Cringe as you read Horrible Histories: UK Banking Sector, sigh as MPs finger cloudy Big 3 as future risk The Treasury Committee has told UK bank regulators they must do more to force banks to improve their woeful record on IT. Recommendations include increasing the levy paid by the banks so regulators can afford to hire better staff. But the committee also believes there is a strong case to start regulating cloud providers to …
My own buinding society proudly emailed me to bost of their new security measures. They're going to start to use SMS as a second factor. Nice to think they've been merrily developing a security architechture based upon a disredited model. SMS hasn't been good enough for years due to how easy it is to carry out SIM Swap fraud.
It's better than nothing I'll grant that. But they'll have known SMS is discredited but developed for it anyway because its the cheapest option. they're not alone either. I've had dealings with at least three large companies who will process large amounts of special category data. One didn't think there was anything wrong with having an unencrypted login to a system monitoring vulnerable adults, two others have special category (health) information and with single factor logins on public websites. They too are 'developing' an SMS based MFA. With reluctance. One is having ongoing arguments with us that health referrals don't contain personal information threfore it doesn't need to be secure (we've had enough of the nonsense and we've started speaking to the ICO about this one).
I'm getting very tired of just how fucking useless, niave, short sighted, two-faced, (have I said "fucking usless" already?) big businesses are. I'm loving the big fines the ICO handed out to BA and Marriot and I look forward to more. Then they might get it, might.
Who needs SIM Swap fraud, if someone steals your wallet don't you think they will also steal the expensive mobile phone you're carrying?
For some reason my bank fails to understand that this makes SMS useless (I have tried telling them) and now insists on sending me a text code for every online transaction with my debit card and most interactions with their own website. If I thought I could avoid this annoying shite I'd switch banks but if they're not doing it already they soon will.
As for insecure systems monitoring vulnerable adults well I could make your hair curl with tales from a critical care provider where the DPO thinks we can keep all data forever and use live data in development & testing without masking or anonymisation (and told me I was wrong) and nothing is encrypted. Not to mention a public facing website that contains detailed personal information on supported people that the IT dept can't say is secure.
I'm also curious as to what level of threat SIM swap attacks actually are.
Are we basically talking about transferring the number from your existing SIM card to a new SIM card (which is in the possession of a fraudster, rather than you)?
To port a number, wouldn't the fraudster need to have a PAC code, which they could only get if they can pass the authentication checks carried out by the telco when contacting them about the account?
If attempting a social engineering attack by claiming the phone (SIM) is lost or stolen, wouldn't the telco either require some authentication before sending out a new SIM in the post, or (presumably/hopefully) requiring the customer to show appropriate ID before issuing a new SIM at one of their shops?
In practice, it works often enough for criminals to specialize in making their living wiping out people's bank accounts. Getting shop staff to give you a new SIM is just a matter of social engineering. Another possible strand, featured recently on BBC radio's "Moneybox" personal finance news show, is to recruit an innocent teenage accomplice to do it on behalf of the criminal, maybe disguising the actual motive. Of course the accomplice probably gets caught, but you don't.
> If attempting a social engineering attack by claiming the phone (SIM) is lost or stolen, wouldn't the telco either require some authentication before sending out a new SIM in the post, or (presumably/hopefully) requiring the customer to show appropriate ID before issuing a new SIM at one of their shops?
Hoping that phone shop staff work diligently is not an excuse for the banks to roll out and then rely on broken technology. It's a bit like saying bank notes don't need sophisticated anti-forgery mechanisms because shop staff will spot them.
Note also that, while currently it is mostly SIM-swap attacks, the entire phone infrastructure is based on a notoriously broken, easily hacked command and control system, SS7, that has had known attacks at the telco infrastructure layer redirecting messages etc.
In 2008, several SS7 vulnerabilities were published that permitted the tracking of cell phone users.[14] In 2014, the media reported a protocol vulnerability of SS7 by which anybody can track the movements of cell phone users from virtually anywhere in the world with a success rate of approximately 70%.[15] In addition, eavesdropping is possible by using the protocol to forward calls and also facilitate decryption by requesting that each caller's carrier release a temporary encryption key to unlock the communication after it has been recorded.[16] The software tool SnoopSnitch can warn when certain SS7 attacks occur against a phone,[17] and detect IMSI-catchers that allow call interception and other activities.
