting the money three days later.
  • When you pay by debit card, first the issuing bank withdraws the money from your account on the spot.  Second, when the bank is ready to settle the payment (in this case, being a Saturday, we're looking at Monday night), that money is forwarded to the merchant. So in Bell's case, they're getting the money three days later.
Yes, if you're sharp eyed and have a brain, you'll have noticed it's actually the same delay regardless of what you used, and Bell Canada was being incredibly stupid by arbitrarily blocking one method and accepting another.

So what is the difference in payment methods?  

Quite simply, when you pay by debit, that settlement process comes straight out of your account, into a pool at the bank and then from there into the merchant's, whereas with a credit card, that settlement comes out of the credit card issuer's account and into the merchant's, which then creates a debt on your behalf that you must repay when you get your credit card bill.

Now, if we were to be really picky about Bell's ridiculous red tape, we can accurately postulate that Bell Canada has actually enforced the worst possible payment rule out of the available options because we can challenge the items on the credit card statement easier than we can on a debit transaction or using cash. 

Obviously, my wife left the store without a working phone, so naturally Bell is now losing further money from having another phone not working on their network.

Saturday, November 22, 2014

Making Yogurt From Whey

Quite some time ago, I posted an entry on this blog about making homemade yogurt.  Given that we get through a lot of yogurt in our house, what with it being added to cooking or the twins having it for many of their desserts, it made sense for me to look into making our own.  It's now been a few years and obviously, I've had some ideas in my head that I wanted to try and experiment with.

The first was really simple:  Would microwaving the milk make any difference to the yogurt I make?  In short, the answer is it made no difference.  On the plus side, I didn't have to stir it to stop it burning the pan.  On the bad side, I had to put up with the noise of the microwave going for about 10 minutes.

The second idea was to see if the whey that I always strain off my yogurt could be used to create more yogurt.  More often than not, we just throw our whey down the sink.  We just don't use it that often, and this was something I wanted to change.  

I see whey as another one of those subjects where if you go back 100 years, everyone had common knowledge of what it is, where it comes from and what it's good for.  The problem, as I quickly found out is that just like straight razors where the knowledge died out in the general population since the introduction of disposable blades (most people wouldn't know a "strop" from a "fools pass"), the same can be said of whey since the invention of the refrigerator.

If you've never seen whey before, here is a pint glass filled with the stuff:

To bring you up to speed, this liquid is one of the major portions of milk.  You pretty much have three big things in milk:  Fat, Casein and Whey.  The fat is often removed out of milk for health reasons (skimmed, semi-skimmed, etc), leaving casein (the calcium, proteins, carbs and phosphorous) and then there's the whey.  

In the case of yogurt making, you can take none of it out (runny yogurt), some of it out (normal yogurt) or lots of it out (greek style yogurt), but then you have the problem of what to do with it next?

In Australia they call whey "Milk Permeate", and because whey has so much good stuff in it like probiotics (the good bacteria for your gut), vitamins and proteins, the Australians actually hold on to it, then add it back into the milk at certain times of the year to keep it consistent throughout the year.  This is known as "Milk Standardization".  Of course, a few companies were then accused of adding in too much, causing the watering down of milk.

Scams will always appear where food can be adulterated.  
The whole yogurt industry seems like a scam to me too, one that plays on the ignorance of the masses, as you're about to see.  When I make my yogurt, it costs about 1/3rd the price of store yogurt, is fresher, and has no additives.

So, as you can probably guess by now, given I remove a lot of whey, I'd been wondering for some time if I could just add some whey from one of my previous yogurt batches to some milk and get yogurt from that too.  

It turned out that, yes, you can make yogurt from whey just as well as from the previous yogurt. For me this is good news, as we sometimes accidentally eat all the yogurt and have to go and buy some Activia or a similar brand to get things going again.

Now here's where I start to get a bit annoyed.  To make yogurt, you need to ferment milk with the lactobacilli (the milk bacteria we now hear of as "probiotics" or "live cultures"), then it's all taken out (probably to stop people making more yogurt from it).  Then sometime in the past ten years, some marketing person thought "hey, let's leave some bacteria in and charge a premium for it and create an ad campaign where you have to eat it for 7 days straight to see if your digestive system improves", and now we have yogurt that you can make more yogurt with again... except everyone has forgotten about that as the knowledge has died out.

So, how did I do it?  Simple:

  • Heat a litre of milk to 180F.
  • Let it cool it to 120F.
  • Pour in about 1/4 cup of whey from a previous yogurt batch.
  • Leave it somewhere warm for 10 hours for the cultures to multiply and chew through the lactose. (I just pop mine in the oven and leave it overnight with just the light on to keep things "warm").

That gives me about $4 of yogurt for about $1.25.

Now, going back to that "milk standardization" procedure... Have you ever wondered where the recent proliferation of "Yogurt Drinks" came from?  

As a refresher, I'm talking about this expensive stuff.  You may have noticed that this is also probiotic, and by now starting to be suspicious about how these types of drinks suddenly sprang up?  Well, you too can make them:  

Yogurt Drink = 1 Part Yogurt + 1 Part Whey.

That's it.  That's all they did - take that whey that previously was thrown out, and add it to normal yogurt (then, obviously charge a premium for it).  

The final point I want to make is about this "L. Casei Danone" trademark and advertising (they all do this, I'm just using Danone as an example).

L. Casei refers to "Lactobacilli" (so, lactose chewing bacteria) and the "Casei" refers to "Casein", which is the milk protein.   The interesting thing is the "DN-114001"...  this is the normal yogurt bacteria and is a marketing stunt like selling an empty bottle with "Breathable Gas Danone" (Air) in it.

Now you see why I think the whole yogurt thing just plays on people's ignorance. 

Saturday, November 15, 2014

Industry Standards

As you might guess, I spend a lot of time looking at specifications and requirements.  A phrase I see very frequently in these is "industry standards" - usually attached to requirements in sentences like "We would like security to meet industry standards" or "this widget needs to behave according to whatever the industry standards are".

There's something that bothers me about this:  People often think that Industry Standards are a good thing or that Industry Standards mean high quality.  I think this is actually a bad thing, and here's why... When we think of industry names that we can set the quality bar by, we think of the likes of big banks, big retail names and so on.  For instance, Home Depot, JP Morgan Chase, eBay, Yahoo!, Sony, Apple, Dun & Bradstreet, TK Maxx, etc.

The astute readers will realise that I've just rattled off a quick list of organisations that have all suffered major data breaches.  To see a truly terrifying list, have a look at something like this...

Is that what people aspire to when they say they want something to be following "industry standards"?  If anything, "industry standards" are a minimum level of effort that has been proven likely to leave millions of people as victims of data breaches, privacy scandals or worse.

That's not a good thing to aspire to.