Scotiabank internet whizzkids screw up their HTTPS security certs

The team behind Scotiabank's Digital Banking Unit isn't impressing some customers, after forgetting to renew the security certificates for their own website.

The DBU was set up last year to sell "world class digital solutions" to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, tipped off The Register that the bank's hipster factory certificates had expired nearly five months ago.

"Tuesday next week is the five month anniversary of the certificate expiring and no one has noticed," he said. "This from a group supposed to showcase how smart the bank's IT people are. The irony is strong in this one."

Coulls said he tried to warn the team that their SSL certificates were out of order, but has received no response from them. Then again, that appears to be par for the course for the Canadian bank.

In 2016 he spotted that the bank's mobile app had some rather unusual features – notably that the programmers had laden the code with f‑bombs. He informed the bank in April and got no response, so let the regulators know. Scotiabank fixed the code within 24 hours.

The latter incident was particularly concerning, because under banking law – specifically PCI compliance rule 16.3.4 – banks are required to inspect their code carefully to make sure it is secure. It seems as though the DBU isn't the only group asleep at the switch.

The Register asked Scotiabank for a comment but no one was available at the time of publication. ®