SIM-swap attacks are more targeted, but SS7 hacks could be done en-mass.
Like any specific crime against individuals, SIM swap attacks are rare on a per-individual statistical scale. But so is robbery, even mugging is rare on a per individual basis.
However, within the realms of crimes being committed, especially within 'identity-theft' type crimes, it is not uncommon - at least on a global scale, some countries might have lax standards so is easier in some countries than in others.
For example, in the US there are cases against AT&T, Man sues AT&T after fraudulent SIM swap led to $1.8M cryptocurrency theft.
Choice quotes from that article:
In Shapiro's case, AT&T employees did not just unwittingly give hackers control over his phone, the lawsuit says. AT&T's "employees actively profited from this unauthorized access by knowingly giving control over his phone number to hackers for the purposes of robbing him," the lawsuit says.Shapiro backs up his lawsuit with details from a criminal case filed by the US government against nine people, including former AT&T employees Robert Jack and Jarratt White.
"[C]riminal investigations reveal that a third-party (an individual identified by authorities as 'JD') paid Jack and White to change the SIM card associated with Mr. Shapiro's AT&T account from the SIM card in Mr. Shapiro's phone to a SIM card in a phone controlled by JD and others," the lawsuit said. JD paid White $4,300 to conduct SIM swaps, including the swaps in May 2018 that targeted Shapiro, and paid $585.25 to White, the lawsuit said.
These employees were "prolific SIM swappers," with White conducting 29 unauthorized SIM swaps in May 2018 and Jack conducting 12 unauthorized swaps that same month, the lawsuit said.
(emphasis mine)
Two AT&T staff between them did 41 SIM-swaps that month alone. It's unlikely that that month is the only time these staff did it, and it is unlikely they are the only staff doing this. I'm not saying all staff do this, it would be a rare event on a per staff member basis, but in absolute terms with thousands - maybe 10's of thousands - of staff in this one provider alone, the absolute numbers would be quite high.
There was a spate of attacks against German and Swiss banks that were using SMS for 2FA. I don't know the details of the attacks, but they were severe enough that the banks have moved away to more robust 2FA approaches.
Ah! here we are: https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/ So not SIM swap, but a volume based attack.
"If I thought I could avoid this annoying shite I'd switch banks but if they're not doing it already they soon will."
Almost all of the banks are desperately trying to obtain mobile phone numbers from all of their account holders, as SMS is generally the "go-to" method for the "secure payment" malarkey that's going on at the moment.
I've been seriously considering telling them that I don't have a mobile phone to see what they do next.
One of my banks (where I only have a credit card with them) is trying to push out card readers, which is at least more sensible. However their system has been set up to only let debit card holders order one (which, of course, I don't have). Their solution when I rang them up to complain was to recommend that I open a current account with them!
SMS-based 2FA is not useless, because it *does* protect against attacks of the 'attacker somehow figured out your password' type, like credential stuffing. But yeah, it's no use against SIM swap or SMS hacking attacks, and banks really should've got that message by now. (They haven't in Canada either, though; one of my banks doesn't do 2FA *at all*, good grief, and the other lets you pick at login time to receive either an SMS or an automated phone call...)
Thing is not long ago the UK banking industry did it right, it had a standardised hardware card reader capable of generating OTPs from an applet running on the card + PIN.
The mobile apps came along and they sort of collectively lost the plot as Marketing took over and ditched the requirement to have the card, when they could have decided to go with something like the app getting the OTP from the chip via NFC when logging in if the user really didn't want to use the card reader because it's too big and heavy and they'd break their back dragging it around with them all day.
'Thing is not long ago the UK banking industry did it right, it had a standardised hardware card reader capable of generating OTPs from an applet running on the card + PIN.'
I still use mine, despite the repeated "We listened to our customers and have made it easier to log into your account!", and they will still send you a replacement when asked.
RBS still require use of the card reader to do things like set up a new Payee on payments and transfers. So it hasn’t entirely died.
