Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce
Issue 25 - Evidence - March 11, 2015
OTTAWA, Wednesday, March 11, 2015
The Standing Senate Committee on Banking, Trade and Commerce met this day at 4:15 p.m. to study the use of digital currency; and to consider a draft budget.
Senator Irving Gerstein (Chair) in the chair.
[English]
The Chair: Good afternoon. Welcome to the Standing Senate Committee on Banking, Trade and Commerce. Today is the sixteenth meeting in our special study on the uses of digital currency, including the potential risks, threats and advantages of these electronic forms of exchange.
To date, the committee has received presentations from a wide range of witnesses, including government agencies, digital finance experts, academics and bitcoin companies. As we have all become aware, digital currency is indeed a complicated subject.
Today we will continue talking about one of the more complicated areas of our study, cybersecurity. To speak with us today, I am pleased to welcome, from TD Bank Financial Group, Paul Milkman, Senior Vice President and Head, Technology Risk Management and Information Security. Mr. Milkman and his team direct and support TD in the protection of its information assets through the implementation of information security policies, standards and procedures.
We will proceed with an opening statement from Mr. Milkman, to be followed by senators' questions. Following the meeting I would ask that senators remain for a few minutes to have a brief in-camera session.
Mr. Milkman, the floor is yours, sir.
Paul Milkman, Senior Vice President and Head, Technology Risk Management and Information Security, TD Bank Financial Group: Thank you. Mr. Chair, I appreciate the opportunity to be here today.
In my role as the head of Technology Risk Management and Information Technology Systems for TD, I have a broad but fairly simple mandate to ensure information security, both within the bank itself as well as in our interactions with customers and clients. On a daily basis, this role brings me face to face with the very, very challenging topic that this committee has taken on: digital currency and new digital forms of exchange.
Electronic transactions are a fast evolving space. To start with the right frame for this discussion, the central issue before us is electronic transfer of value. This can include the transfer of traditional forms of currency as well as digital currencies, but it also includes things like rewards, miles or points. It is important to frame this discussion this broadly because the technologies now in use allow a company to structure its business to do any or all of these things.
From a consumer's perspective, there are now a proliferation of options for storing their money and other forms of value, as well as technologies and companies they will employ to transfer that value. Traditional participants, such as banks, have evolved their services, but there are also a myriad of technology companies offering new payment service products that are collectively referred to as "payment service providers."
Digital currencies are another interesting development as they seek to establish a new form of value beyond the traditional currencies created by central banks. It is not surprising, therefore, that you have seen both policy-makers and central bankers take a more proactive role in digital currency issues in recent years, not only to ensure that users and holders of a currency understand the risks but also to ensure that a digital currency does not corrupt existing monetary systems.
There is a role for regulated entities. For the traditional players such as banks, massive new technology investments are made each year to continue making transactions as simple and safe as possible.
In terms of business evolution, this has been a rather lightning speed movement from a reliance on cheques as the most common way to transfer money between individuals to a world where any bank that didn't have a mobile application would be considered a serious laggard.
The reason is simple. Large, highly regulated banks are directly competing with each other and technology companies of all sizes, from start-ups through to large well-established technology companies. We all want to offer services that consumers want to use to execute transactions they want to make.
The business models of payment service providers differ widely, but their goal is the same — to attract customers who want to execute transactions through their service. It is important to note as we move toward a discussion of the public policy framework in this area that the policy goal of safety and soundness in the Canadian payment system still relies largely on the regulatory oversight of the traditional participants in the system, i.e. the regulated financial institutions.
There are a number of risks to consider. In my view, the Canadian policy framework for regulated entities is operating well. Regulated entities continue to confront challenges in the digital environment, such as cyberattacks, and policy evolution is required in some areas, but overall the system performs well.
As this committee continues its work, I would identify several areas where having unregulated payment service providers in market could potentially impact the Canadian market.
I will turn now to the subject of consumer protection. Unregulated payment service providers operate outside of the robust consumer protection framework that applies to regulated financial institutions. They are not required to provide standardized disclosure on key features and risks of a product or to establish a dispute resolution process for lost items, unauthorized transactions or errors. They are also not subject to rules that ensure a consumer can monitor transaction activity, which enables them to limit their liability for unauthorized transactions or errors.
