Cringe as you read Horrible Histories: UK Banking Sector, sigh as MPs finger cloudy Big 3 as future risk

Re: Not got much hope

Who needs SIM Swap fraud, if someone steals your wallet don't you think they will also steal the expensive mobile phone you're carrying?

For some reason my bank fails to understand that this makes SMS useless (I have tried telling them) and now insists on sending me a text code for every online transaction with my debit card and most interactions with their own website. If I thought I could avoid this annoying shite I'd switch banks but if they're not doing it already they soon will.

As for insecure systems monitoring vulnerable adults well I could make your hair curl with tales from a critical care provider where the DPO thinks we can keep all data forever and use live data in development & testing without masking or anonymisation (and told me I was wrong) and nothing is encrypted. Not to mention a public facing website that contains detailed personal information on supported people that the IT dept can't say is secure.

Re: Not got much hope

I'm not sure it's just uselessness. Doing security properly costs money. Money that "couldn't-give-a-shit" company directors/C-suite don't want to spend.

Re: Not got much hope

Thing is not long ago the UK banking industry did it right, it had a standardised hardware card reader capable of generating OTPs from an applet running on the card + PIN.

The mobile apps came along and they sort of collectively lost the plot as Marketing took over and ditched the requirement to have the card, when they could have decided to go with something like the app getting the OTP from the chip via NFC when logging in if the user really didn't want to use the card reader because it's too big and heavy and they'd break their back dragging it around with them all day.

Re: Not got much hope

MVNO operator giffgaff has recently rolled out a 2nd-factor protection against SIM swap fraud. They send a code as an SMS to the existing SIM and as an email to the registered email address, so you have to have one or the other to be able to carry out a SIM swap.

I recently tested this when I lent my mother-in-law a SIM to use while waiting airside at Heathrow before returning to China, with the instruction to bin the SIM on arrival. After she arrived, I performed such a swap to a spare SIM I had, using the code that arrived by email.

Of course, this requires that your email password and your giffgaff account passwords are secure!

Re: Not got much hope

I'm not going to say I totally disagree with you, but I'm also at the point where I think you are overreacting a bit. My bank has also implemented two factor authentication via SMS, as have numerous other websites I use such as Amazon etc - and as far as I can tell it works ok. All it does is send a time sensitive 8 digit code to my mobile that I need to use when I log in at a point in time. For any crim to get access to my accounts they'd also need access to my log on ID, password, and security phrases / codewords. And lets be honest, the chances of that are miniscule.

I'm not siding with the banks here, but they do have to balance security and everyday practicality for their users - so it's always a delicate balance. Security doesn't begin and end with the banks, it also requires the end user to take precautions with their credentials and devices. I think we'll all agree however that it definitely should not involve keeping PINs, account passwords and user IDs written down on a piece of paper in ones purse - as my sister used to do. She now keeps them in a password protected note on her mobile - which is only a slight improvement in my mind.

Silly sister.

Re: Not got much hope

> My own buinding society proudly emailed me to bost of their new

> security measures. They're going to start to use SMS as a second factor

Nationwide?

I got that email. All the links in it pointed to nationwide-services.co.uk, not nationwide.co.uk.

Apparently I can trust that it’s genuine because they know my postcode.

Pretty shocking.

Re: Not got much hope

"My own buinding society ... going to start to use SMS as a second factor."

And for the first time my bank did that just now. And the phone battery promptly expired. As I'm sitting at home next to the charger I could plug it in. It's not exactly hard (except, it seems, for banks) to think of circumstances where that might not be possible.

Re: somewhat unfair

One of the issues is that the legacy platforms so denigrated are more secure, more reliable, more resilient, even more efficient (?) than what is replacing them (so far). 'Stick it in the cloud' seems like a dangerous move that reduces cost, but does nothing to address security, reliability, or even resilience.

TSB should be excoriated for not having a fallback plan and for not making one up on the spot and implementing it.

Re: somewhat unfair

Spot on. I work with most of the large UK banks and also the payment system operators behind things like BACS and Faster Payments.

The focus on resilience and uptime is remarkable.

The Faster Payments scheme went something like 10 years with no downtime, running on a 24x7 basis. Visa also had a incredible uptime stat until their outage for a couple of hours a year or so back (after which the "experts" at the Treasury Select commitee put them through the ringer as if they were a bunch of naughty kids).

Let's not also forget that even with TSB, the whole thing was essentially forced through government incompetence in the first place, forcing Lloyds to bail out HBOS, almost taking Lloyds under, and creating a state owned monopoly that under EU rules was required to hive off what became TSB.

Those in government should look a lot closer to home if they want to see badly run, unreliable IT infrastructure and projects...

Re: somewhat unfair

"They don't want ... fraud ... They already invest heavily in ... security"

That may (or may not) be the case, but their publicly-visible actions don't seem to correlate with that. In the last couple of years, we've seen a banking web site that will silently truncate over-length account numbers when making a payment, numerous banking websites & apps with security vulnerabilities, a bank claiming to have anti-fraud systems in place then denying it when someone asks why obviously fraudulent transactions were made, and an industry generally dragging their feet on anything that would attempt to curb fraud (see the delayed-again account-holder verification).

