Bad Security Practices Pushing the Citizenry into the Arms of Bad Actors (GC)

Over the last few weeks, my wife and I have been helping complete a Canadian tourist visa application for a family member.

It’s long and it’s tedious but we expected that.

We get to a point in the application process where we need to upload four most recent bank statements. This is annoying, but it shouldn’t be difficult and we understand why they are asking. So, we go and get the bank statements — four different PDFs from the bank to be exact. Easy.

We’re ready to upload these 4 statements, but the Government of Canada will only give us the option to upload a single file on the website.  “Single file? What the? But, the requirement is to send 4 statements?”

I work in tech and my mind is always thinking about systems, process, and how things will fit together. I’m a solutions architect consultant and security is always at the top of my mind.

In my head, I already know exactly how to solve this. I have a SaaS subscription to Adobe Acrobat CC that I use for business that I could borrow to combine these documents into a single file. This is easy for me or for someone who knows what they are doing and who has the available tools.

The Government of Canada also gave us a link to help us understand how to combine files if we have to upload more than one file. So, we click the link see what the Government of Canada’s official guidance is.

Here’s the guidance from the Government of Canada:

The Government of Canada is pointing people to Adobe’s website where they’ll need to sign up for a monthly or yearly SaaS license @ $30/month.  People don’t want to do that and most won’t do that.   Instead they’ll look for a website that combines these files for free.

They will look for and find a free website that allows them to upload their bank statements and other official personal documents in order to create a single file. Seriously. They’ll do it because the Government mentioned this is a way to do it. They’ll gleefully provide the following information to these websites via document uploads:

• Bank account numbers, balances, transaction details
• Name, address
• Passport and drivers license photo
• Social insurance number

Ok – back up.  This is sketchy.  The government is asking for very personal information and they cannot provide a way for people to easily and securely upload that information without using a third party intermediary at their own risk.

The best they came up with is, to put it bluntly, “Pay for Adobe — a tool you may not even understand how to use”… or … “use some website at your own risk”

It makes me wonder about the millions of people who go through this process every year. How many of them are computer savvy? Even if they are computer savvy, how many of them are going to decide to pay for Adobe to combine files over utilizing some random (and sketchy) website to do it for free?

Right off the bat, people are being set up to be exploited by bad actors. Specifically, this could lead people into two types of security exploits:

Phishing: Uploading personal information to sketchy websites that could be exploited by bad actors opens up the possibility that your personal information will be exploited and even sold to other bad actors.

Advanced Persistent Threats: The personal information that is mined from the data collected from your personal documents can be used to impersonate you as part of a social engineering campaign that combines your personal information with additional intrusion techniques to unlawfully gain access to your accounts, including bank accounts.

How is this situation allowed to exist?

• There is no doubt that somewhere along the line there was a business requirement to allow users to upload multiple documents to the Government of Canada Visa Application website.
• This likely got de-scoped to a future enhancement (maybe) or removed from scope entirely because the project team felt it was “good enough” and removing this from scope allows them to better meet their timelines and please their program sponsors.
• It’s very likely that security governance was not specifically involved in this decision and it’s very likely that the potential impact as I’ve legitimately described it here was not sufficiently understood by the project team or relayed to security governance. … Or it was and nobody cared.
• The pervasive mantra of “it’s just security. It’s not a big deal and we’ve always done it this way”.

From an overall security perspective, this alone may not appear to compromise the Government of Canada’s website. The people involved with security governance for the Canadian Visa Application website may believe that what users do is outside their influence or control, and therefore they are not responsible for it because their website is safe – I don’t buy it. Expecting users to upload personal and sensitive information to “websites” at their own risk as a requirement for the Visa application is questionable at best and negligent at worst.

I believe it’s negligent because it’s pushing people towards very bad security and privacy practices with their very personal and sensitive information — the very same information that could be used to exploit people’s personal accounts within Banks and Government of Canada apps and websites. The government appears to be condoning it while at the same time asking people to “use at their own risk” as if this disclaimer is enough to absolve them from accountability.

“We can’t accept information in it’s current state (which is a standard state), so ‘use a (sketchy website) at your own risk’ to get it in the format we need” is NOT something I would expect a government to tell the citizenry regarding how to handle sensitive information. This violates the core principals of good privacy and security practices. This is particularly egregious coming from Government who have a vested interest in ensuring the security and privacy of personal sensitive information of it’s citizenry.

How to Prevent This From Happening

• Everyone on a project needs to be thinking “security first”. Security cannot be an afterthought like it used to be back in the early 2000’s.
• Security first doesn’t mean — ‘we talked to security team and they told us we’ll run some scans and if they pass then we’re ok’. No. No. No.
• Do not push your users or customers into a corner where they’ll likely employ bad security practices because the system you are implementing is incapable of providing a secure mechanism to handle what you are requesting of your customers.
• Security architects and security engineers need to be engaged and active throughout the entire program lifecycle
• Every person on the team has to understand that they have a duty to help recognize security attack vectors in their implementation and raise it as an issue accordingly.
• Understand that attack vectors are not just systems intrusion or HTML injection. Your users are your customers, and asking them to do something that opens them up to a potential phishing attack is wrong, and that’s a security attack vector.
• The needs of being security compliant go above the needs to please your sponsors with progress updates and statistics. In fact, your sponsors need to understand this more than anything,

Lastly, I employ the Government to take this seriously and fix this. Allow your users to easily upload multiple files as it’s very clear that in order to complete the Visa application, multiple files containing sensitive information are required to be combined, at our own risk, in order to meet your requirements.

For anyone going through such a process, spend the $30 to buy Adobe and do it safely. You can cancel your subscription at the end of one month. Sorry – but I don’t condone sketchy apps and websites for this purpose.

For all organizations, understand that asking your users to employ sketchy practices at their own risk with their personal and sensitive information is negligent and must be avoided even if that means additional costs to do so.