Canada - Autumn 2018


How are tests performed?

Our framework performs the same “basic security tests” on every bank that appears on our charts. These include tests for certain common vulnerabilities, or digital practices. When we see specific issues at a bank, we add “bank-specific” tests for that bank to repeatedly check for any ongoing (or future) recurrence of these known problems. These bank-specific tests cover all manner of items, including checking for known leaks, breaches, cloud leaks, confidential customer data leaks, vendor leaks, and many other issues. In exceptional cases, adjustment scores are appended to the end of the tests as a result of issues that are known to us and can be tested by humans. This includes items such as issues with mobile applications, payment systems that require humans to initiate transactions, security issues with specific staff, branches or locations, and so on. Details of these are logged, and both the banks and governments can see when this occurs.

How many tests are performed?

This depends on the size of each bank. For a large bank with a large digital footprint, we commonly perform anywhere between 200 and 750 tests.

How are results displayed?

We tally the test results, sorting first by the percentage of tests passed, then by the number of tests performed (in case two banks have the same percentage of tests passed), and finally by name in alphabetical order. For security reasons, we don't publish how many tests were done on a specific bank, or what the percentage of passes was for each bank.

Do you log what you find wrong in each bank?

Yes. Each month’s chart is compiled and a full audit trail is generated and archived. The logs are not stored on this webserver or any other webserver, but are kept in cold storage until needed.

Do you sell the bank tests?

Banks will be able to purchase and run their own tests in the very near future. For security reasons, one bank cannot purchase another bank's test framework. The tests are expanded and enhanced regularly, so banks should renew frequently to stay on top of things. If you are a bank interested in purchasing your bank's tests, please use the contact form below.

Do you sell the bank test logs?

Due to the nature of the logs and the pictures they paint about each bank, we don’t publish the logs. However, they are definitely available to regulators, law enforcement and other government agencies for an appropriate fee. If you are interested in the logs for your country, please contact us.

Do you check banks in other countries?

We currently check all major domestic regulated banks in Canada. We check banks in other countries, but we do not currently publish charts for those.

I don't see my bank. Where is it?

We only show the top 10 banks in Canada. If we showed how badly some banks score, it could cause those banks to become targets. That wouldn't be good for the customers. Further, we only publicly show results from Canada.


The Digital Banking Security Index was started in Canada. It was created by someone who was not impressed with Scotiabank's (their bank at the time) idea of what security looked like, and wanted to make the world a safer place by measuring and quantifying how bad the problem was. The manual safety checks that were being repeatedly performed on this bank were eventually automated, and then these tests were extended to encompass more banks, allowing us to compare other banks to the original bank. Currently, we check banks across three four countries on three continents.

Contact Us