How do you know if 1 online bank is more secure than another?

Really you can't judge an companies security by how big or nice looking they are. At the end of the day your sort of stuck trusting blindly. With that being said companies like banks really really try to invest in security, cost of getting breached is much higher then just making things as secure as possible. Personally I in canada the only banks I would be concerned about are maybe small new ones that may or may not have invested as heavy as they should (new guys sometimes miss the little thing that matter, and need time to add them in). But to be fair newer companies may have the latest and greatest security so it pretty much comes down to do you trust this company. Alternatively if you go to any banks website log in and it is not a secure connection that is a red flag. Really I don't think as a customer it is unreasonable to ask how are you keeping our money/data safe and getting a decent answer, if your educated on topic enough that response may even mean something to you.

Sometimes there are obvious failings: 1q-bank-easy-20-20mins-open-2-accounts- ... st25569695

However you can't just measure the security of a bank from its website (although it is a good indicator), and certainly not from its "look and feel". You can find out who its backers are, for example Zagbank is owned and run by Desjardins, so you should be pretty safe.

As Someone who works in the industry, you can't. Even I can't.

After a certain business size they are all governed by the same rules and guidelines so you can try to check for past hacks but other than that, I usually assume that the bigger you are, the bigger target you have on your back.
Keep in mind that nothing is unbreakable.

flafson wrote: ↑As Someone who works in the industry, you can't. Even I can't.

After a certain business size they are all governed by the same rules and guidelines so you can try to check for past hacks but other than that, I usually assume that the bigger you are, the bigger target you have on your back.
Keep in mind that nothing is unbreakable.

Based on this is it correct to assume that all the big online banks have the same level of government-mandated online security? And that they are all equally safe/vulnerable?

scoper wrote: ↑Based on this is it correct to assume that all the big online banks have the same level of government-mandated online security? And that they are all equally safe/vulnerable?

They are probably equally governed but not equally safe.
I'll give you an example from the PCI world, which is basically the rules around credit card security.

New vulnerability was found which forced everyone to switch from SSL 3.0 to TLS 1.0 and quickly after TLS 1.2.
The switch is so difficult to execute that they pushed the initial deadline from 6 months to 2 years. The company that I work for (very small company) made the switch in about 3-4 months. A larger entity like a big bank is more likely to take his time.
My wife happens to work in IT for BMO and a change that we do in 1 week, takes them 3-6 months.
You may say we are small and they are large but that 1 week change is in a code base of ~1 million lines of code and ~1 million database records with tens of thousands of database tables.
Reality is, large entities are very slow at adapting to change.

Then there is another example, who decides what's ok and what's not ok? There are PCI rules but the people who sign on those changes and decide if you are ok or not are human beings and the rules are not black and white sometimes, there is room for interpretation.
One QSA may decide that situation A is secure and B is not secure and a second QSA may decide that situation A is not secure and B is also not secure. It's very similar to law and precedents.

Based on that, it's really hard to tell what is safer, if one entity has a better reputation at accepting change, then they are more likely to have the latest patches than other big entities but otherwise it's nearly impossible to tell.

Another point to note, if there was a known hack against a company, it becomes harder for that company to get their compliance papers signed, the people who govern would take extra looks at them.

flafson wrote: ↑They are probably equally governed but not equally safe.
I'll give you an example from the PCI world, which is basically the rules around credit card security.

New vulnerability was found which forced everyone to switch from SSL 3.0 to TLS 1.0 and quickly after TLS 1.2.
The switch is so difficult to execute that they pushed the initial deadline from 6 months to 2 years. The company that I work for (very small company) made the switch in about 3-4 months. A larger entity like a big bank is more likely to take his time.
My wife happens to work in IT for BMO and a change that we do in 1 week, takes them 3-6 months.
You may say we are small and they are large but that 1 week change is in a code base of ~1 million lines of code and ~1 million database records with tens of thousands of database tables.
Reality is, large entities are very slow at adapting to change.

Then there is another example, who decides what's ok and what's not ok? There are PCI rules but the people who sign on those changes and decide if you are ok or not are human beings and the rules are not black and white sometimes, there is room for interpretation.
One QSA may decide that situation A is secure and B is not secure and a second QSA may decide that situation A is not secure and B is also not secure. It's very similar to law and precedents.

Based on that, it's really hard to tell what is safer, if one entity has a better reputation at accepting change, then they are more likely to have the latest patches than other big entities but otherwise it's nearly impossible to tell.

Another point to note, if there was a known hack against a company, it becomes harder for that company to get their compliance papers signed, the people who govern would take extra looks at them.

Really interesting insights, thanks for the post. I will say having worked for both small and large firms in IT, the reason that large firms tend to have issues adapting to change quickly is because of their legacy infrastructure and governance. There's nothing inherently stopping them from being nimble and faster from a technical perspective aside from the fact that they are large, have multiple stakeholder groups that consume or touch certain systems, and a lot of politics. Then you need to get a project team together, build your business case, have it approved at all levels of the bureaucracy, then get them to fund the project.

I worked on a PCI compliance project last year and the amount of people we had to get together to talk about how we'd implement this blew my mind away (coming from a small firm).

