by GaelFG 960 days ago
I have no clue about what's better, but as a French person I'm amazed by the idea of delegating banking operations to a cloud provider. Last time I worked in bank IT, political requirements and good practices were to use their own private physical network infrastructure all over the country, and data storage server rooms were literally bunkers with armed security.

Is it that common around the world and 'we' just happen to have been overkill on security, or are they not really a true 'bank' and more a payment provider?

That seems such a change from some years ago, when cost was totally the last of the issues against security.

8 comments

In the US at least, I never thought of banks as particularly tech-savvy, just change-averse. They tend to be the big companies with the worst websites and apps, transactions take days to clear, their secure messaging is a mess, everything about the UX is terrible, fraud handling and benefits usage seem like separate apps altogether... I dunno if any of that translates to their security handling, but I would imagine big cloud providers with huge security teams would be better equipped to deal with those concerns than any single bank would?

Certainly I would trust AWS with my information more than my bank. My bank is only trustworthy because we have regulations limiting my liability for unauthorized charges... without that I would never trust my bank (or PayPal, for that matter) to hold my funds. These are the same people that still use magstripes and publicly-visible numbers to authorize transactions, after all. Of all the services I've used, my bank is the only one that regularly gets its info stolen (credit card fraud). Thankfully the law doesn't let them hold me responsible for the charges.

Some banks have so much tech (legacy mainframe to cloud providers) I’ve heard them describe themselves as an IT company that makes money off banking.

My credit union is lackluster but that’s expected; I’m not there for their mobile apps.

By any chance does the name of this bank sound like the noun you'd use to describe a large urban area? I've heard it too.

No, it was Chase.

On the other hand, there are a bunch of fintech startups now that only build fancy apps with nice UX on top of existing banking infra (often partnering with some legacy bank).

I miss Simple :(

Me too. It helped me wrangle a budget where YNAB and all others failed.

Banking in the US is very different from banking in France. The USA has all these tiny banks, credit unions and such, in addition to the mastodons like Chase, BoA, etc. In France, there are maybe five or six huge banks, and their subsidiaries. As far as I know, most of Europe runs on the same model (a few huge banks rather than a plethora of small banks).

What makes a physical server so much more secure than a cloud-provided one? AWS services are very secure: they have a list of compliances and security controls for banking-related services here:

https://aws.amazon.com/financial-services/security-complianc...

These are public facing bank services - so at some point have to be connected to the internet, quite a few banks use AWS for this [1]. I don’t know about Treezor but most of them will still have their own data centres for some or all of their ‘secure’ systems (if only because it’s running on some legacy hardware)

[1] https://aws.amazon.com/financial-services/banking/

I've worked for a bank in Europe, and the core banking system is as you describe it.

Other satellite services and applications are migrated to the cloud or SaaS, but the core is an old school mainframe, solid and tested to the last bit.

Which bank was that? As someone living in France, I bank with one of the "big banks" and even though I have no idea how their internal networks are laid out, I can't help but shake my head in disbelief whenever they send me an SMS to confirm some operation "for my security". Think adding a new transfer beneficiary, making a "large" bank transfer, or paying online with my credit card. The SMS doesn't even have all the details of the operation. It's something like "are you trying to pay X €?". No word to whom, from where, etc.

This isn't a step up from "nothing", mind. Initially, I used to have some kind of OTP fob for paying online. They then moved to SMS. Then to their app attached to my iPhone. Now, back to SMS. I still have the app installed on the same iPhone, and I use it regularly.

(Probably, why take the risk) I can't tell the bank name (but yeah, in the top 4 by size), and I'm not trying to defend your bank, but the SMS validation thing is actually the state's 'fault' and you are in fact legally covered in most cases. I don't have the legal text on hand, but by typing in Google: https://www.moneyvox.fr/banque/actualites/77237/fraude-sur-c... Look for Code SMS and you have a link to the European regulation. I assume one of the reasons is that in case of phishing, wire transfers are heavily monitored and reversible. Without giving technical details, in fact 'a lot of people' actually have large rights to move sums of money around. The trick is that it's reviewed and reversible for days.

It's way worse than you think. A large number of Swiss banks including Swiss banking regulators store all their data on Google Cloud.

A lot of Swiss government data is also stored in AWS; it made a few headlines during COVID because we "delegate our data to the Americans".

I mean it's all encrypted, right? Most cloud providers even allow you to specify your own encryption keys. Sure, the NRO isn't going to start uploading all their sat imagery to a GCP bucket, but I'd imagine it's fine for everything that's not classified.

Heck, even for the classified stuff, I heard Azure built a government owned datacenter running a self hosted copy of their software. Much better quality than asking some Gen Dynamics contractor to manage everything for you.

We have your data, you have our money, sounds fair =)

They don't though. Swiss tax wealth (though it's a tiny fraction). IRS makes it a massive PITA to hold substantial financial stakes in foreign companies. See FATCA and GILTI. And many tax deferred foreign retirement funds are not treated as being tax deferred by the IRS. It only gets more complicated from here. It's by far easier to earn and hold cash in America.

Isn’t the point of a Swiss bank account that the IRS doesn’t know about it?

That was many years ago. The entire Western world is compromised and reports to the IRS -or- the bank kicks out anybody who MIGHT be a US Citizen to avoid being sanctioned. The end result is only the few most central banks in the country take American clients -or- they are hopelessly behind on regulatory compliance (YOLO).

In the UK, it’s relatively common. Some of the older systems at legacy banks will still run on premise, but more because AWS lacks a mainframe instance type than anything else.

The main concern from the regulator perspective isn’t security as much as concentration of risk in a small number of providers: if AWS goes down, will it take the whole financial sector with it?

I heard it used to be similar at ING, but they have been slowly migrating some services to Azure for quite some time now.

I bet they will never fully migrate (and they don't want to).

Not affiliated with ING in any way, it's just what I heard.

They did manage to get rid of their mainframes though ...

An IMHO healthy aspect of the move towards public cloud is to start with an exit strategy. This is turning out to be quite tricky. Some services, though, can be sourced from public cloud (CI/CD, ticketing, planning, etc.), but core workloads are not so easy.