undefined | Better HN

0 pointstzs8y ago0 comments

OK, so that sounds like it would work out well in the case of ordinary fraud. You notify the bank in timely fashion, and the bank covers it.

But in the case of the bank being hacked, I could imagine it affecting enough accounts that the bank cannot cover it. Would that count as the bank failing (or perhaps a run on the bank?), and so then be covered by FDIC insurance?

Finally, suppose the hack is a case of financial terrorism. Say, a state sponsored group is trying to undermine confidence in the banking system and so wants to be as disruptive as possible. Instead of just getting in and stealing some money, they have been in for months and have been sabotaging things. They mucked with the backup procedure to make it so the backups are corrupt, and the bank unwisely did not do actual restore tests on samples to check things. Finally, the hackers set everyone's account balance to zero (or more fun, delete everyone's account).

So now my bank has no idea how much money I'm supposed to have (or even if I'm a customer). They fail and FDIC steps in. Do the banks have to periodically give the FDIC or other regulators lists of accounts and balances, so that FDIC would be able to at least figure out things up to the last month, say, or would the FDIC also have no idea who gets what?

0 comments

4 comments · 3 top-level

eitland8y ago· 1 in thread

A few words as a sysadmin:

* offsite backups

* verified offsite backups (not saying this happens everywhere but I'd expect banks to some kind of routines)

A few words as a news reading citizen:

* force majeure

* fannie mae and freddie mac

odammit8y ago

> verified off-site backups

So important... i can’t tell you how many times I’ve come across a database backup process that either the cron had been failing for months, that wasnt backing up all the data, or was simply corrupted.

Not only verify your backups, but make sure you know you’re restore process too!

You’ve got to trust that our banking systems do this thoroughly though ... amirite?!1!!

user59944618y ago

>>> So now my bank has no idea how much money I'm supposed to have (or even if I'm a customer). They fail and FDIC steps in. Do the banks have to periodically give the FDIC or other regulators lists of accounts and balances, so that FDIC would be able to at least figure out things up to the last month, say, or would the FDIC also have no idea who gets what?

When a was running an exchange, which is far from a bank but already has annoying scrutiny.

We were required to have a feed of all the transactions to an off site location. Then we had to store off line archives and off site archives.

The location must be within the jurisdiction of the regulator so they can send the police to the datacenter, seize all the hardware and reconstitute the balances.

friendzis8y ago

These things depend on jurisdiction and your particular contract, but in the western world generally some things apply:

  * transactions are printed physically (iirc SEPA mandates this) (account balances can be recovered, like bitcoin)
  * accounts are insured up to some ammount (will be covered by insurer provided bank cannot cover)
  * bank will cancel/refund transactions that happen x hours prior to proper notification of account compromise (details vary)

j / k navigate · click thread line to collapse