Is Your Banking Information Accidentally On Ebay?

GraWil writes "The Toronto Star is reporting how two Bank of Montreal computers containing thousands, of sensitive customer files were sold to a student who fixes up machines and then resells them on eBay. It seems that the company responsible for scrubbing the disks (Rider Computer Services Ltd.) misfiled the machines in their warehouse and it was assumed they had been erased." It's not the first time this sort of thing has happened.

My matress won't talk.

[Rhinobird]

My bank is my matress and if it starts talking, then I have other issues to deal with.

Destroy, don't sell

[Ckwop]

Personally, i think that any hard-drive that has been used for that purpose should be securely destroyed instead of being sold. Simon.

PR Shills

[CaptainZapp]

"Our number one priority as an organization is the protection of customer information," said Dina Palozzi, chief privacy officer for the bank, which swiftly seized the computers' hard drives on Saturday afternoon within 24 hours of learning their whereabouts. "This kind of issue we take very, very seriously."

Don't you just love it? If protection of customer information indeed is your number one priority then why the fsck don't you have procedures is place, which make such a blunder outright impossible? And if you do have such procedures in place why don't you enforce them?

Are those PR liars (and what else could such a "chief privacy officer" making such an outragous statement actually be?) all cranked out by the Forked Tongue Institute for Marketing & PR, or what?

Encrypted HDs

[G4from128k]

Seems like this event makes the case for encrypted HDs -- schemes that render data unretrievable without the proper passwords/biometric signatures/magic hardware dongles. The idea that all our personal records are stored in clear text on thousands of HDs and backup tapes at a myriad of institutions is not too pleasant.

As a purchaser/fixer/collector of old computers, I have seen many a file that some prior owner would probably have prefered I not. Although I, personally, have seen nothing of a criminal nature (or of a nature that would allow me to perpetrate a crime) I know others who have found strange files on old computers. Psychotic diary entries that advocated violence, financial records, proprietary engineering data, etc. all have an odd way of being left on HDs of obsolete machines. If a old machine stops working, few people make the effort to fix it in order to erase data. Systems that automatically make the data inaccessible in all but valid/authorized machine states would ensure the protection of the data.

Although any encryption system can be broken, by social engineering at the very least, it would be better if there were at least some barriers between sensitive data and potentially prying eyes.

A good solid brick..

[m_dob]

A nice old lady I know who was in Britain's MI5 realised after throwing away her computer that it was not wise to leave a hard drive full of sensitive information. She and her son then drove back to the rubbish dump and pelted the hard drive with bricks until it gave in.

drive erasure

[ajs318]

Physical destruction of used disk drives is not necessary and could in fact engender a false sense of security. Think about it ..... a "secure disposal company" could bake a drive at curie temperature for 24 hours in an alternating magnetic field of varying frequency, strap a hand-grenade to it and drop it down a disused mineshaft, but how can you be sure it's the same drive, or that they haven't made a backup of its contents? If you wanted to get hold of stuff people wanted rid of, what would be a better front for getting it?

Overwriting the drive using software is more verifiable. You de-network the machine, boot it up from a CD, and can analyse the drive contents before starting a wipe cycle. You switch off and back on to prove there is no cheating. Then you can analyse the drive contents again and be sure they are different. The drive never left the machine, but you can be sure the data left the drive.

Whatever anyone may say, remember these "secure disposal companies" are after your money and don't mind playing on your most groundless fears to get hold of it ..... there are a lot of things they thought were impossible ..... what if someone finds a way ..... Hell, sooner or later someone is going to come up with a scheme for disposing of the air from meeting rooms where secret conversations have been held. The simple scientific fact is that it takes only one overwrite cycle to make data unreadable. You can prove this to yourself using a disk sector editor, but it should be obvious anyway. If the drive could tell a "1 that used to be a 0" from a "1 that has always been a 1", or a "0 that has always been a 0" from a "0 that used to be a 1" with any degree of reliability, someone would already have used that as a capacity-doubling mechanism! It's possible that there might be some difference detectable with a sensitive analogue circuit, since there is a hysteresis loop and there really are the four states I described above. Two overwrites of opposite polarity will force the magnetic media into a known state. Even so, just one overwrite will give someone a massive headache trying to recover the data, because the "used-to-be" data has an inherently high error rate. It's already hard to tell "X that used to be !X" from "X that always has been X" and if the overwriting data is random enough, then it's hard to work out what was ever meant to be what.

dd if=/dev/audio of=/dev/hda might conceivably do a good job on a used drive, if you make sure the gain is turned up nice and high and there is nothing plugged into the sound card. Filtered static and power hum are the nearest you're going to get to true randomness.

My drives are invariably thrashed for as long as they work, then get the magnets removed for use in experiments {and wiped a few times across the platters for good measure}.

Even then

[CaptainZapp]

I worked for a bank for a few years (in a country far away, where they have numbered accounts and you're actually looking at jail time for revealing customer data) and something like this was just unheard of.

The absolute main security issue was customer data. Not that they would have fancied embezzlement or theft but this was looked upon far less serious then compromising customer data, period.

In the data centers (which you had to physically access in order to query real customer data, safe for the front office and also there it was very restricted what you could look at) you had to go through multiple layers of security and where not permitted to even remove a printout.

Computers where dismanteled and disks shredded, they where never for resale. This was applicable for every last computer from every last branch and office

Now, I agree shit happens. Probably in their case it started with outsourcing such a critical tasks to "ACMEs chep disk blanking operation" in order to save a few bucks. This is not really excusable, but it happens.

But what really gets my blood boiling are statements like the one from that PR bimbo, which are just utter bullshit.

Maybe she should apply for a job at Microsoft to sell "trustworthy computing".

Copyright?

[Quixote]

Here's a question. Why is it that the RIAA can (with a straight face) claim that each of their songs that a person shares is worth $150K, and yet my private information with the bank is worth zilch? Why is it that the RIAA can get $12K from a 12-year old girl and yet the general public can get nothing from these companies that share our private information?

Shouldn't customers' private information have at least as much rights as some stupid Brittany Spears song?

use HD built in wipe

[j_dot_bomb]

Modern hard drives have commands "SECURITY ERASE" and "ENHANCED SECURITY ERASE". Search for those terms and hdparm on google. Also below is a link to the quality of the erasure. Note: these will erase even bad "mapped out" sectors. Enhanced erase will even go off track + and minus which erases the edges. atapwd.zip does regular erase (search).

http://www.tomcoughlin.com/Techpapers/Secure%20E ra se%20Article%20for%20IDEMA,%20042502.pdf

Happens all the time

[computerlady]

I was consulting at a community bank last spring, helping them getting ready for an IT audit by the FDIC. They were replacing some machines, and I persuaded them to donate the old ones to a local computer group who refurbishes them and places them in schools and non-profits. I could see that their IT policy manual contained nothing about even wiping drives let alone destroying them.

As soon as I got them to my office, I invited the CEO in to see how much customer info his IT department had "donated." He was, of course, shocked. The sad thing is, probably 30 people were involved in that transfer and not one of them had the slightest clue. Another said thing is that the donation fiasco was just one of hundreds of examples of failure to adequately protect the privacy of customer information.

The good news is that the FDIC is taking customer data security very serious and is coming down hard on breaches and potential problems during their IT audits and their Safety and Soundness audits. So maybe it will get better. Except we are talking about humans...