I think what I've noticed is that at the working level there is much desire to move quickly on things... but its the upper levels of management and governance that causes the huge delays.

flafson wrote: ↑They are probably equally governed but not equally safe.
I'll give you an example from the PCI world, which is basically the rules around credit card security.

New vulnerability was found which forced everyone to switch from SSL 3.0 to TLS 1.0 and quickly after TLS 1.2.
The switch is so difficult to execute that they pushed the initial deadline from 6 months to 2 years. The company that I work for (very small company) made the switch in about 3-4 months. A larger entity like a big bank is more likely to take his time.
My wife happens to work in IT for BMO and a change that we do in 1 week, takes them 3-6 months.
You may say we are small and they are large but that 1 week change is in a code base of ~1 million lines of code and ~1 million database records with tens of thousands of database tables.
Reality is, large entities are very slow at adapting to change.

Then there is another example, who decides what's ok and what's not ok? There are PCI rules but the people who sign on those changes and decide if you are ok or not are human beings and the rules are not black and white sometimes, there is room for interpretation.
One QSA may decide that situation A is secure and B is not secure and a second QSA may decide that situation A is not secure and B is also not secure. It's very similar to law and precedents.

Based on that, it's really hard to tell what is safer, if one entity has a better reputation at accepting change, then they are more likely to have the latest patches than other big entities but otherwise it's nearly impossible to tell.

Another point to note, if there was a known hack against a company, it becomes harder for that company to get their compliance papers signed, the people who govern would take extra looks at them.

Interesting to read that there is a level of subjectivity in the protection approaches. So even if 1 bank decides to outspend others in online security budgets the people running their IT departments may choose protection strategy A vs B, C, D etc. That implies that the approach/es they choose will protect the data from many attacks but not all. And as long as there is no massive breach everyone assumes they are secure. Would the government or the banks themselves ever stress-test their choices of protection in a serious way? The way to make it truly credible might be to recruit top-tier hackers to try to stress-test a breach and see which banks pass and which fail although that sounds too Hollywood-inspired.

I suppose if a massive, organized and multi-layered cyber attack by a nation state focused on 1 CA bank it would be difficult if not impossible to prevent a breach.

gqbluez wrote: ↑Really interesting insights, thanks for the post. I will say having worked for both small and large firms in IT, the reason that large firms tend to have issues adapting to change quickly is because of their legacy infrastructure and governance. There's nothing inherently stopping them from being nimble and faster from a technical perspective aside from the fact that they are large, have multiple stakeholder groups that consume or touch certain systems, and a lot of politics. Then you need to get a project team together, build your business case, have it approved at all levels of the bureaucracy, then get them to fund the project.

I worked on a PCI compliance project last year and the amount of people we had to get together to talk about how we'd implement this blew my mind away (coming from a small firm).

I think what I've noticed is that at the working level there is much desire to move quickly on things... but its the upper levels of management and governance that causes the huge delays.

The implication being that, as inconceivable as it may sound, a new online bank like EQ with significantly less legacy infrastucture and (presumably) lower online security spend than other much bigger banks would be able to protect its data from a cyber-attack in a superior way than the big 5 for ex?

scoper wrote: ↑The implication being that, as inconceivable as it may sound, a new online bank like EQ with significantly less legacy infrastucture and (presumably) lower online security spend than other much bigger banks would be able to protect its data from a cyber-attack in a superior way than the big 5 for ex?

I am not implying that at all. What I am saying is that smaller firms do tend to be able to make changes to their systems and infrastructures more quickly than a big lumbering firm because of the upstream and downstream dependencies on said systems.

EQ bank, while a "new" bank likely leverages a lot of their backbone systems from equitable bank (the parent) which is unlikely to have nimble or streamlined systems either being that they are not new and probably have the same types of dependencies as other banks. I don't know this for a fact though, it's just a guess.

It's one thing to design a website that looks streamlined and fast, it's a whole other thing to look at what and how the UI layer is actually consuming from a services and database perspective.

Big banks stake their entire business and reputation on the ability to keep your money secure. They invest millions to do this and millions more to convince you that they are safe. Smaller banks can maybe get there more quickly but all banks should theoretically live at a industry standard level of compliance regardless of size.

scoper wrote: ↑Interesting to read that there is a level of subjectivity in the protection approaches. So even if 1 bank decides to outspend others in online security budgets the people running their IT departments may choose protection strategy A vs B, C, D etc. That implies that the approach/es they choose will protect the data from many attacks but not all. And as long as there is no massive breach everyone assumes they are secure. Would the government or the banks themselves ever stress-test their choices of protection in a serious way? The way to make it truly credible might be to recruit top-tier hackers to try to stress-test a breach and see which banks pass and which fail although that sounds too Hollywood-inspired.

I suppose if a massive, organized and multi-layered cyber attack by a nation state focused on 1 CA bank it would be difficult if not impossible to prevent a breach.

It's not only about a breach these days, they could just DDos you and prevent access to service even though they didn't breach anything. If everything is secure and there are no obvious ways in, the simplest way is to just prevent others from using the service.