A second risk is money laundering and terrorist financing. Banks have significant processes in place to identify individuals, to authenticate them before a transaction can take place, and to track transactions and report suspicious activity to FINTRAC. Many payment service providers are currently unregulated. Payment service providers could be subjected to AML/ATF requirements similar to the obligations that cover other financial services organizations, such as meeting basic screening criteria and holding client funds in segregated accounts.
There is also some systemic risk. With an increasing number of payment service providers operating in the Canadian market and corresponding increases in transaction volumes and transaction values, there is the potential for greater systemic risk unless the control functions within these payment service providers are required to meet the same standards as traditional, regulated companies.
Inevitably, there's a tension between the desire for an innovative, open digital economy with low barriers to entry and the need to ensure safety and soundness. I have identified some of those areas of tension.
We want to move away from a regime, however, where technologies have only the appearance of safety and soundness because of the underlying processes conducted by a regulated financial institution, and to move away from digital currencies that have only the appearance of the safety and soundness provided by central bank-backed currencies.
We need to have a strong consumer protection regime, a strong prudential regime, strong anti-money laundering and terrorist financing procedures and a strong regime protecting against systemic risk.
I look forward to your questions and an active dialogue.
The Chair: I read an article with interest this morning that says digital has overtaken regulation as the top priority for global banks. Would you agree with that? It says they spoke to 268 bank executives. I don't know if you were one of them or not.
Mr. Milkman: I was not. I would say that cybersecurity is listed as the top risk of the bank at TD on our managed risk list. We generally feel that, over the past few years in particular, we're generally fairly aligned with the regulators on importance of security, privacy and consumer protection, so we wouldn't treat it as a risk or top of mind. We would say we need to fix the real problems.
The Chair: Before I turn to my list of questioners, I know it is not an area that you are directly involved with, but I suspect indirectly, so would you like to comment at all on how you view the safety and soundness of block chain technology in terms of the ability to transfer funds?
Mr. Milkman: I don't know that I'm prepared to comment on it generally. I would say that I don't think the bank has taken a position from a business standpoint. As a security professional, I would say there's nothing that disqualifies it or rules it out completely if appropriate controls are in place.
The Chair: They did make the statement. Witnesses have said it has never been hacked.
Mr. Milkman: That's true of everything for a while. But eventually, given the potential for quantum computing and even human error, there's nothing un-hackable in the world.
The Chair: That's an interesting statement.
Senator Tannas: Thank you for being here. We heard testimony from a number of witnesses over the course of the last number of months about their inability to get a bank account if there is even a sniff or a whiff of the fact that they were involved in bitcoin. I assume that they didn't miss going and asking TD for a bank account, and so I assume that your bank is rejecting people at this stage who are in any way connected with bitcoin.
Correct me if I'm wrong, but if we provide the legislation that you talked about and that we're considering for making sure there is soundness around this activity, will your bank start accepting customers who are dealing with digital currencies?
Mr. Milkman: The short answer is yes. TD has no policy today against bitcoin and no formal procedure relating to it, but we don't have mature products to interact with it.
It is, to us, still an uncertain currency. Its value can shift. We do not have control nor do central banks have control of the forces that can make its value shift, so we don't perceive it as a significant instrument right now in consumer welfare, well-being or the delivery of financial services.
But TD does not have a policy against it and we are not, in general, against innovation in the space and have often adopted innovation in the space.
Senator Tannas: Our understanding is that if I am an operator of a business that is involved in the consultancy of people who want to do something in bitcoin, if I'm a lawyer who accepts bitcoin transactions, they're not asking the bank to take bitcoin. But if any portion of their business touches bitcoin, they are somehow a risk to the bank, AML/ATF, Know Your Customer and that they are being refused the ability to open a simple chequing account in the name of their business.
Mr. Milkman: I can't speak to any such instance that I am aware of. However, we have 24 million customers; it is possible that something has happened but I would be willing to follow up.
Senator Tannas: You are not aware of any policy that would prevent people today, if I was a bitcoin exchange guy, from having my chequing account that I pay my staff with, pay bills and so on, at TD?
Mr. Milkman: Right. Fair banking practices actually would disallow that.
Senator Tannas: We always wondered about that.
Mr. Milkman: We have a set of basic requirements around Know Your Customer.