However I have a credit card with another provider, the one formerly commonly owned but now in the hands of venture capitalists, they will email a confirmation number BUT if you do something like select the text option, get tired of waiting and select email you get the same number through both AND if you get tired waiting for the email and choose send again they send the same number both times.
I also selected paperless statements on the online banking system they made me register for as the ONLY way to achieve that. Not only did I not get a notice of a new statement by email but a paper one turned up today. Which was a minor miracle in and of itself as they’ve been going missing in the post, hence going paperless. Except it doesn’t seem to work and ringing them up gets no answers. Oh and the phone system doesn’t recognise my card # either.
It all rather smacks of gross under investment in systems.
I was thinking of moving my current account now the mortgage is paid off and I’m not tied to RBS any more, but I’m thinking less and less of the idea.
Not dropped the reader, rather keeping it and using SMS as a fallback if you can't/don't want to use the reader. They're also keeping the customer number and replacing memorable information (passwords) with your DOB (public information).
What's odd is they've interpreted PSD2 to mean no passwords but other banks are keeping them. If a fallback is required, leaving aside the merits or otherwise of SMS, I would have thought that having to get a password that only you should know right beforehand would be an extra layer of security to protect against SIM swapping/cloning.
MVNO operator giffgaff has recently rolled out a 2nd-factor protection against SIM swap fraud. They send a code as an SMS to the existing SIM and as an email to the registered email address, so you have to have one or the other to be able to carry out a SIM swap.
I recently tested this when I lent my mother-in-law a SIM to use while waiting airside at Heathrow before returning to China, with the instruction to bin the SIM on arrival. After she arrived, I performed such a swap to a spare SIM I had, using the code that arrived by email.
Of course, this requires that your email password and your giffgaff account passwords are secure!
I'm not going to say I totally disagree with you, but I'm also at the point where I think you are overreacting a bit. My bank has also implemented two factor authentication via SMS, as have numerous other websites I use such as Amazon etc - and as far as I can tell it works ok. All it does is send a time sensitive 8 digit code to my mobile that I need to use when I log in at a point in time. For any crim to get access to my accounts they'd also need access to my log on ID, password, and security phrases / codewords. And lets be honest, the chances of that are miniscule.
I'm not siding with the banks here, but they do have to balance security and everyday practicality for their users - so it's always a delicate balance. Security doesn't begin and end with the banks, it also requires the end user to take precautions with their credentials and devices. I think we'll all agree however that it definitely should not involve keeping PINs, account passwords and user IDs written down on a piece of paper in ones purse - as my sister used to do. She now keeps them in a password protected note on her mobile - which is only a slight improvement in my mind.
Silly sister.
I'm not going to say I totally disagree with you, but I'm also at the point where I think you are overreacting a bit. My bank has also implemented two factor authentication via SMS, as have numerous other websites I use such as Amazon etc - and as far as I can tell it works ok. All it does is send a time sensitive 8 digit code to my mobile that I need to use when I log in at a point in time. For any crim to get access to my accounts they'd also need access to my log on ID, password, and security phrases / codewords. And lets be honest, the chances of that are miniscule.
I think the point is that if your log on ID, password and security phrase / code words were secure then the banks wouldn't need to introduce two-factor SMS. It's precisely because those things are not secure (enough) that they are bringing in this measure.
If you haven't realised, the banks aren't relying on SMS for security per se, they're relying on you realising that you've lost your phone and reporting it quickly.
In theory this is better than the current situation where you have no idea whether your login creds have been stolen or not, until money goes missing, by which time it is too late.
The 'over-reaction' from us commentards is that SIM swap puts people back in exactly the same situation: you have no idea that your SIM has been swapped until it's too late. Sure, phone-addicted type will realise they've lost connectivity but they won't associate that with being the victim of a fraud until it's too late. And if SIM-swap fraud becomes so prevalent that the general public do realise then ... well we're back where we started.
"they're relying on you realising that you've lost your phone and reporting it quickly"
Actually, they're relying on [a] finding the cheapest way to ostensibly fulfil their "obligation" to security (thereby reducing their insurance burden), [b] passing the liability as far as possible to the customer, and [c] systems people who latch onto the "obvious" because they don't have enough understanding of underlying principles or of cause and effect (like at Boeing).
