611
Sweden, Norway rethink plans for cashless societies over fears that fully digital payment systems would leave them vulnerable to Russian security threats (www.theguardian.com)
submitted 2 days ago by 0x815@feddit.org to c/technology@lemmy.world
152 comments fedilink hide all child comments

cross-posted from: https://feddit.org/post/4262252

A combination of good high-speed internet coverage, high digital literacy rates, large rural populations and fast-growing fintech industries had put the Nordic neighbours on a fast track to a future without cash.

[...]

But Russia’s invasion of Ukraine in 2022 and a subsequent rise in cross-border hybrid warfare and cyber-attacks blamed on pro-Russia groups have prompted a rethink.

[...]

The Swedish government has since completely overhauled its defence and preparedness strategy, joining Nato, starting a new form of national service and reactivating its psychological defence agency to combat disinformation from Russia and other adversaries. Norway has tightened controls on its previously porous border with Russia.

[...]

[Norway's] justice and public security ministry said it “recommends everyone keep some cash on hand due to the vulnerabilities of digital payment solutions to cyber-attacks”. It said the government took preparedness seriously “given the increasing global instability with war, digital threats, and climate change. As a result, they’ve ensured that the right to pay with cash is strengthened”.

[...]

you are viewing a single comment's thread
view the rest of the comments
[-] irotsoma@lemmy.world 18 points 21 hours ago

Yeah, considering how bad banks and other financial institutions are at IT security and the fact that there's no incentive for a capitalist financial institution to fix that problem, it's not a good idea.

[-] ChairmanMeow@programming.dev 9 points 20 hours ago

That's not entirely true. In order to be allowed to keep processing transactions you have to adhere to strict rules which do get regularly audited. And then there's the whole "customers will switch to another more reliable party in case of outages or security problems". And trust me, I've seen first-hand that they do.

[-] uis@lemm.ee 1 points 4 hours ago

And then there's the whole "customers will switch to another more reliable party in case of outages or security problems".

Outages? Yes. Security problems? LMAO!

[-] ChairmanMeow@programming.dev 1 points 2 hours ago

Our company has directly profited from a competitor that leaked sensitive data, because some of their large corporate customers decided to switch to us.

Business don't like being on the receiving end of a data leak either you know.

[-] irotsoma@lemmy.world 7 points 19 hours ago

You have to put on a show that you are sticking to those processes, on paper. But the fines for data breaches are generally way less than they save on not having a fully funded IT department and using security products that someone got a kickback for rather than the best product.

"Hacking" isn't some magical, intensely creative process for geniuses loke on TV. For the most part, it's usually just finding the really common things that IT departments don't do because they are underfunded and treat IT people like replaceable cogs. There is software out there to exploit those deficiencies. So they are forced to do things like use default or obvious admin passwords because who knows who is going to be there tomorrow to fix something and without the proper tools to store credentials, there's no way to properly secure things.

And when a security vulnerability is found, there's a reason why many don't bother informing the company before going to the media. Those companies pour tons of money into lawyers to avoid admitting the fault, often getting the innocent person who found the problem arrested, and never fix the actual issue. Just ask any pro whitehat security researcher not hired by the company all the things they have to do to protect themselves from being sued or arrested for "hacking" when they notice a problem.

And government technical auditors are a rarity because the regulators are underfunded. So they might go through some small list of things during regular audits, but they don't know to check if a DBMS system that contains backups and is stored "in the cloud" is using a default password or other common hacking targets. Hackers don't go after the primary infrastructure most of the time. It's not necessary because there are so many sloppy processes or left over insecure projects that "the last guy" was working on or that got defunded before it was completed, but only the primary infrastructure gets audited usually because that's all there is time and money for.

As for going somewhere else, there often aren't other places to go and when there are they usually have the same problem because there's very little reason for any of them to compete with each other. Most industries have consolidated so much that there are only a handful of parent companies left so it's easy to collude just because their leaders are often all in the same room at conferences and such.

[-] ChairmanMeow@programming.dev 7 points 17 hours ago

I think you're being too pessimistic about IT security, particularly in the Financial sector. A lot of the security rules and audits aren't even government-run, it's the sector regulating itself. And trust me, they are pretty thorough and quite nitpicky about stuff.

The cost of failing an audit also often isn't even a fine, it's direct exclusion from a payment scheme. Basically, do it right or don't do it at all. Given that that is a strict requirement for staying in business, most of these companies will have sufficiently invested in IT security.

Of course it's not airtight, no system really is. But particularly in the financial sector most companies really do have their IT security in order.

this post was submitted on 30 Oct 2024
611 points (98.6% liked)

Technology

59020 readers
3375 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world