Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Banks Told To Reveal Tech Meltdown Plans (bbc.com)

Posted by msmash on from the setting-an-example dept.

UK banks have been told to explain how they would cope with a technology failure or cyber-attack. From a report: The Bank of England and the Financial Conduct Authority have given financial firms three months to detail how they would respond if their systems failed. Some TSB customers were left unable to access online banking for more than a month following a botched systems upgrade in April. Banks could be ordered to take action if their plans are judged to be poor. The Bank of England and FCA have emphasised that senior management at banks will be held accountable for prolonged disruption to services.

34 of 60 comments (clear)

  1. Silly by p51d007 · · Score: 2

    Yeah, tell how they would do it, then anyone that would try to "melt down" the tech sector or a cyber attack would know how they could scoop in and clean up. Real smart.

    1. Re:Silly by Desler · · Score: 1

      Because hiding what they would do is working so much better?

  2. Just follow military doctrine... by ksw_92 · · Score: 1

    After reading up on several large failures over the past years it seems like most UK banks cyber-DR plans seem to be lifted straight from the military: "When in danger, when in doubt, run in circles, scream and shout"

  3. Security by Obscurity by Comboman · · Score: 1

    Security by Obscurity is just another name for no security. Forcing the banks to be transparent about their processes at least makes it possible that problems can be found before they're exploited.

    --
    Support Right To Repair Legislation.
    1. Re:Security by Obscurity by Anonymous Coward · · Score: 2, Insightful

      Security by Obscurity is just another name for no security.

      To make use of a rude example: Tell me your credit card number, expiration date, security code, full name, social security number, and full address.

      Security often is keeping information confidential. "Security by obscurity" is a rule of thumb for only having confidentiality is insufficient. Having no confidentiality is equally insufficient.

      To give an example about what might happen during a disaster recovery effort with an attacker that knows the plan: the attacker would know what services you are running, where, the configurations; where the cold/warm/hot site is, it's configuration, it's security, and how data gets there. Imagine how easy it would be for an attacker to set up a MITM between a main site and a recovery site, or just physically infiltrate and compromise the hardware when he knows no one will be there.

      Giving out your recovery plan is no wiser than a general that gives the enemy army his battle plan.

    2. Re: Security by Obscurity by Anonymous Coward · · Score: 1

      Information can be secret, but process shouldn't be. If you're vulnerable to a MITM attack on the transport between main and DR sites, the problem is the lack of encryption on that link, not that someone found the route.
      DR sites should be manned and monitored for physical security just as much as your main datacenter.

  4. Obligatory by nwaack · · Score: 1

    1. Tech meltdown
    2. ???
    3. Profit!

    1. Re:Obligatory by PolygamousRanchKid+ · · Score: 2

      1. Tech meltdown

      2. ???

      3. Profit!

      1. Tech meltdown

      2. Government bailout

      3. Privatize profits; socialize losses

      We've got too many things that are "too big to fail" . . . and the "things" know that, and are expecting their bailouts.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  5. Not sure about the UK by rsilvergun · · Score: 3, Interesting

    but in the US I'd much rather hear about their plans to deal with the next economic downturn. Our right wing just repealed one of the major regulations here (Dodd Frank) that was passed to prevent another 2008 style crash. I've noticed that whenever we do something boneheaded Britain's right wing seems to take notes...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Not sure about the UK by AHuxley · · Score: 1

      That Electronic benefit transfer (EBT) stops working in the USA? No more digital Nutrition Assistance Program?
      In the USA some of the options when a nation wide cybering takes place are:
      1. Drive out to your cabin in the woods with its years of stored food, water filters, solar, books and wait out the city riots.
      2. Find that New Zealand passport kept for just such events and call up your business jet for a holiday. Enjoy the Hobbit Trilogy movie locations while the USA riots.
      3. Recall that person who could have had a cabin in the woods with a few years of food and ask them for an invite.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Not sure about the UK by AHuxley · · Score: 1

      See movies like the Road and the movie Mad Max.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Not sure about the UK by thegarbz · · Score: 1

      but in the US I'd much rather hear about their plans to deal with the next economic downturn.

      Profit or get bailed out.

      Okay let's go back to the technical question. I think it has more meat in it.

    4. Re:Not sure about the UK by Nidi62 · · Score: 1

      but in the US I'd much rather hear about their plans to deal with the next economic downturn.