This is also the world where the Mitre Risk Management Toolkit recommends ‘Encourage outrageous ideas’ as a means of identifying risk scenarios.
The net result is that, like at Equifax, nobody is actually taking realistic risk control decisions. Everyone is winging it while believing they're doing fine - until of course the accident happens, whereupon it's always a "black swan".
My bank has also implemented two factor authentication via SMS, as have numerous other websites I use such as Amazon etc
I'm afraid we'll have to take your commentard licence off you sir, Amazon have a choice of SMS or TOTP and faced with that choice you clearly should have chosen TOTP.
What you’re hinting at is that a lot of consumer facing security design is based on making it not worth a criminal’s while breaking that security. If the risk goes up, the design changes to meet it to maintain the status quo.
However that’s increasingly not sustainable. It depends on the rate of relatively minor incidents increasing slowly, acting as a warning sign that improvements are needed. But with modern cloud systems, reliance on SMS, etc. there is a risk that a bank, or possibly all banks, are hit with one mega incident with no warning, causing economic mayhem. Whilst this risk might seem low, the impact is too high for it to be safely ignored.
Plus there’s problems like, how much does it cost to bribe a cloud operator admin? Probably far less that you’d think.
> My own buinding society proudly emailed me to bost of their new
> security measures. They're going to start to use SMS as a second factor
Nationwide?
I got that email. All the links in it pointed to nationwide-services.co.uk, not nationwide.co.uk.
Apparently I can trust that it’s genuine because they know my postcode.
Pretty shocking.
"My own buinding society ... going to start to use SMS as a second factor."
And for the first time my bank did that just now. And the phone battery promptly expired. As I'm sitting at home next to the charger I could plug it in. It's not exactly hard (except, it seems, for banks) to think of circumstances where that might not be possible.
Millions of transactions a day are securely processed, day after day after day. Bank IT is exceedingly resilient and surprisingly secure.
More credit is due to the Financial Services organisations that keep the country running. They don't want outages, they don't want fraud, they don't want poor publicity or additional regulation. They already invest heavily in technology, redundancy and security, and already deliver world class uptime.
Could they do more? Of course. But the Treasury Committee clearly don't understand just how much they're already doing, and how bloody hard that is.
One of the issues is that the legacy platforms so denigrated are more secure, more reliable, more resilient, even more efficient (?) than what is replacing them (so far). 'Stick it in the cloud' seems like a dangerous move that reduces cost, but does nothing to address security, reliability, or even resilience.
TSB should be excoriated for not having a fallback plan and for not making one up on the spot and implementing it.
Spot on. I work with most of the large UK banks and also the payment system operators behind things like BACS and Faster Payments.
The focus on resilience and uptime is remarkable.
The Faster Payments scheme went something like 10 years with no downtime, running on a 24x7 basis. Visa also had a incredible uptime stat until their outage for a couple of hours a year or so back (after which the "experts" at the Treasury Select commitee put them through the ringer as if they were a bunch of naughty kids).
Let's not also forget that even with TSB, the whole thing was essentially forced through government incompetence in the first place, forcing Lloyds to bail out HBOS, almost taking Lloyds under, and creating a state owned monopoly that under EU rules was required to hive off what became TSB.
Those in government should look a lot closer to home if they want to see badly run, unreliable IT infrastructure and projects...
"They don't want ... fraud ... They already invest heavily in ... security"
That may (or may not) be the case, but their publicly-visible actions don't seem to correlate with that. In the last couple of years, we've seen a banking web site that will silently truncate over-length account numbers when making a payment, numerous banking websites & apps with security vulnerabilities, a bank claiming to have anti-fraud systems in place then denying it when someone asks why obviously fraudulent transactions were made, and an industry generally dragging their feet on anything that would attempt to curb fraud (see the delayed-again account-holder verification).
"But the Treasury Committee clearly don't understand just how much they're already doing, and how bloody hard that is."
And the financial services industry doesn't realise that they still aren't good enough and specifically that the loss of a local branch that we can visit is a particular problem.
