Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security United Kingdom

UK Banks Told To Reveal Tech Meltdown Plans (bbc.com) 60

UK banks have been told to explain how they would cope with a technology failure or cyber-attack. From a report: The Bank of England and the Financial Conduct Authority have given financial firms three months to detail how they would respond if their systems failed. Some TSB customers were left unable to access online banking for more than a month following a botched systems upgrade in April. Banks could be ordered to take action if their plans are judged to be poor. The Bank of England and FCA have emphasised that senior management at banks will be held accountable for prolonged disruption to services.
This discussion has been archived. No new comments can be posted.

UK Banks Told To Reveal Tech Meltdown Plans

Comments Filter:
  • Yeah, tell how they would do it, then anyone that would try to "melt down" the tech sector or a cyber attack would know how they could scoop in and clean up. Real smart.
    • Security by Obscurity is just another name for no security. Forcing the banks to be transparent about their processes at least makes it possible that problems can be found before they're exploited.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Security by Obscurity is just another name for no security.

        To make use of a rude example: Tell me your credit card number, expiration date, security code, full name, social security number, and full address.

        Security often is keeping information confidential. "Security by obscurity" is a rule of thumb for only having confidentiality is insufficient. Having no confidentiality is equally insufficient.

        To give an example about what might happen during a disaster recovery effort with an attacker that knows the plan: the attacker would know what services you are running,

        • by Anonymous Coward

          Information can be secret, but process shouldn't be. If you're vulnerable to a MITM attack on the transport between main and DR sites, the problem is the lack of encryption on that link, not that someone found the route.
          DR sites should be manned and monitored for physical security just as much as your main datacenter.

    • by Desler ( 1608317 )

      Because hiding what they would do is working so much better?

  • After reading up on several large failures over the past years it seems like most UK banks cyber-DR plans seem to be lifted straight from the military: "When in danger, when in doubt, run in circles, scream and shout"

  • 1. Tech meltdown
    2. ???
    3. Profit!

    • 1. Tech meltdown

      2. ???

      3. Profit!

      1. Tech meltdown

      2. Government bailout

      3. Privatize profits; socialize losses

      We've got too many things that are "too big to fail" . . . and the "things" know that, and are expecting their bailouts.

  • by rsilvergun ( 571051 ) on Friday July 06, 2018 @11:13AM (#56902296)
    but in the US I'd much rather hear about their plans to deal with the next economic downturn. Our right wing just repealed one of the major regulations here (Dodd Frank) that was passed to prevent another 2008 style crash. I've noticed that whenever we do something boneheaded Britain's right wing seems to take notes...
    • by AHuxley ( 892839 )
      That Electronic benefit transfer (EBT) stops working in the USA? No more digital Nutrition Assistance Program?
      In the USA some of the options when a nation wide cybering takes place are:
      1. Drive out to your cabin in the woods with its years of stored food, water filters, solar, books and wait out the city riots.
      2. Find that New Zealand passport kept for just such events and call up your business jet for a holiday. Enjoy the Hobbit Trilogy movie locations while the USA riots.
      3. Recall that person wh
    • but in the US I'd much rather hear about their plans to deal with the next economic downturn.

      Profit or get bailed out.

      Okay let's go back to the technical question. I think it has more meat in it.

    • by Nidi62 ( 1525137 )

      but in the US I'd much rather hear about their plans to deal with the next economic downturn.

      You'll find out in 9 months when the Brits still haven't gotten their act together and force a hard Brexit.

  • 0. Create a pre banking sorting tent outside. Got an account at the bank? Got a savings account at that branch that supports teller services? The bank is open for you.
    1. Open at 10 am for people to use the teller services.
    2. Be nice to people who have an existing account at that bank. No opening any new account during a cyber event
    3. Get some photo ID and account details from a person who has the correct bank account with that bank branch.
    4. Find paper records on file about the person and their
    • >> 0. Create a pre banking sorting tent outside.

      Elon, is that you?
      • by AHuxley ( 892839 )
        Big tents can offer solutions to many cyber related problems. With banking and cyber its just the size of the tent near the bank and the number of police needed.
    • Sorry, but aside from trying to triage/pre-screen people everything else is unlikely to work. Do you have your full account numbers available in a non-electronic form? (I do for my credit union account, but not my "real" bank account-- there I just go in and give my ID.) The banks cannot manage the volume of paper required any more-- and even if they could, the complexity of banking needs today would make a paper ledger nearly impossible for solving modern banking needs.

      About the only thing you could do

      • by AHuxley ( 892839 )
        Re "Do you have your full account numbers available in a non-electronic form?"
        A bank statement they got from their bank by post over the years. The card they got with their account. Photo ID.
        That would provide some evidence the correct account exists at the tent outside the bank during sorting.
        The bank would then have its paperwork on file during a cyber event to show the account exists and was created at that bank.
        The person could then ask for a set amount of cash per day from their own account while
      • If you have a checkbook, you already have your account number. My backup file on my local network covers the rest of the details. Otherwise, get a piece of paper and a secure place to put it.

