Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Gregory Smolynec  Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle  Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster  Chief Information Security Officer, Toronto Dominion Bank

5:20 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

5:20 p.m.

Liberal

The Chair Liberal John McKay

Mr. Graham, please, for six minutes.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you. I'm going to follow up a bit on Mr. Dubé.

How secure is an app on a jailbroken phone?

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

How secure is an application on a jailbroken phone?

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Yes.

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

It's not very secure at all, which is why we have jailbreak detection in our applications. We will actually suspend services for that application if it is jailbroken.

The issue, obviously, is that malicious code could end up very easily on that phone. Also, we've talked about encryption from point to point. Data could potentially be exfiltrated as a result of malicious code running on the device.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Right, because you said before—

5:20 p.m.

Liberal

The Chair Liberal John McKay

Mr. Graham, I'm sure there is somebody else on this committee who doesn't know what “jailbreak” means. Could you explain that?

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

I can explain it to you if you don't count it against my time.

5:20 p.m.

Liberal

The Chair Liberal John McKay

I'm not counting your time. I'm sure this is all for greater edification.

5:20 p.m.

Voices

Oh, oh!

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

How do I explain this in 10 seconds?

Do you want to explain what a change of jail is and what a jailbreak is?

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

The simplest way to explain jailbreaking is that when you get your phone from your provider, you can only load applications through their approved app store. Jailbreaking is essentially a hack that you can find on the Internet to allow you to sideload applications around what was already approved by your service provider.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

It allows you to use your phone as a computer. It's much more usable, but much less secure, so it's a trade-off.

5:20 p.m.

Liberal

The Chair Liberal John McKay

Okay. I see. Thank you for that.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

The reason I wanted to get to jailbreaking a little is that you talked earlier about PKI: public encryption, public key systems. If you have a jailbroken phone, your private key can be compromised, and therefore everything you are doing is very easily compromised. Is that a fair assessment?

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

It's not quite as easy as that. There is a risk there. The risk to that device actually increases, and then obviously we want to know if that phone is jailbroken so we can make risk-based decisions on that user or any transactions they're trying to perform.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Okay.

I have a financial institution-specific question, fortunately, for you. Last fall, my wife lost her credit card, and of course it got used quite a bit. There was nothing we could do about it because they used the tap function, and there's absolutely—

5:20 p.m.

Conservative

Jim Eglinski Conservative Yellowhead, AB

I'm older—

5:20 p.m.

Voices

Oh, oh!

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

It took her two days to notice that she'd lost it, but anyhow.... We don't have to put that in our Hansard.

The point is that there is no security on these tap cards that I can see. What is the method to secure PayPass and payWave, the RFID technology that we're using now? Is there anything we can do to actually make it secure?

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

EMV payments are using fairly advanced cryptography. I wouldn't say they're insecure.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

They're secure so long as you have them, but if you lose them, there's nothing to authenticate that the person using it is the person who's supposed to be using it, which there is with PINs and, to a certain extent, with the numbers on the back of the card. There's none whatsoever for tap.

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

All I can say is that within the banks we have various fraud strategies and limits on EMV payments as a result of that. I'm sorry to hear about your wife's experience.

5:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

They didn't refund it because we hadn't reported it missing. We didn't know it was gone until we got about $200 in charges in that time. My point is only that this can happen and there's no practical system to stop it.

It depends on your goodwill as a bank to refund it, but it isn't ultimately your fault. I'm wondering if there's any way around that, but there doesn't seem to be.