The branches might not be used as much as they were given that there are other options. However they have a very specific role to play: they're our back-up. In IT we're used to the idea that we need to take back-ups and yet hope never to have to use them but when we do have nothing else will do. A slightly worrying possibility is that if banks can save money on the back-up the branch network provides maybe they're also saving money on not backing up their systems.
The first bank or building society that puts a branch back in my preferred village - a village where there used to be three - gets both my current and deposit accounts. I rather think that the bank or building society that realises that rebuilding a branch network is a competitive advantage will get a slew of new customers that makes it worth while.
Yeah they are doing a lot to make it harder - to operate my account.
No one can pay cash into my account for me unless I add them as an authorised person, which is causing me a lot of inconveneience as I dont wish to add the 2 or 3 people who used to pop into the bank for me as they pass and the new super hi tech ATM that HSBC replaced our old green screen ATM with doesnt accept deposits.
However, the banks cant stop people taking money by transfer if the receiving account details are not identical to those given by the payment originator.
With the security holes, lack of branches and the few ATMS we have left round here being often out of cash Im back at the point where cash is king. Maybe its time we were given back the right to wages in cash - that migh wake this dozy lot up.
There was a meme a few years ago with Bill Gates and Steve Jobs sitting next to each other laughing:
Bill: "Went to see the bank today about a loan"
Steve: "Why do you need a loan?"
Bill: "I don't"
Just makes me wonder when the big cloud providers who already host many of the bank services actually end up buying the banks.
Make them reopen some branches as well as improving IT *.
Not everything can be easily done online / via phone with banking
Partner & I just about to open a new account with a different branch as bank we have used for years have closed down all local branches, so nearest branch many, many miles away.
So that account is getting closed and bank (well, building soc) that actually still has branches in easy distance of us is getting our custom instead.
* Though its not so long ago, when vast majority of banking stuff ran tried & tested mainframe code and was pretty much bulletproof. F knows what's happened since then (might be related to all the sackings of internal IT, as all my banking IT old contacts (hence no idea of recent changes in bank IT ) have long since moved to pastures new after being outsourced
I genuinely can't think of any need for a physical bank branch these days other than for making deposits or (sometimes) withdrawals, and either ATMs or post offices can do that.
Anything else should be able to be done via internet banking, phone or videoconferencing.
Even for mortgages or loans, the bank knows who you are, and the details of your finances, and doesn't necessarily need to meet you in person (or could retain a few branches in larger towns and cities only, if need be).
That only works when you have clean data.
One misspelling, or coincidental birthday could have you confused in the dB with someone else.
You then can't pass authentication because you need the same wrong answers as the DB. Pub Quiz style.
Some of the first hand accounts have been told in these very comment sections
"or could retain a few branches in larger towns and cities only, if need be"
I don't want a branch in a larger town or city. The town where my nearest branch is now located, like so many, has an anti-car obsession that means the most effective way of getting there is to drive to where I previously banked, park there and get a bus. Any bank or building society that puts a branch back there gets my accounts as fast as I can get over there to transfer them.
@Doctor Syntax, genuine question: what do you need to visit an actual bank branch for (that a post office does not serve (assuming that you are in the UK, or another country where post offices provide cash handling services))?
I am perfectly willing to accept that there may be use cases that I am not aware of where a bank branch may be of use, and to rethink my stance, but I just can't think of one. (I'm just being inquisitive (not, unexpectedly or otherwise, Inquisitive.)
With ApplePay and now the Apple Card, I fully expect Apple to either buy a Tier 2 Bank or setup a fully fledged banking operation within the next few years.
Is this good or bad? Hard to say at the moment but at least it isn't Google, Facebook or Amazon doing the same although FB is trying to go beyond that and bypass banks altogether with its own crypto-currency.
Now where is that fence I can sit on?
Let's talk again after April once all the contractors had left due to IR35 (in effect it's already caused a blanket termination from all UK big banks)
Going perm is not an option for most. There are too many non-competes and financial penalties in place to make it worth while for most.
Senior contractors with years of knowledge in their heads... now being replaced by junior outsourced staff from abroad.
