Many banks still use outdated legacy systems, but it is “unacceptable” for a large bank like DBS to have services down for more than 24 hours, an expert told VIXIO.
Numerous services of Singaporean multinational bank DBS went down on Tuesday, causing an outage that eventually lasted for two days.
The bank’s Singapore country head Shee Tse Koon said the outage was caused by malfunctioning access control servers, without revealing further details of the incident.
DBS gave assurances that its team was “working round the clock, together with our third-party engineering providers, to fix the problem,” and extended banking services by two hours at all its branches.
“For a renowned bank, like DBS, to have some services down for more than 24 hours — with none of the services available at some point — is quite unacceptable,” said Kevin Reed, chief information security officer of software company Acronis.
There are various reasons that might explain why the system went down.
A system upgrade or some external event could be causing a significant overload of the authentication platform, leading it to malfunction. Many users have reported the issue and access is sporadic, both of which are signs of an overload, according to Reed.
This is not a unique event, as DDoS attacks are often the cause of a system overload in which the system does not respond to legitimate user requests.
The most common problems with such long-duration incidents are likely related to the database and its replication. “It takes a long time to restore and synchronise the entire cluster,” Reed added.
Such systems, for example the mainframes historically used by banks, were developed a long time ago, and there is no longer internal expertise to understand the problem and restore workability, he continued.
“In my experience, no bank is much better at that – and DBS is not the first bank to face such issues. Banks are known to still use outdated, legacy systems — especially if they were founded long ago. Large US banks are known to use COBOL and mainframes, but they are not exactly technological power horses, to say the least.”
The banking industry is not alone in facing this issue. Many sectors, including transport, telecoms to some extent, manufacturing, industrial and even the military, still rely on legacy systems, which poses a problem internally, to employees, and externally, to customers, Reed explained. This also exposes them to cybersecurity threats, he added.
Typically, authentication is one of the core components of internet banking, and banks rarely outsource such a critical function, Reed explained. Some dependent subsystems, however, such as sending SMS messages for two-step authentication, could be outsourced.
Small banks use ready-made versions of remote banking services and automated banking systems to service their systems, which they modify for themselves. However, as large banks write their own systems rather than using ready-made solutions, the reliability of the software depends on the internal processes of the company, according to Reed.
“In the 21st century, banks need to modernise their infrastructure with advanced technology, including cyber protection. Having a capable tech team helps achieve just that and be on top of the problem.”
Although DBS worked to solve the meltdown, many services were down for two days. In addition, customer support functions were not working and there was no announcement on any public DBS channel until hours later, Reed pointed out.
“In short, this is not the best example of crisis handling.”
According to press reports, the Monetary Authority of Singapore (MAS) considers the outage “serious” and is weighing the possibility of a thorough investigation that could result in a fine for the bank.
Singapore’s banking regulations require financial institutions to make sure that the total unscheduled downtime for critical systems affecting customer services does not exceed four hours within any given 12-month period.