    • by sjames ( 1099 )

      Not quite. If they cannot provide the promised online banking services, they owe all customers teller service until they restore their online services. After all, it's the bank that screwed the pooch so it's the bank that needs to bear the pain.

      The only reasonable alternative would be requiring the bank to give their online only customers their full balance in cash on demand and close the account.

      • by AHuxley ( 892839 )
        Not if that account type never supported such services. The banks would be open for teller supported accounts from each bank branch.
        During a cybering no network crypto could be trusted to work any electronic network to see if such digital accounts and customers existed.
        • by sjames ( 1099 )

          That's the bank's problem. They need to have a contingency plan to deal with their own failures.

          The data exists or the account wouldn't exist in the first place. If they don't have an appropriately isolated internal network, they'll need to move data on tape around.

          • by AHuxley ( 892839 )
            The contingency plan is to look after a set of customers who hold the correct paperwork and account types.
            Crypto will be down during a total cybering so each bank is isolated and can only trust its own paperwork.
            Any attempt to network could result in contacting a fake network that supports fake bank accounts and fake crypto.
            Criminals could use the cybering event to present with fake networked apps and accounts requesting cash.
            A van or truck under police guard arrives with a set amount of cash for a se
            • by sjames ( 1099 )

              So they'll just have to copy data to a few tapes and send them by car. Enough data to handle the contingency would easily enough fit on one LTO tape. They'll have to do that anyway for the other customers since last month's statement won't likely be up to date.

  • ..and greed has poisoned everything.

    Every week, right here on Slashdot, we read of at least one data breach. Banks and electronic payment systems are no longer immune to it, in fact they're at least as vulnerable, if not more so, than anything else. Most of you wander around all day long, eyes glued to the Mobile Surveillance, Tracking, and Data Logging Device you call your 'smartphone'. ISPs log your DNS requests, break into your HTTPS traffic, logging and analyzing your web browsing habits, ostensibly
    • by rtb61 ( 674572 )
      Nuthin' because as you well know, doing something costs money and doing nuthin' cost nuthin' and boosts this quarter bonus. Don't expect anything to change until regulations force it and don't expect regulations until it fucks up really bad. Likely the next major solar flare, which half of the planet, gets pretty digitally fucked up, just a matter of waiting to find out.
      • Of course you know I agree with you 100%, right? Why do you think I carry cash and pay cash for everything I can? Reduces my overall risk of getting caught in one 'data breach' or other that will expose access to my bank account. Even then the Equifax breach probably screwed me anyway, likely dozens of criminal organizations have all my Very Personal Data sitting on a storage device somewhere, and the only reason they haven't fucked me over with it is because I'm too poor to bother over. Guess we'll see wha
    • Have you ever seen the movie "Cube"? - Humanity in a nutshell.

      To me it seems like the only way is to create society incentivizing learning and compassion and give everybody opportunity to learn, not just skills, but to learn to be a conscience human being responsible for his/her own actions, curious, active, assertive, non violent in pursuing its goals, knowing and understanding the history and last but not least participating in the democratic process - we should be OK then. Ignorance and corruption are

      • I agree with what you're saying, but allow me to attempt to distill what you just wrote down to a single sentence:

        The Human Race must evolve beyond the stage of caveman-like primitivism.

        As much as Humans can be amazing and resourceful and wonderful, we're all still very, very young as sentient races go, so far as my opinion goes; we're children with high-tech toys, our technology has evolved at a rate orders of magnitude faster than our poor meat brains have, and, sadly, it shows. If we, as a species, manage to survive the next few hundred years, we might start getting past thi

        • Well said.

          Right at the moment, though, it's hard to maintain an attitude of hopefulness, with the way things are going.

          I am still optimistic though. Considering the history, we're living in really good times so far. There are good things happening, just are not news worthy (our monkey brain seems to put more attention to bad news - well, to be fair, it's a reasonable evolutionary trait). There's a song ("Strange is this world") "... however, there are more people of good will, and I deeply believe, that the world will not perish because of them ...".

    • So, what are YOU going to do NOW?

      Post this. Close the tab. Read the next Slashdot Tab about Intel 5G Modems to see if there's anything other than crazy rants there.

  • by Anonymous Coward

    As someone who works in IT in the financial sector (in America) for the last 10 years, I have a few thoughts...

    I'm sure things work the same over seas as they do here. So, unless your among the largest banks (top 10), they all outsource their internet banking to their core vendor. The banks host the data (customer account info) but the vendor does everything else. If the bank looses connection, the vendor uses stand in (last known) data and internet banking continues. According to this, the outage was due

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...