Good luck to us all! Time to start stuffing cash in a matress again.
To be fair there's an argument to be made that:
- If you're a "senior" contractor who has been around long enough to build up organisational memory you are almost certainly an employee in all practical terms anyway and thus should be paying your National Insurance like the rest of us
- If a bank is allowing external suppliers to build up enough institutional clout that they cannot be swapped out then this constitutes a risk that should be eliminated by replacing the function with one managed in-house.
You are labouring under the misconception that somehow contractors have a large tax advantage when in fact they do not. (1)
If you did a bit of research, you would see there is very little difference in the overall effective taxation rates between full time staff and contractors; the new rules will effectively make the effective rates for contractors far higher than for full time staff without the legal protections and perks full time staff enjoy such as paid holiday and sick time.
That being the case for those deemed to be within IR35 is why the exodus will happen; I know a lot of people who simply will not take those positions without the rates paid going up sufficiently to keep their pay on par with what they currently make.
You can also see the effect of bizarre tax rules here. (Incidentally, refusing to work overtime is a form of tax avoidance which is perfectly legal).
(1) Contractors *generally* make more money per hour than full time staff but that allows us to actually have our (effective) paid holidays and sick time apart from having little to no job security; companies pay this premium for the *flexibility* contractors give them.
>the new rules will effectively make the effective rates for contractors far higher than for full time staff without the legal protections and perks full time staff enjoy such as paid holiday and sick time.
Minor nit - you are a full time member of staff, you're just a full time member of staff who is also the owner of your own employer. Therefore the "but I don't get holidays or sick time!" line should strictly be read as "but I choose not to give my employees any holidays or sick time!", which is also, if we're splitting hairs here, more than a little bit illegal and could land you in trouble if you chose to take yourself to a tribunal.
Though I doubt that would happen.
I’m about to become a contractor after 29 years in regular employment - blame the collapse of Thomas Cook for that.
So I have landed a contract, paying a reasonable rate, annually it works out at £money x 250 (working days in a year) for me to have the same typical holidays as someone employed then you can take it down to £money x 216 (25 days holiday + 8 bank holidays). Then If I am ill I don’t earn anything, if I need to take a training course I don’t earn anything.
I also need to pay my accountant £151+vat per month.
So in reality I don’t earn that much more than as a salaried person, with a lot less in the way of security, now I am lucky in that I don’t have a mortgage but it still isn’t that easy.
On another note I saw a contract for a ccnp engineer to basically replace wireless ap point on a night shift. Key requirement for job - must have a ladder!!
"if I need to take a training course I don’t earn anything."
Pro tip. You have an advantage here. The average employer finds great difficulty in making up their mind about this sort of investment. Your employer can make up your mind PDQ. There are circumstances where you can use that to pick up a contract for work that the average employer's employee could do but won't because they don't get that training. Yes, you're not billing and you have the cost of the course plus maybe overheads of travel and accommodation but it can be a worth while investment.
"Minor nit - you are a full time member of staff, you're just a full time member of staff who is also the owner of your own employer. "
Contra-nit. The difference is that the client pays their full time staff holidays and sick leave when they're taking that leave. They don't pay their contractors when they're not there so the contractor's company has to pay that out of the fees received from the times they are working. The OP might not have made that quite clear enoug for you but it's undoubtedly the point that was being made.
This
If a bank is allowing external suppliers to build up enough institutional clout that they cannot be swapped out then this constitutes a risk that should be eliminated by replacing the function with one managed in-house.
Should be
If a bank is allowing external suppliers to build up enough institutional clout that they cannot be swapped out then this constitutes a risk that should be eliminated by replacing the function with one managed IN INDIA
there fixed it for you...
"you are almost certainly an employee in all practical terms anyway and thus should be paying your National Insurance like the rest of us"
Usual uninformed A/C contractor envy. Usual reply: if you think it's that easy why are you still an employee? Are you not good enough or are you too risk averse? If the latter perhaps you're getting some inkling of why contractors used to be, and should be, treated as businesses, not as employees.
