It's good to talk, UK banks told after massaging cyberattack figures Top techies at British banks are being encouraged to share information about cyberattacks following revelations that the financial sector is under-reporting breaches to regulators. According to the UK's Financial Conduct Authority, only five attacks were reported in 2014, a figure that has soared to 75 so far this year. But …
* * * How are Banks marching forward with Biometric without any public discussion? Its insane how they keep painting the rosy side (not having to remember passwords etc), while never addressing what happens once biometric data leaks out, as it will.
* * * I've got no confidence in anyone anymore. Certainly not government regulation of private industry.... Sing after me: "Its the self-preservation society".
Disclosure: I have worked at a bank during the last five years.
The "you can't revoke your fingerprint" argument is valid up to a point. You need to take into account that it's much more difficult to replay an intercepted bankend tokenised version of, say, a fingerprint, because the attacker needs to already be in the bank's internal auth network - in which case fingerprint replay is the least of their problems. Yes I know, gummi bears, but those attacks are implementation details.
As far as regulation goes, then as a security grunt down in the trenches I say bring it on. The levels of compliance monitoring in banks is, well, from my experience it's what you'd want it to be: stringent, independent, comprehensive. People still do bad things, no doubt, but the cost is much higher (because the of the need to evad compliance) and anyone doing it should be under no illusion that they're in serious trouble if/when caught. If the FCA or PRA regulated for mandatory security controls (even just Cyber Essentials compliance, for instance, that's a lot less noddy than you might expect - have a look at the requirements) -- banks would moan and groan, but they'd do it. or, at any rate, more of THEM would do more of IT, if such regulations were introduced.
@AC: "You need to take into account that it's much more difficult to replay an intercepted bankend tokenised version of, say, a fingerprint, because the attacker needs to already be in the bank's internal auth network"
.....Sounds like Security-through-obscurity... But the truth is hackers just need to get into the user fingerprint device that's paired with the account and play MITM... In effect, this is just another vector for keyloggers.
@AC: "The levels of compliance monitoring in banks is, well, from my experience it's what you'd want it to be: stringent, independent, comprehensive."
.....Not so. Look at Wells Fargo fake accounts in the US and the ongoing PPI scandal in the UK. There needs to be jail time and personal fines as a deterrent. Nothing else works.
Can't they go and report everything there in confidence*, or is this yet another set of "different laws" that seem to apply depending on who you know.
*Yes, I know I have commented in other posts on the dilemma this poses, but given that the place exists for this purpose, it would seem the sort of thing that it is meant to address, and might salve the concerns of the financial regulators.
I remember it being written in the papers about them getting caught not being entirely truthful about their financial states to the Bank of England.
Anon because I realised why certain things happened when and as they did, though after the facts were published in the papers. So I have no extra info, I just saw it first hand.
As long as the banks can draw up contracts that blame the customer for their losses, often in retrospect "We've just updated out Terms & Conditions!" in the hope that the upbeat language used will dissuade customers from reading the fine print which contains the grim news that fraud is now mostly the problem of the account holder, the banks have no cause for worry.
The banks have also, for many years, operated a policy of "sack the whistleblower and cover up". A good way to shorten one's career/contract in any bank is to point out the gaping security flaws in their systems. Banks rely on confidence to prevent a run on the bank, hence anything that threatens confidence is not to be encouraged. Only good news here, nothing to see, pass along please.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2021