      You'll find out in 9 months when the Brits still haven't gotten their act together and force a hard Brexit.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  6. Normal banking while its cybering outside by AHuxley · · Score: 1

    0. Create a pre banking sorting tent outside. Got an account at the bank? Got a savings account at that branch that supports teller services? The bank is open for you.
    1. Open at 10 am for people to use the teller services.
    2. Be nice to people who have an existing account at that bank. No opening any new account during a cyber event
    3. Get some photo ID and account details from a person who has the correct bank account with that bank branch.
    4. Find paper records on file about the person and their account.
    5. Support the account holder with their banking needs that day as they can show they have the correct account type that offers bank teller services.

    Banks are going to need secure paper work every day on every account that was ever opened at that location.
    An online all digital bank accounts, apps would not need to work as such services never supported that type of bank service. That would reduce the amount of service needed for all other bank accounts. Types of savings accounts only get support.
    No support for international bank accounts as they are not what that bank branch created.
    The only service a bank has to support is the accounts opened in that branch and of an account type that a bank teller has always supported.
    The display of piggy banks and colourful banking related images is relaxing while account holders wait in line.
    Lots of police to keep away the non bank customers and non supported account holders well away from people using their bank accounts.
    A gov can set a max cash limit to each account per day while it is cybering. That would set a rate and amount of cash needed to be transported each day to support a set of savings accounts per bank branch.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Normal banking while its cybering outside by xxxJonBoyxxx · · Score: 1

      >> 0. Create a pre banking sorting tent outside.

      Elon, is that you?

    2. Re:Normal banking while its cybering outside by AHuxley · · Score: 1

      Big tents can offer solutions to many cyber related problems. With banking and cyber its just the size of the tent near the bank and the number of police needed.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Normal banking while its cybering outside by aaarrrgggh · · Score: 2

      Sorry, but aside from trying to triage/pre-screen people everything else is unlikely to work. Do you have your full account numbers available in a non-electronic form? (I do for my credit union account, but not my "real" bank account-- there I just go in and give my ID.) The banks cannot manage the volume of paper required any more-- and even if they could, the complexity of banking needs today would make a paper ledger nearly impossible for solving modern banking needs.

      About the only thing you could do is try to revert to batch settlement via a redundant system. You would have to shut down ATMs, and I don't think there is any viable way to do bill payment and similar types of services. The links to direct-deposit paychecks would be almost impossible to manage as well if a bank is truly hosed.

      I'm all for redundant arrays of irresponsible banks.

    4. Re:Normal banking while its cybering outside by sjames · · Score: 1

      Not quite. If they cannot provide the promised online banking services, they owe all customers teller service until they restore their online services. After all, it's the bank that screwed the pooch so it's the bank that needs to bear the pain.

      The only reasonable alternative would be requiring the bank to give their online only customers their full balance in cash on demand and close the account.

    5. Re:Normal banking while its cybering outside by AHuxley · · Score: 1

      Re "Do you have your full account numbers available in a non-electronic form?"
      A bank statement they got from their bank by post over the years. The card they got with their account. Photo ID.
      That would provide some evidence the correct account exists at the tent outside the bank during sorting.
      The bank would then have its paperwork on file during a cyber event to show the account exists and was created at that bank.
      The person could then ask for a set amount of cash per day from their own account while the cybering lasted.
      Re "The banks cannot manage the volume of paper required any more-- and even if they could, the complexity of banking needs today would make a paper ledger nearly impossible for solving modern banking needs."
      Thats why only accounts created in that bank and for accounts that have teller support need to be allowed in during cybering.
      No networks needed as its cybering. Just the paper files created in that bank.
      A set of supported accounts created at that bank would be printed out and be on file.
      Re 'bill payment and similar types of services"
      The daily cash allowed would be enough to pay for food and other needed items from a shop. Citizens with ID, ATM cards and online banking apps with no way to get more cash would have to line up for the gov to hand out food.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re: Normal banking while its cybering outside by nitehawk214 · · Score: 1

      If you have a checkbook, you already have your account number. My backup file on my local network covers the rest of the details. Otherwise, get a piece of paper and a secure place to put it.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    7. Re:Normal banking while its cybering outside by AHuxley · · Score: 1

      Not if that account type never supported such services. The banks would be open for teller supported accounts from each bank branch.
      During a cybering no network crypto could be trusted to work any electronic network to see if such digital accounts and customers existed.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Normal banking while its cybering outside by sjames · · Score: 1

      That's the bank's problem. They need to have a contingency plan to deal with their own failures.