We do have to check a variety of lists that people might be on. But there is no such policy and I don't think we could legally justify one.
Senator Tannas: Could you confirm that at this stage, TD would be willing to accept commercial customers who are engaged in the digital currency business? Could you clarify one way or another and let the clerk of the committee know?
Mr. Milkman: I will.
Senator Massicotte: Are you aware that any of your clients are bitcoin exchangers or traders? Do you have clients currently?
Mr. Milkman: I don't know that I would be aware. I am a security professional. I'm more living in the realm of protecting clients. I have not come across, in my daily routine, people who are significant traders of bitcoin, although I know the child of at least two employees who have worked on mining bitcoin and have actually set up processing stations and that didn't seem to bother anyone.
Senator Massicotte: Are they clients of TD?
Mr. Milkman: They're TD employees and also clients of TD.
Senator Massicotte: The information we have is that the banking system seems to refuse these types of firms. I presume, given your expertise, that if that kind of client came into their office, they would possibly ask you what you think of the risk from a security standpoint in dealing with these people. Is that accurate? Is that probable?
Mr. Milkman: If it didn't involve their transactions with us, which opening a chequing account wouldn't, out of curiosity we might be interested to see how the proliferation of bitcoin is going. But we don't have a position for or against it at this time.
Senator Massicotte: You don't have a position for or against, but you are not aware you have any one client among your million clients.
Mr. Milkman: I would say mathematically it is highly probable that we have many clients who work with bitcoin. I don't think we could identify them. Even if we could identify them, we could not legally disclose that we knew that information about them.
Senator Massicotte: Have you heard of the technology, as we heard recently from a witness, called Ripple? Does that mean anything to you? What are your thoughts on that? Maybe you can explain what it is and your thoughts on that technology.
Mr. Milkman: Think of it as similar to bitcoin. It is a different model, algorithm, a different way of calculating value, but it is the same idea. It is a currency that is not connected to the exchange with any particular central bank, so it has a supply and demand element to it, just like bitcoin has. I don't think it is significantly different from bitcoin.
Senator Massicotte: Is there a fluctuation of the Ripple value?
Mr. Milkman: There is fluctuation of all of the crypto-currency values. It's inherent to the fact that they're not locked to any central currency.
Senator Massicotte: A witness told us that's not the case for Ripple. Given the structure in place, there's no value from owning the currency within the structure. As you know, it is a centralized clearinghouse, as opposed to being crypto-currency. It was also interesting to me, and relative to technology, that many banks in the world are basically clients of that technology and using it as a settlement system. That basically told me, "Wow, that's immediate confirmation of the adequacy, security and usefulness, in a technology sense, for at least the major banks in the world."
Mr. Milkman: I won't venture into the statistics, but I think you would find that Ripple is smaller than bitcoin, and even bitcoin is insignificant in terms of global transactions. There is some experimentation going on between a number of banks as it relates to exchange. I have heard of the Ripple experiment and I know that there are people at TD looking at it although I don't know that we have undertaken it.
We don't have any religious or philosophical issue with any of these new technologies. I believe that we look at each one on their merits and their risks. Just as we used to pay everything by cheque, Interac was a significant innovation, as were Visa, MasterCard and AMEX. Chip and pin technology was an innovation. We look at them on their merits. A couple of factors have to be in place. First, we need to see how we can have an ability to protect our customers who use a particular financial instrument. And second, we need to know that there is significance to the instrument. If both of those bars are passed, generally speaking, banks have been pretty good about uptake. If either of those bars is not passed, if something isn't big enough yet to know how to deal with it or we think there's something inherently unsafe about it, then we would not be involved.
Senator Massicotte: You are a technology expert in security. Do you see the chain block technology, either centralized or not? Is there a probability that it is effectively doable at little cost? Does that threaten your type of system that this new technology may change the way you do business? The competition would increase dramatically in the resettlement payment system. Maybe you should force the whole bank to use it better. If you have a new competitor, maybe you should be more competitive or maybe you should hurry up and adapt the technology to be competitive to what is coming.
Mr. Milkman: Unlike the payment service providers, where there might be a little bit more competition for revenue, I would say, in that particular case, that settlement is an expense to a bank. We would welcome cheaper secure forms of settlement, because that would actually lower our operational costs and it might improve our business model. I don't know that we would see ourselves as competitive against things like that. We wouldn't see ourselves as competitive relative to the digital currencies either. They don't hurt us or help us.
