back to article Rethink on bank cybersecurity rules might only follow major bank breach, says expert

It might take a major bank to fail as a result of a cyber attack for meaningful changes in cybersecurity practices, regulation and governance in the UK banking market to be implemented, a leading industry commentator has said. In an interview with Out-Law.com, professor Richard Benham, chairman of the National Cyber Management …

  1. wolfetone

    You mean, banks won't do anything to secure themselves until they have to do something?

    Let me just go to the tap, I want to make sure water is still wet after this revelation.

    1. Anonymous Coward
      Anonymous Coward

      In other news...

      Bears still Catholic

      Pope still going in the woods

    2. tr1ck5t3r
      Trollface

      Even when the General Data Protection Regulation (GDPR) kicks in, if they don't see anything how can they report anything?

      AV only works at the software level, it cant validate firmware and although Secure Boot goes a little way to secure computers, the same attack vectors still exist https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/boot-and-uefi when you consider you can still update firmware from within windows.

      1. wolfetone
        Linux

        UEFI was only invented by Microsoft to try and screw Linux over. Everyone knows that.

  2. Doctor Syntax Silver badge

    "High street banks, able to deal with issues in-branch"

    What are these branches of which he speaks? "High street" banks are scarcely worth the name, they're closing branches as fast as they can and their approach to the "customer experience" he refers to is about the same as the "user experience" that you can expect when the UX folk take over your preferred software. The whole shower exist solely on the basis that we need to deal with one of them; I don't know that any of them could get customers based on customer service.

    1. Tom Paine Silver badge

      Anecdote, not data, I know, but fwiw: I have both a Barclays and a Nat West within 3 minutes' walk of my house in a small town / large village (pop <10,000) and the counter staff in the former, at least, are friendly and helpful when I've popped in to pay a few months' accumulated small change into an ISA.

  3. LDS Silver badge

    The mobile payments frenzy is hitting banks too... what could go wrong?

    Last month I found a message in my home banking page telling me "JiffyPay" has been activated for my account - something I never did although being bugged for several times. That's a service (and an app) in Italy to send money to anybody with a phone number (really, what could go wrong?)

    Having literally no use for it, and not trusting it at all, I never activated it. Called the bank to understand what happened (did someone access my account?), and they said me "don't worry, we just activated it for everybody", being surprised I wasn't happy at all about it.

    Probably the fact they take 1 euro for any transaction above 50 has a lot to do with the decision...

  4. 0laf Silver badge

    Customer experience

    Wot's that then? Better hold music.

    Customers are just as bad, they don't want security on the front door because it takes them an extra 2sec to get into their account.

    Banks don't want to makes things secure either becasue it costs money and it pisses the customer off as in point 1.

    The Tesco hack was pretty significant, it that won't change things a jot then pretty much nothing will. Maybe a nice 2% turnover fine from the GDPR but even then...

    1. Charlie Clark Silver badge

      Re: Customer experience

      Banks don't want to makes things secure either becasue it costs money

      They want just as much security as will give them plausible deniability and mean that they are not liable for any losses. Making customers responsible also means that they can sell insurance. Win, win you might say.

      Good security that is easy to use is possible with HBCI. Never heard of it? Makes you wonder why, doesn't it.

      1. Primus Secundus Tertius

        Re: Customer experience

        In the "good old days" banks really did know their cutomers: they would recognise us when we walked in. Also, we could telephone our branch and they would recognise our voice over the phone.

        One of the best security measures is still human recognition of voices over the plain old telephone.

        Mind you, i remember inheriting a club/society account where the old bank statements were the legendary hand-written things.

        1. Tom Paine Silver badge

          Re: Customer experience

          Indeed. And I remember when you had to book international phone calls in advance, and they cost an absolute fortune. And when wrist or hand-held flatscreen TVs with videoconferencing were featured on a "World of Tomorrow" series of cards in Brooke Bond tea... Press Button B... uphill, both ways...

      2. Tom Paine Silver badge

        Re: Customer experience

        They want just as much security as will give them plausible deniability and mean that they are not liable for any losses.

        Who do you think covers losses due to customers' own poor security practices leading to their CC details or passwords being stolen? (yes yes I know crap website security is responsible for carder juice as well -- the banks are liable for those losses too in most cases.)

  5. Anonymous Coward
    Anonymous Coward

    Smile/Cooperative Bank Poor account reset Security.

    Smile/Cooperative bank allows you to reset all access to bank accounts with a generic card reader, the card + pin. If you have your Card and Pin stolen, crooks can empty your bank account using one large transaction, rather than multiple card withdrawals.

    All done in the interest of saving money on Telephone Support. They are also now removing most telephone support for Smile 'online' customers too.

    It's actually easier to pretend that you have forgotten your security information, use the card reader and card to get access. It's actually quicker than logging on normally, given the amount of info a combination of the old system and the new system require you to enter.

    The new system is slow, badly implemented, just horrible. The old system just worked for 17 years, pretty unchanged over that time. It was well implemented without the bloat, so even with a crappy 2G connection you could still make a bill payment, in the middle of nowhere.