      The data exists or the account wouldn't exist in the first place. If they don't have an appropriately isolated internal network, they'll need to move data on tape around.

    9. Re:Normal banking while its cybering outside by AHuxley · · Score: 1

      The contingency plan is to look after a set of customers who hold the correct paperwork and account types.
      Crypto will be down during a total cybering so each bank is isolated and can only trust its own paperwork.
      Any attempt to network could result in contacting a fake network that supports fake bank accounts and fake crypto.
      Criminals could use the cybering event to present with fake networked apps and accounts requesting cash.
      A van or truck under police guard arrives with a set amount of cash for a set of a banks own account holders.

      A government could set up a system for people to show they are citizens, their ID and give out a set amount every day.
      That would be for a government to do. Re "data on tape around"? The power supply might not be working. Any central location could have been infected with malware before or as part of a cybering event. All later data added to or trusted from that tape could be used to criminal groups. It could also move malware from bank to bank.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re:Normal banking while its cybering outside by sjames · · Score: 1

      So they'll just have to copy data to a few tapes and send them by car. Enough data to handle the contingency would easily enough fit on one LTO tape. They'll have to do that anyway for the other customers since last month's statement won't likely be up to date.

    11. Re:Normal banking while its cybering outside by AHuxley · · Score: 1

      AC the bank gave the person a list of products and services. When the person selected an online online back account they understood that account would only ever work with the needed "internet" part.
      During a time of of cybering why should a bank change its policy? Risk fraud and criminal cash flows under the cover of cybering?
      The government can ask for photo ID, proof of citizenship and hand out free money every day during a cyber event.

      Criminal groups could use failed crypto and criminal bank staff to get money out of a bank under the cover of wide scale cyber events.
      After the cyber event a bank would have to tell online account users someone with the correct crypto at that time collected from all their accounts?

      --
      Domestic spying is now "Benign Information Gathering"
  7. Our reach exceeds our grasp.. by Rick+Schumann · · Score: 1, Interesting

    ..and greed has poisoned everything.

    Every week, right here on Slashdot, we read of at least one data breach. Banks and electronic payment systems are no longer immune to it, in fact they're at least as vulnerable, if not more so, than anything else. Most of you wander around all day long, eyes glued to the Mobile Surveillance, Tracking, and Data Logging Device you call your 'smartphone'. ISPs log your DNS requests, break into your HTTPS traffic, logging and analyzing your web browsing habits, ostensibly to 'insert targeted advertising', but all that Personally Identifiable Data still remains. The NSA/CIA/DHS/{insert gov agency here} pays companies like AT&T for direct access to Internet backbone traffic for the specific purpose of surveilling everything that happens on the Internet, everywhere. So-called 'social media' like Facebook exist solely as honeypots to not just collect people's Personally Identifiable Data, but to encourage them to volunteer it, and they pioneer new methods to extract data from people, whether they're willing or not. Most every country on the planet that can afford one has a cyber-warfare division of their military, and they're actively and continually working to break into corporate, government, and vital infrastructure systems.

    We are living in a house of cards. All it will take is One Stiff Breeze to blow it all down, perhaps taking our entire civilization down with it.
    What are you all going to do then?

    People rely more and more on 'automation' and mechanized 'conveniences' instead of learning skills themselves.
    When all the machines stop working, what will you all do then? Sit around and wait for the Repairman that will never come?

    There is no species that is the natural predator of Humans; we are our own predators, though.
    It only follows that the 'extinction-level event' that gets us will be caused by Humans.
    What will you all do then?

    The point of all this verbage is this: We need to change the way we do things, and we need to do it starting NOW.
    Do I have all the answers? Hell, no I don't! I don't even have some of the answers! But I can see that we're at a critical point where something is going to break in a big, bad way, but there may still be time to head it off.

    So, what are YOU going to do NOW?

    1. Re:Our reach exceeds our grasp.. by rtb61 · · Score: 1

      Nuthin' because as you well know, doing something costs money and doing nuthin' cost nuthin' and boosts this quarter bonus. Don't expect anything to change until regulations force it and don't expect regulations until it fucks up really bad. Likely the next major solar flare, which half of the planet, gets pretty digitally fucked up, just a matter of waiting to find out.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Our reach exceeds our grasp.. by Rick+Schumann · · Score: 2

      Of course you know I agree with you 100%, right? Why do you think I carry cash and pay cash for everything I can? Reduces my overall risk of getting caught in one 'data breach' or other that will expose access to my bank account. Even then the Equifax breach probably screwed me anyway, likely dozens of criminal organizations have all my Very Personal Data sitting on a storage device somewhere, and the only reason they haven't fucked me over with it is because I'm too poor to bother over. Guess we'll see what happens won't we? As you say: there'll have to be some major event happen before The Masses get their torches, pitchforks, pointed sticks, and what-not, and go out in the streets in force and demand something be done. Might be too late by then.