If there was a way to secure them and they were appropriately regulated and controlled and a reasonable transfer of value, we would use them like anything else. Again it would neither hurt us nor help us. It might lower our cost of business because it would be a simpler currency but I don't think it would be something we would perceive as competitive.
Senator Black: Mr. Milkman, thank you very much for being here. This is very helpful. I have a today question and a tomorrow question.
My today question is: You have correctly identified what we have heard from many witnesses — that the risks are around consumer protection and potential money laundering and terrorist financing. We have also heard — and this is what I would like your comment on — that generally speaking the state of the law in Canada on both those issues now, the tools are likely there to deal with any issues that may exist. Would you agree with that?
Mr. Milkman: The tools exist within the players that are regulated. The tools frequently do not exist for some of the new players who don't face the same regulatory standards. The overhead of a large bank as it relates to security and privacy is high. At TD we have publicly said that we spend somewhere between $175 million and $200 million a year just on that. That's not money laundering. That's not anti-terrorist. That's not compliance. And that's not regulatory. That's just security. And it's not spending just for the sake of spending. That's tools and hardware and software, people monitoring transactions, people testing us, testing our software and other things. That doesn't happen by accident. It happens after years of maturity. In places where the new players in the game are tightly partnered with banks, there's very often a greater degree of maturity and security in places where you have sort of much more independent innovation. You may get great innovation, but then it takes us a while as a society to figure out how to use it safely.
I would say that those risks are very real but not everyone is applying the same level of effort to protect the consumer and to protect the assets of the financial market.
Senator Black: You would say to us that we should be alert to those two questions in this forum.
Mr. Milkman: I believe that's at the heart of the question for this forum.
Senator Black: My tomorrow question relates to a comment I read in today's Financial Times. Have you seen today's Financial Times, March 11?
Mr. Milkman: No. I saw the Globe.
Senator Black: I want to read you a quote and I want your comment. It's on the front page of the business section of today's Financial Times. It's a quote from a woman called Blythe Masters, the former head of global commodities at JP Morgan, who has been appointed chief executive of a crypto-currency start-up in which she's also investing. She's responding to the libertarian concerns that this is why bitcoin exists, because people want to avoid big business and big government. She dismisses that and she says:
They say they want the world to change, but the world will change by adopting new technology to do a better job. Reducing the frictional costs of financial transactions is one of the great challenges of our time.
Would you comment on that?
Mr. Milkman: I don't know from a business standpoint if I can. As a security professional, I would say it's an interesting comment. I would say that anonymity and independence as a specific goal for a currency is interesting and it may have some value, but it has continuously first been used by those who would like to be anonymous for a reason.
Money laundering and terrorist financing are as old as the hills and won't go away, yet the friction does not come from the currencies. Any currency that she might be supporting will not solve the friction problem, because the friction problem comes from the desire to assure value for individuals and to assure a degree of transparency to what happens to money globally.
Senator Black: Thank you very much, Mr. Milkman. That's very helpful.
The Chair: Perhaps, Mr. Milkman, you could describe to the committee just some of the work that you do, obviously, or a person in your position — I don't want to relate it solely to TD — and how you deal with the whole issue of crypto-currencies and security. You've got a lot of responsibility on your head.
One of our earlier witnesses provided a cartoon that I thought summed up the situation very well for us. It showed an individual standing in front of a bank teller with a hood over their face, holding a gun, and the caption underneath it from the teller was: "Have you tried going on line?" I think that appeared after the weekend in which close to half a billion dollars had been taken out of accounts from very reputable banks by some type of cybersecurity breach.
Is yours a proactive business or a reactive business? Can you just share with us a little about what you do? How many times do you get attacked? Is it a daily affair or a multi-day affair?
Mr. Milkman: Organized crime and individuals attempt to attack us, probe us and figure out weaknesses in our defences many thousands of times a day.
The Chair: A day.
Mr. Milkman: That is why, when I talk about what we spend, you begin to understand how difficult it might be. If you have 24 million customers, thousands of business partners and many suppliers, we have to separate what they want to do, which is generally pursue their own self-interest and either use our services or partner with us for services from the bad people who are attempting to look just like them. That has gotten very difficult.
