top | item 38100137

GaelFG | 2 years ago

I have no clue about what's better, but as a Frenchman I'm amazed by the idea of delegating banking operations to a cloud provider. The last time I worked in bank IT, political requirements and good practices were to use their own private physical network infrastructure across the whole country, and data storage server rooms were literally bunkers with armed security.

Is it that common around the world and 'we' just happen to have been overkill on security, or are they not really a true 'bank' and more a payment provider?

That seems like such a change from some years ago, when cost was the last of the concerns weighed against security.

solardev | 2 years ago

In the US at least, I never thought of banks as particularly tech-savvy, just change-averse. They tend to be the big companies with the worst websites and apps, transactions take days to clear, their secure messaging is a mess, everything about the UX is terrible, fraud handling and benefits usage seem like separate apps altogether... I dunno if any of that translates to their security handling, but I would imagine big cloud providers with huge security teams would be better equipped to deal with those concerns than any single bank would?

Certainly I would trust AWS with my information more than my bank. My bank is only trustworthy because we have regulations limiting my liability for unauthorized charges... without that I would never trust my bank (or Paypal, for that matter) to hold my funds. These are the same people that still use magstripes and publicly-visible numbers to authorize transactions, after all. Of all the services I've used, my bank is the only one that regularly gets its info stolen (credit card fraud). Thankfully the law doesn't let them hold me responsible for the charges.

wil421 | 2 years ago

Some banks have so much tech (legacy mainframe to cloud providers) I've heard them describe themselves as an IT company that makes money off banking.

My credit union is lackluster, but that's expected; I'm not there for their mobile apps.

uxp8u61q | 2 years ago

Banking in the US is very different from banking in France. The USA has all these tiny banks, credit unions and such, in addition to the mastodons like Chase, BoA etc. In France, there are maybe five or six huge banks, and their subsidiaries. As far as I know, most of Europe runs on the same model (a few huge banks rather than a plethora of small banks).

helsinkiandrew | 2 years ago

These are public-facing bank services, so at some point they have to be connected to the internet; quite a few banks use AWS for this [1]. I don't know about Treezor, but most of them will still have their own data centres for some or all of their 'secure' systems (if only because it's running on some legacy hardware).

[1] https://aws.amazon.com/financial-services/banking/

jmorenoamor | 2 years ago

I've worked for a bank in Europe, and the core banking system is as you describe it.

Other satellite services and applications are migrated to the cloud or SaaS, but the core is an old school mainframe, solid and tested to the last bit.

vladvasiliu | 2 years ago

Which bank was that? As someone living in France, I bank with one of the "big banks" and even though I have no idea how their internal networks are laid out, I can't help but shake my head in disbelief whenever they send me an SMS to confirm some operation "for my security". Think adding a new transfer beneficiary, making a "large" bank transfer, or paying online with my credit card. The SMS doesn't even have all the details of the operation. It's something like "are you trying to pay X €?". No word to whom, from where, etc.

This isn't a step up from "nothing", mind. Initially, I used to have some kind of OTP fob for paying online. They then moved to SMS. Then to their app attached to my iphone. Now, back to SMS. I still have the app installed on the same iphone, and I use it regularly.

GaelFG | 2 years ago

(Probably, why take the risk.) I can't tell the bank name (but yeah, in the top 4 by size), and I'm not trying to defend your bank, but the SMS validation thing is actually the state's 'fault', and you are in fact legally covered in most cases. I don't have the legal text on hand, but by typing in Google: https://www.moneyvox.fr/banque/actualites/77237/fraude-sur-c... Look for "Code SMS" and you have a link to the European regulation. I assume one of the reasons is that in case of phishing, wire transfers are heavily monitored and reversible. Without giving technical details, 'a lot of people' in fact have broad rights to move sums of money around. The trick is that it's reviewed and reversible for days.

orangepurple | 2 years ago

It's way worse than you think. A large number of Swiss banks including Swiss banking regulators store all their data on Google Cloud.

mellowagain | 2 years ago

A lot of Swiss government data is also stored in AWS; it made a few headlines during covid because we "delegate our data to the Americans".

cameronh90 | 2 years ago

In the UK, it’s relatively common. Some of the older systems at legacy banks will still run on premise, but more because AWS lacks a mainframe instance type than anything else.

The main concern from the regulator perspective isn’t security as much as concentration of risk in a small number of providers: if AWS goes down, will it take the whole financial sector with it?

tomwojcik | 2 years ago

I heard it used to be similar at ING, but they have been slowly migrating some services to Azure for quite some time now.

I bet they will never fully migrate (and they don't want to).

Not affiliated with ING in any way, it's just what I heard.

mvdwoord | 2 years ago

They did manage to get rid of their mainframes though ...

An IMHO healthy aspect of the move towards public cloud is to start with an exit strategy. This is turning out to be quite tricky. Some services can be sourced from the public cloud (CI/CD, ticketing, planning etc.), but core workloads are not so easy.