    3. Re:Our reach exceeds our grasp.. by AlwinBarni · · Score: 2

      Have you ever seen the movie "Cube"? - Humanity in a nutshell.

      To me it seems like the only way is to create society incentivizing learning and compassion and give everybody opportunity to learn, not just skills, but to learn to be a conscience human being responsible for his/her own actions, curious, active, assertive, non violent in pursuing its goals, knowing and understanding the history and last but not least participating in the democratic process - we should be OK then. Ignorance and corruption are very serious diseases for any society.

      Also psychology should be part of the basic curriculum, people should know how inherently biased and vulnerable to manipulation we all are. If we knew ourselves better, we would be less prone to exploitation and more understanding to others.

    4. Re:Our reach exceeds our grasp.. by Rick+Schumann · · Score: 2
      I agree with what you're saying, but allow me to attempt to distill what you just wrote down to a single sentence:

      The Human Race must evolve beyond the stage of caveman-like primitivism.

      As much as Humans can be amazing and resourceful and wonderful, we're all still very, very young as sentient races go, so far as my opinion goes; we're children with high-tech toys, our technology has evolved at a rate orders of magnitude faster than our poor meat brains have, and, sadly, it shows. If we, as a species, manage to survive the next few hundred years, we might start getting past this Caveman stage we're still, apparently, stuck in. Right at the moment, though, it's hard to maintain an attitude of hopefulness, with the way things are going.

    5. Re:Our reach exceeds our grasp.. by Rick+Schumann · · Score: 1

      ..yeah, I knew I wasn't alone in this strategy, but we're still in the minority, and are subject to ridicule for it by people who are too trusting and/or too myopic.

    6. Re:Our reach exceeds our grasp.. by thegarbz · · Score: 1

      So, what are YOU going to do NOW?

      Post this. Close the tab. Read the next Slashdot Tab about Intel 5G Modems to see if there's anything other than crazy rants there.

    7. Re:Our reach exceeds our grasp.. by AlwinBarni · · Score: 1
      Well said.

      Right at the moment, though, it's hard to maintain an attitude of hopefulness, with the way things are going.

      I am still optimistic though. Considering the history, we're living in really good times so far. There are good things happening, just are not news worthy (our monkey brain seems to put more attention to bad news - well, to be fair, it's a reasonable evolutionary trait). There's a song ("Strange is this world") "... however, there are more people of good will, and I deeply believe, that the world will not perish because of them ...".

  8. Vender Problems... by Anonymous Coward · · Score: 1

    As someone who works in IT in the financial sector (in America) for the last 10 years, I have a few thoughts...

    I'm sure things work the same over seas as they do here. So, unless your among the largest banks (top 10), they all outsource their internet banking to their core vendor. The banks host the data (customer account info) but the vendor does everything else. If the bank looses connection, the vendor uses stand in (last known) data and internet banking continues. According to this, the outage was due to a "a botched systems upgrade". If it had been the bank's system, they wouldn't have been able to do any banking at all until it was fixed, but the article specifies internet banking. So what do you do when your core vendor implodes? It's no easy task to move a bank and all its branches to a new software core. You're also locked into a very costly contract as these vendors charge by your total assets, not some established amount like O365. Lastly, as we are seeing here, banks are heavily regulated and inspected, but the vendors usually aren't. (A problem I've worried about for a long time)

    Hopefully the governing bodies over there will turn their attention to the proper entities, the vendors, but I do worry about smaller banks. This outsourcing is done for several reason. For smaller banks, it is just too cost prohibitive to stand up the infrastructure your core vendor possesses and is ready to provide. For large banks, nothing makes a CEO happier then offloading risk. (hence, why the "cloud" is so popular.) But more regulation, and especially the associated costs, could put smaller (community) banks out of business. Even in this situation, the high costs of new contracts and implementation could be the end for smaller banks who are usually willing to work with individuals and families.

    Anyway, before I ramble too much, I'll end by saying that this is how someone in this field reads this...