To use TD as an example, I arrived at TD about five and a half years ago. We had between 40 and 45 people in security in the core team, and we probably spent $8 million, or something like that, a year. The core team in security is now between 250 and 275 people, and we have hundreds more that do other types of infrastructure work to protect the bank. So we have people monitoring the underground economy. We have people working with threat intel experts in China, experts in the Ukraine, experts dealing with Putin's nephews in Russia, and experts dealing with the sort of growing threat of cyberterrorists that we've seen around the board.
For me it's gone from being what many people imagine as being a cybersecurity professional, fighting one-on-one against a hacker, to a big corporate department with all of the same scale and spend that you would expect in any big corporate department. The difference is the urgency in what we attempt to solve for is very high. My cellphone is off right now. It wouldn't be ringing, but at any given moment I would be seeing a flow on potential incidents all day long.
The reality is that we have done reasonably well to keep fraud limited and we have done reasonably well not to be a vehicle for money laundering, but not because there aren't people trying. If you have been watching what 2014 looked like, more than a billion credit card numbers were stolen in 2014, but not from banks. They were stolen from merchants. That causes us to create new investments, to start to work with the merchants to try to bring them up to speed, because the risk in many cases is not coming from the bank itself. It's been coming from business partners or people doing bank-like activities. That sort of brings us back to why we get a little nervous when people who don't have big, strong security organizations want to do banking activities, because we end up often holding the bag. We end up very often paying the guarantees to consumers. We feel like we're paying twice because we're building the protections and it's in many cases our partners, or third parties, or merchants, who are the ones getting hacked and compromised.
The Chair: Well, we've asked you a lot of questions about what you see today. Now we'll make it difficult for you. We're going to ask you to look into your crystal ball, which is always difficult. I don't know if it will be five years, 10 years or 15 years out, but are we going to see credit cards, a plastic card, come to the end, the concept of transferring on a card? With what we're seeing now with Apple Pay and PayPal, the whole concept of transferring off of cellphones, 20 years from today, in your crystal ball, will there still be credit cards around?
Mr. Milkman: I wouldn't think so. I think a cellphone is potentially a more secure item. We talk a lot about identification and authentication. You probably will have heard bits of this, but when you want to do a transaction in banking or a transfer of money, you first ask somebody who they are. That's your ID. The second thing you do is now that they say who they are, how do you verify that? This is authentication. How do you know they are who they say they are? You can do three things. You can ask them for something they know, for a password, for their mother's maiden name, something that's replicable. You can then store it and they can give it to you. It's something. It's better than nothing but it's not necessarily that strong. Somebody could steal a password.
The other thing we talk about in two-figure identification is something that you have. It's a physical thing that cannot be replicated. A cellphone is a great example of that. Every cellphone has its own physical address and it has a relationship to a phone carrier. If you could capture that information, it's very hard for somebody to replicate that. That would be an example of what you have. Another one would be a key fob or an RSA token, if you've ever seen those.
The third is what you are. There is what you know, a password; what you have, a cellphone or a key fob; and what you are, which is biometrics, your DNA or your thumbprint if you use an iPhone. There is good news and bad news in that.
The reality is that a plastic card isn't terribly good because it can be replicated. A plastic card with a chip probably can't be replicated so it gets to that second level of authentication, which is good but it's inconvenient.
A chip in a cellphone, which everybody seems to want to carry anyway, is the more likely way we will be banking 10 years from now. That would be my expectation.
The bad part of the crystal ball is that globally the Internet has educated a lot of people, so we probably have more people with access to technology resources than we've ever seen. We also have a growingly evident disparity between rich and poor. That binodal social order, combined with more people being educated than ever before — who don't necessarily have access to wealth — and the ubiquity of the Internet and technology, creates a bit of a perfect storm. I'm not terribly comfortable with what the next 10 years will look like in terms of the fact that we're going to have a significant and probably growing amount of innovation from people who do not have access to a better life, but are aware of it.
I wouldn't say I have a dark view of the future. We're going to keep up as best we can, but we should realize that the forces that have gotten us to this place are still there.
The Chair: That completes round one. I have one senator's question on round two.
Senator Massicotte: Given that the chair took the initiative to go off subject a little bit, I find the subject very interesting and maybe what I'm looking for is comfort. We were in the United States recently and somebody said forget the four digit code, in a maximum of a half hour they'll find it.