    Now its like a data hog. Impossible to do anything over poor broadband.

    1. wolfetone

      Re: Smile/Cooperative Bank Poor account reset Security.

      I tore them a new one over this over Christmas. I had lost my card a week before Christmas, they said they'd send me a new card and PIN. I got the card before Christmas, but the PIN number only turned up yesterday. And that was the second PIN that was sent out, so God knows where the first one went.

      Anyway, as I was using my credit card as it's the only thing I could use to buy petrol etc, I decided to transfer some money to the card. I go to do it and I'm greeted with the God awful username and password thing they've decided is a good idea. I forget the password, and I'm asked to use the card reader. Guess what? I couldn't, as I lacked the PIN number!

      So I call them to see if they could reset it, and they could with alot of huffing. But I asked them why this new way of internet banking security is better than the old one? A three step process, and if you didn't have the information for one of the three steps, you couldn't get in. As you said, it worked for 17 years and was brilliant, if a little dated looking.

      The Co-Operative Bank has gone to shit since the Americans "saved" the bank. I stuck around during those months when the bank was struggling, but recently their game has slipped. And I know I'm not alone, and I won't be the only one looking to leave the bank over this bullshittery.

      1. Doctor Syntax Silver badge

        Re: Smile/Cooperative Bank Poor account reset Security.

        "I won't be the only one looking to leave the bank over this bullshittery."

        You're not but with branches closing all over where do you go?

        I'd been waiting for YBS to roll out their Norfolk & Peterborough (or whatever) current accounts to the rest of their franchises but it looks as if they're trying to phase it out; I was told they're not accepting new customers.

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: Smile/Cooperative Bank Poor account reset Security.

          You're not but with branches closing all over where do you go?

          Er, Bitcoin?

    2. Tom Paine Silver badge

      Re: Smile/Cooperative Bank Poor account reset Security.

      Smile/Cooperative bank allows you to reset all access to bank accounts with a generic card reader, the card + pin.

      Eh? I'm a Co-Op customer and I don't know any way to change your contact details (I assume that's what you mean by 'access to bank accounts') using a debit, credit or ATM card. You definitely can't do it with a "card reader" - the PDQ machines by the till in shops or at an ATM.

  6. Anonymous Coward
    Anonymous Coward

    Backfire

    On the plus side, the established UK banking policy of blaming the customer unless they can prove otherwise and charging them for it, will in the event of a major breach convince a large departure and hopefully failure.

    Though no matter how easy the government tries to implement and easy transfer of current accounts, if you don't have the original open you can kiss your credit score good bye.

  7. Version 1.0 Silver badge

    Too Late

    Several US banks have seen major data hacks - and nothing has happened. As far as the banks are concerned it's just a risk of doing business and any costs associated with a hack can be passed on to the customers or recovered in the tax returns.

    I expect nothing to happen following a major bank hack - if it got really bad the government would just bail them out.

    1. Anonymous Coward
      Anonymous Coward

      Re: Too Late

      I worked* in infosec at a large well-known bank that had suffered a significant systems compromise in the past. I can assure you they take security very, very seriously indeed. They had the best ops practices, the best gear, the best user awareness training, the best policies and some of the best people I've worked with in my career. Not perfect, but nowhere is, and I've not seen or heard of a tighter ship outside military / LEA / spooky orgs.

      * (I left because with hundreds of people above me in the hierarchy it would have taken me decades to get anywhere; I took a pay cut to go to a much much smaller firm with a substantial security debt, because I enjoy improving and fixing systems and processes rather than just operating from checklists written by someone else. Also, I found Canary Wharf soulless, depressing, and isolated from the real London. Imagine my surprise to find there were things more important to me than money!)

  8. Commswonk Silver badge

    Don't think that will work...

    Tyrie said the UK should consider reorganising its governance of cyber risk in financial services so that there is "a single point of responsibility".

    Precisely how far would that "responsibility" extend? As far as being legally liable if having pronounced on some aspect of cyber security, and having that pronouncement adopted by the financial services industry (banks in particular) if there was then a breach of the security at one or all of the organisations concerned?

    I simply cannot see that happening. I can see some merit in setting generic minimum standards (possibly even fairly exacting standards) but beyond that..? Who is going to willingly put their head in a noose and sit around waiting for someone to kick the chair away? A committee of the Great and the Good? Ah... then nobody is actually responsible. Then there is the problem of succession planning; G & G "A" sets a standard which works for a while, and then s/he retires and G & G "B" takes over. Then there is a compromise and major loss; who gets blamed and "punished"; "A" who set the standard which worked for a while, or "B" who is in the hot seat when the shit hits the fan?

    As it happens there is an organisation that is well placed to provide strong generic advice, and that is CESG, although I know I risk multiple downvotes for even thinking about it, never mind actually typing the letters on this forum. It might be well outside its current remit, but extending its brief to cover banking security ought not to be either difficult or all that costly.

    Disclaimer: no connection with said organisation at any point in my life!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019