Nobody said that the “contractors” (who were/are nothing of the sort) had it “easy”. We do say that it is tax-dodging. Yeah, one reason why most people didn’t go that way is being risk-averse, but can you explain why somebody’s personality trait should be rewarded by the tax system while doing exactly the same work?
Let me propose the following law to you, and see how you feel about it.
Companies who employ more than ten people, administering PAYE, should be allowed to “pre-spread” the income across their employees such that the income tax band to be paid is based on the average, not per-person. Companies can re-allocate some of the total tax saved to increase the salaries of cleaning staff well above minimum wage, to make it worth their while too. Everyone’s a winner.
Logically, what’s wrong with it? Contractors do their own admin, cleaning, HR. Just because permies choose to specialise roles within our company, making some people go into higher tax bands, why should we pay more tax on aggregate for the same total amount of income and work?
- If you're a "senior" contractor who has been around long enough to build up organisational memory you are almost certainly an employee in all practical terms anyway and thus should be paying your National Insurance like the rest of us
That assumes that the years of knowledge are about a single financial institution. I have a friend that works contracts helping multiple banks implement payment systems because he helped write the standard and can help institutions accelerate a secure reliable implementation because he knows it inside out.
It doesn't make sense for him to go permanent, he needs to step in, deliver 4-6 months of tremendous value then move on to the next client.
That's not institutional clout, that's domain expertise; one of the very reasons contract work is so important to the economy.
They are both an enormous worry. Once upon a time, the notion of confidential had meaning. Now, apparently, banks have forgotten that and see no more problem in putting customer data on someone else's server.
And if this is the trend, then saying that you won't deal with a bank that uses The Cloud (TM) is not an option because they're all going to be doing it.
Reminds me of a saying with the words 'Hell' and 'handbasket'.
If banks take a similar approach to the DoD, then the banks will likely be in good hands.
Checkout GovCloud if you don't believe me - it's not "just" AWS/Azure. It's effectively large-scale managed hosting - you can only connect to the private side via authorised connectivity and the Internet facing side is very strictly managed.
There are no "shared" DC's allowing public cloud/GovCloud in the US (I don't know enough about non-US GovCloud-type alternatives to state if this is universal).
The worry is cumulative:
But the committee also believes there is a strong case to start regulating cloud providers to reduce risks associated with the concentration of banking infrastructure on the big three platforms – Google, Microsoft and Amazon Web Services.
If we add on to this the US DoD, the UK Gov., ...
What we are seeing is a very rapid concentration of IT infrastructure and services; in few short years it won't be the banks who are "too big to fail" but the big-3 cloud platforms...
Quote :
which requires banks to "have an explicit senior management function with responsibility for information technology"
Like actually admitting that IT is the core business of a bank?
Not pretending it's all based on cash or gold in a vault (Like back when great-grandad was a baby)!!!
The core value is almost always in reinvestment. There's a lot of IT supporting it (so you're not wrong about them being an IT biz), but a bank (also insurers, pensions, etc) makes it's money by spending your money in ways that they get it back with interest before you need it.
That pile of gold in the basement is almost entirely the government saying "you can only gamble with x% of your customer's money, and need to keep the rest on hand". Though these days the pile of gold in the basement is a pile of bits several machines agree is your pile of bits.
The report states: "The case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable. The government should urgently consider how best to regulate cloud service providers. Regulating them as critical infrastructure, while complex, may be necessary."
This implies that if the clouds continue to support retail banking, they're going to get hit with the regulation hammer. Until we know precisely what these regulations are, it's difficult for them to start calculating costs, but it's obvious there will be some sort of hit. This means that if your cloud supplier has consumer banks as customers the prices you pay will probably go up (unless they accept reduced profits from UK customers, or spin off banking services subsidiaries).
It's possible the tipping point when deciding on moving between cloud/local will change in favour of the latter soon.
Having forced me to give them my mobile number to continue to use their Android app, my scumbag bank are now using it to spam me to start using their app (!), upgrade my phone because of a known fault (in a different model of phone). I've asked them to point out their GPDA authorisation for doing such things. But ultimately I'm stuck, mobile phones are now required for banking access and if they continue to be scumbags they continue to be scumbags.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