I look at my own experience with one of your competitors. They won't allow the four digit code and they asked me, what is your mother's name? In Quebec, the women maintain their maiden name, so there's no secret there. It's going to take you two seconds to find out what my mother's maiden name is. It's no security whatsoever. Then they ask, what kind of car do you like? Well, if anyone knows what kind of car I drive, it's probably the one I like. You generally buy the car you like. It's not very good in my mind. I said, "Oh, boy, this is not very secure."
How do we make sure we don't find ourselves with a major problem, and then we'll argue with the bank on whose fault it is? Will they reimburse us, not reimburse us? It's pretty scary stuff.
Mr. Milkman: It is, and it's how I spend my days. I think increasingly with the types of historical questions that get asked, there's been more advancement in the U.S. because there's a greater standardization around the credit reporting bureaus and the data they can collect. That comes at the cost of privacy, so there's a little bit of a balance there between security and privacy.
I think we will get to what we call out-of-band authentication, which is something that will combine what you know, some of those questions they might ask, with something that you have such as a text to a number that they know to be you.
That is actually pretty good. It would be hard for a bad guy to have your cellphone in hand and know what car you drive.
We have to get away from this idea that it's either safe or not safe. The reality is we're looking for 99 per cent and then you're usually okay, and there will be a limited number of fraudulent transactions. I think you will see that all of the banks will continue to up the bar little by little. And we're all working with different technologies and options to continue to get ahead of the people who would defraud you.
Senator Massicotte: Do you want to comment on the American system? I also have an account at the Bank of America, yet when I deal with the bank, if you go withdraw cash from the teller, they will ask for your passport or they now have debit cards with your picture on it, otherwise you can't withdraw. When I go to the bank online, they have photos, a good system of checks. You have to identify the photo, enter a six-digit number.
If you look at a credit card, they don't have the chip system yet. They have very strong security as far as the accounts, but they still have the old credit cards. Now they're finally getting caught up because they're getting caught, effectively. Why do you see this amazing variation of security?
Mr. Milkman: Having worked extensively on both sides of the border, I would say the U.S. reticence to adopt chip and pin baffles everyone. Even now, it's chip and signature, which is not quite as good. I think there was a perception that the cost to small merchants of strengthening the merchant systems that would protect card transactions would just be too high. The banks that end up paying most of the guarantees in the U.S., as they do in Canada, would probably have gone for it quite a bit earlier, although there were some lobbying efforts against it.
I don't think there's a rationale to why the U.S. operates the way it does in this particular space. There isn't an answer. They will adopt chip and pin. They're beginning to phase it in. I think by 2017 all but the smallest merchants will have it. The small merchants probably won't have it until 2020, but the retail providers will move to it. They've had enough evidence this year that it's probably not a good idea to operate without it.
In the meantime, the organized crime units that were skimming from, let's say, Canadian ATMs, basically all moved south of the border to do as much damage as they can before the chip becomes prevalent. You're seeing American banks dramatically increase their protections on their ATM and direct account transactions, but they can do nothing about the card because the merchants don't have the ability to read the chip.
Senator Massicotte: Would you make a comment on the thumb technology? Is that very secure? You referred earlier to your —
Mr. Milkman: My iPhone.
Senator Massicotte: Is that very good?
Mr. Milkman: Yes, it is. You asked about the day-to-day life of someone in cybersecurity. We, like many other banks, had to take a strong look at Apple Pay, and at TD in the U.S., our Visa cards actually work with Apple Pay. They are a partner of ours in the U.S. In doing that, we had to evaluate every inch of the security with that partnership, because it included many parts that have nothing to do with banking.
The actual thumb authentication in Apple made us nervous not because we were not sure if it was good — we knew it was good — but because we were worried that all of those patterns of thumbs were going back to Apple into a single collected database. That scared us, because if ever stolen — and everything eventually gets stolen — somebody would have that type of information on hundreds of millions of people globally. We thought that was very dangerous.
We had to verify with Apple's security team exactly where that data went and where it didn't go. In fact, it never leaves the individual device. If we found out the other, we would not have done business with them in the U.S.
Senator Massicotte: Being an individual device, is it secure? Can it be easily hacked by somebody?