Re: somewhat unfair

Correct - they don't want outages etc. But they do want profits more. Therein lies the problem.

Re: somewhat unfair

"But the Treasury Committee clearly don't understand just how much they're already doing, and how bloody hard that is."

And the financial services industry doesn't realise that they still aren't good enough and specifically that the loss of a local branch that we can visit is a particular problem.

The branches might not be used as much as they were given that there are other options. However they have a very specific role to play: they're our back-up. In IT we're used to the idea that we need to take back-ups and yet hope never to have to use them but when we do have nothing else will do. A slightly worrying possibility is that if banks can save money on the back-up the branch network provides maybe they're also saving money on not backing up their systems.

The first bank or building society that puts a branch back in my preferred village - a village where there used to be three - gets both my current and deposit accounts. I rather think that the bank or building society that realises that rebuilding a branch network is a competitive advantage will get a slew of new customers that makes it worth while.

Re: somewhat unfair

Yeah they are doing a lot to make it harder - to operate my account.

No one can pay cash into my account for me unless I add them as an authorised person, which is causing me a lot of inconveneience as I dont wish to add the 2 or 3 people who used to pop into the bank for me as they pass and the new super hi tech ATM that HSBC replaced our old green screen ATM with doesnt accept deposits.

However, the banks cant stop people taking money by transfer if the receiving account details are not identical to those given by the payment originator.

With the security holes, lack of branches and the few ATMS we have left round here being often out of cash Im back at the point where cash is king. Maybe its time we were given back the right to wages in cash - that migh wake this dozy lot up.

Re: Banks or Clouds

Make them reopen some branches as well as improving IT *.

Not everything can be easily done online / via phone with banking

Partner & I just about to open a new account with a different branch as bank we have used for years have closed down all local branches, so nearest branch many, many miles away.

So that account is getting closed and bank (well, building soc) that actually still has branches in easy distance of us is getting our custom instead.

* Though its not so long ago, when vast majority of banking stuff ran tried & tested mainframe code and was pretty much bulletproof. F knows what's happened since then (might be related to all the sackings of internal IT, as all my banking IT old contacts (hence no idea of recent changes in bank IT ) have long since moved to pastures new after being outsourced

Re: Banks or Clouds

With ApplePay and now the Apple Card, I fully expect Apple to either buy a Tier 2 Bank or setup a fully fledged banking operation within the next few years.

Is this good or bad? Hard to say at the moment but at least it isn't Google, Facebook or Amazon doing the same although FB is trying to go beyond that and bypass banks altogether with its own crypto-currency.

Now where is that fence I can sit on?

Re: Contractor exodus

To be fair there's an argument to be made that:

- If you're a "senior" contractor who has been around long enough to build up organisational memory you are almost certainly an employee in all practical terms anyway and thus should be paying your National Insurance like the rest of us

- If a bank is allowing external suppliers to build up enough institutional clout that they cannot be swapped out then this constitutes a risk that should be eliminated by replacing the function with one managed in-house.

Re: Contractor exodus

Just a reminder - when matress stuffing..... not too many twenties as they are being replaced next year.

Re: Which is a bigger worry?

They are both an enormous worry. Once upon a time, the notion of confidential had meaning. Now, apparently, banks have forgotten that and see no more problem in putting customer data on someone else's server.

And if this is the trend, then saying that you won't deal with a bank that uses The Cloud (TM) is not an option because they're all going to be doing it.

Reminds me of a saying with the words 'Hell' and 'handbasket'.

Re: Which is a bigger worry?

If banks take a similar approach to the DoD, then the banks will likely be in good hands.

Checkout GovCloud if you don't believe me - it's not "just" AWS/Azure. It's effectively large-scale managed hosting - you can only connect to the private side via authorised connectivity and the Internet facing side is very strictly managed.

There are no "shared" DC's allowing public cloud/GovCloud in the US (I don't know enough about non-US GovCloud-type alternatives to state if this is universal).

Re: Which is a bigger worry?

The worry is cumulative:

But the committee also believes there is a strong case to start regulating cloud providers to reduce risks associated with the concentration of banking infrastructure on the big three platforms – Google, Microsoft and Amazon Web Services.

If we add on to this the US DoD, the UK Gov., ...

What we are seeing is a very rapid concentration of IT infrastructure and services; in few short years it won't be the banks who are "too big to fail" but the big-3 cloud platforms...

Re: Wow. You mean for real?

The core value is almost always in reinvestment. There's a lot of IT supporting it (so you're not wrong about them being an IT biz), but a bank (also insurers, pensions, etc) makes it's money by spending your money in ways that they get it back with interest before you need it.

That pile of gold in the basement is almost entirely the government saying "you can only gamble with x% of your customer's money, and need to keep the rest on hand". Though these days the pile of gold in the basement is a pile of bits several machines agree is your pile of bits.