Mr. Milkman: It is not easily hacked. There will be instances over the next few years where some are hacked, but through a number of simple techniques that are not electronic, they're physical techniques.
Senator Massicotte: Is it highly dependable relative to use?
Mr. Milkman: I believe so, in our experience. We, as a bank, won't speak for any piece of technology, but I would say we had to do quite a bit of testing to consider whether we would have anything to do with it in the U.S. Generally, we didn't see significant weaknesses.
Senator Black: In terms of cooperation in innovation, I know in the oil sands in Alberta the major participants are working together to share technology as they try to become more efficient and effective in the work they do. You mentioned the tremendous work that your bank is doing.
Do you work with your competitors to share innovations?
Mr. Milkman: Yes, we work with both our competitors and with industries that are, we would say, behind the banks. We would say that the energy industry would be one of those industries, so there are two major areas. Within the banks, through the Canadian Bankers Association, we actually have a collection of the major banks and financial institutions that actually meet regularly and also have a working group. When there's an incident or a particular threat to one, we share it across in an anonymous way so that everybody knows what to be afraid of, not who is doing it.
On a larger scale, we are working with Public Safety, SIRC, CSIS and CSE on a number of best practices and a number of ways to assist the other industries. Generally speaking, if you are a bank and anyone gets hurt, you get hurt in some way because it is a customer — any significant entity in Canada is a customer of one of us.
Senator Greene: As you know, bitcoin doesn't essentially keep a database. From that point of view, it is very difficult to hack. It may not be in future difficult to hack an individual transaction or an individual doing a transaction, but it strikes me that it is virtually impossible to hack a large amount of data because a large amount of data on bitcoin really does not exist in contrast to banks or retail operators. Stores such as Target, as we have seen, keep massive amounts of data and because of that are targets for hackers. Could you comment from that point of view in terms of rewards and risks for hackers?
It seems that the rewards for hacking bitcoin are very low so it is unlikely to happen, whereas the rewards for hacking a bank or maybe other operations like it, such as retail stores, are probably high because of the amount of data that's kept.
Mr. Milkman: I would say the model is different. For example, let's say everyone in this room has a significant amount of bitcoin. Assume for the moment that we can manipulate it and manage it the way you manage other accounts with a computer. And a very high degree of individual computers are being compromised right now. Let's say your bitcoin gets stolen. That doesn't hurt anybody else, although it does alter the supply. The problem you have now is that because there's no central registry maintained by central banks, someone has it in a foreign country. So first, you can't prove that it was yours; second, you can never get it back; and third, they can never be traced. Essentially a value has moved with no recourse.
If you had a central database and a large number of similar things — let's take Target — you knew exactly which card numbers were taken, and you knew that you could reissue cards or protect clients or give them special privacy monitoring, so it actually allows some recourse. Further, it allows consumer protection. Once your bitcoin is gone, perhaps you can prove that someone hacked you, but no one will be able to identify or serialize that later.
The Chair: Mr. Milkman, I haven't decided yet whether or not I was surprised when I asked the question how many times is the bank attacked a day. You said that it was 1,000 times a day. That sounds like a lot but I guess if it happens every day you get pretty used to it. If you would accept my next question with the greatest of respect, what keeps you up at night? If that doesn't, what does? Something must, and I don't mean to be personal.
Mr. Milkman: If you are in this business for 20 years, there is nothing that keeps you up at night.
I have had some long nights. There was a period a few years ago in 2012 when an Iranian-supported group was launching denial of service attacks to block web access to banks, mostly U.S. banks, but because we are also a U.S. bank, we were on the list. There were some nights when we worked very hard to ensure that TD customers would be able to bank the next day. Generally we did pretty well with that.
There have been some rough nights. There are things that are scary, but they're more related to the fundamental protection of the Internet. They're less related to things that people would do to TD or to another bank. They're really more related to what would happen if we lost the Internet altogether, things like that, for a period of time. It would be pretty disruptive. We do think about some of those scenarios.
Senator Massicotte: I think today's Globe and Mail or another newspaper talked about an incident that an individual had with CIBC where his card was cancelled seven times. It has been a disaster. Did you see the article?
Mr. Milkman: No, not that one.
Senator Massicotte: His card is constantly cancelled and copied. He just can't get services. Is that unusual? From the article, obviously, we're getting a nice story, but there doesn't seem to be any particular reason that he is picked on constantly.
Mr. Milkman: We would say that the least protected entities right now in the banking world are individual consumers and small businesses. We know how difficult it is to protect an individual PC from being compromised. I don't know what the statistics are, but there is a tendency for an individual who has been compromised to be continuously unable to clean up their machine. Basically the same person can see every financial transaction they do and will simply compromise them time and time again.
In fact, the more it happens to you, the more often it is likely to happen because you are on somebody's hot list. If it's that kind of credit card theft or direct fraud, it is either somebody in the U.S., Canada, the Ukraine or Russia most likely that has you on their list. They have a PC that tracks you and they know when you are online doing transactions and they pop up. Then a key logger captures your new card and off they go to do a transaction.
People who have compromised machines most frequently will get compromised multiple times. It is not a rare story.
Senator Massicotte: How about the new software we read a lot about? People told us about malware or something of that nature, whereby it is very easy to get on our system and then they blackmail you for payment to get rid of it, either family pictures or whatever. Is that something we should worry about?
Mr. Milkman: CryptoWall is common but individual. As a bank, we have seen it so many times that we can usually block it. If somebody manages to get it, we have procedures to reimage the machine and clean it up. We would never pay it. For an individual it is much more difficult because they have to go to a computer professional and if they don't have backups in a safe place, they may lose data. It is a nuisance.
We have seen relatively few really big problems, but we have seen some small businesses literally go down for a couple of weeks because of it. It can be harmful.
Senator Massicotte: How about in the United States where it is an issue with emails, as we saw with Hillary Clinton? How about our emails? Is there an issue of somebody getting copies of it automatically, especially with iPad which is less secure than BlackBerry? Should we worry about that?
Mr. Milkman: It wouldn't be top on my list that people are reading your email. It wouldn't be the most likely thing. It is possible, and periodically Google's Gmail has been hacked.
Yahoo mail has been hacked, so there have been instances. More likely, if something like that is happening, again, it comes back to malware on the PC. Somebody has gotten you to click on a site that you shouldn't or open an attachment you shouldn't, and, essentially, they have a view into your machine, which means they can see your IDs and passwords for email. They may generate email, generate spam, on your behalf. Most of us don't have email that's interesting enough that anybody would want to read it, but some very specific individuals, like senators, might be a little more worried about that.
But it is not really any different from any other kind of personal PC protection.
Senator Massicotte: Now we have a lot of software that sells you that. You have Passbox, Dropbox, Password Box, and others. What they're telling us is that, when you use that, put all of your passwords, all of your confidential information, in this particular site. Does that resolve the issue of somebody getting hold of our program? Does that mean you have an additional level of security, or they get into it?
Mr. Milkman: Or there's another place they can steal it. I don't know that it's necessarily better.
Senator Massicotte: Why not? It might be better than normal information in the address or the notes.
Mr. Milkman: It is not the method I would use, I don't think.
Senator Massicotte: What method would you use?
Mr. Milkman: My ultimate passwords I rotate and almost never write down. I do change them every 45 days for everything. I have a limited number of account numbers and specific data that I keep in a safe, physically, and I have a number of other things that make sense to me but that no one else would understand. So different ways of storing things electronically.
Senator Massicotte: Every 45 days you change them?
Mr. Milkman: Every 45 days, I change every password I have. My corporate ones require me to do that. Everything at TD must be turned over every 30 to 45 days.
Senator Massicotte: I have trouble remembering the names of my kids, never mind changing my password every 45 days.
Senator Tkachuk: How many kids do you have?
Senator Massicotte: I can't remember. I know of four.
The Chair: Committee, you are digressing too far. Mr. Milkman, I started by saying this is a very complicated topic. I don't want you to take it in any negative way that it is still remaining complicated to us, but, on behalf of all of the members of the committee today, I would like to express our great appreciation for your appearance. You've been very helpful as we wade through this most interesting topic. Thank you for joining us.
Mr. Milkman: Mr. Chair and senators, thank you for having me.
(The committee continued in camera.)
(The committee resumed in public.)
The Chair: Is it approved?
Senator Tkachuk: I so move.
Senator Massicotte: I second.
The Chair: Carried.
(The committee continued in camera.)