Federal Reserve To Use Internet For Money Transfer
An anonymous reader writes "According to the New York Post, the Federal Reserve (i.e. Alan Greenspan and Co.) is going to change the way that it transfers money between banks so that transfers now take place over the internet instead of via a private banking network. They aren't specifying the types of security measures that will be used (security through obscurity?) Am I the only one who thinks that this is a very bad idea? Might a DDOS attack on the Fed's computers bring down the entire banking system?" The banks have put some thought into security.
I've read that the Fed is a privately owned, for-profit bank that creates "money" by issuing loans to other banks. Oh, and the interest charged on the loans must be paid for in "money" that can only be created by issuing more loans.
Can someone shed some light on this?
I have to believe that -- if strong accounting controls are built in -- the proposal would be a step in the right direction. A DOS attack slows transfers, which pretty much puts us back to where we are now. The bigger risk is someone illegally diverting funds to an account -- and spending the money before they are caught. Preventing that from happening is the point of maintaining strict access standards and a clear audit trail.
Not as secure as what they have.
I worked on FRB hardware (back in 2001, so things might have changed a little). 486 CPU. 56k modem. Essentially just an automated BBS-style dial-in to the central systems, very cheap, uncomplicated, almost nothing that can screw up, and if it does, easy to fix; completely disconnected from local networks, info fed in by floppy (usually only a couple a day).
So of course I can understand why they want to modernize; the maintenance budget for the whole system on a yearly basis probably hits $5,000.
Why, yes, I AM a Pagan Libertarian.
A privately-held and privately-run corporation, governing America's own financial system ... it needs to be un-done, people.
Get rid of the Fed (and let the government control its money again), and you'll find yourself, suddenly, with a lot of happy Americans, and a lot less animosity towards Americans, around the world.
And a lot fewer wars too.
Seriously, Americans. You've been gypped! Do something about it!
Just as an example, the computer that the data is being sent to has to be connected to the Internet. How secure is this computer from attacks? If someone breaks into that computer, can they get to the unencrypted data?
Dlugar
Computer Go: Writing Software to Play the Ancient Game of Go
All this money is wired around and such but where do the actual money shipments take place? I mean eventually you would think that these guys would have to settle somewhere in hard currency or at the point you have to use this system you just settle it all via numbers on the internet. But that's even more confusing because the hard currency is still in the banks. It makes no sense.
Why don't they keep the current, private network and just upgrade the machines and the software on that? Why do the upgrade AND move to a less secure network?
Years ago, when computers first started coming in to general use, every small business wanted a computer. Not because they had any specific problem they thought the computer could fix, but simply because they wanted to "computerise the business".
My mother (now semi-retired) spent many years running a small accounting business, and attempted to computerise her office several times in the late '80s and early '90s. Failed several times, too. With one notable exception (Sage for DOS), it's only in the last 8 years or so that computing packages for small-business accounting have been any good. For many years, my mother (and her staff) prepared accounts by hand then typed them up - that was the "computer system". Damned if I can think what benefit that brought apart from producing nice-looking accounts.
Bottom line is, back then people wanted to put things on computers because computers were "The Thing". Now, the US Federal Reserve wants to use the Internet because the Internet is "The Thing".
Whether or not this is a sound basis for such important decisions is another matter altogether...
I'm more worried about another slammer-type attack that floods the Internet.
While I think that is a completely valid and important concern, it overlooks something key. If terrorists/gangsters/whomever want to damage US financial systems, it's a good thing that slammer-type attacks are the first thing to come to mind. One of the things that made the WTC such an appealing target on 9/11 was that private corporate networks were dependent on services provided in the towers. The hijackers managed to take down the New York Stock Exchange for five (?) days, by damaging critical infrastructure. If putting the federal reserve system on the public internet encourages DOS attacks and decreases the incentive to blow things up (including people), I'm all for it.
Jeff
transfers now take place over the internet instead of via a private banking network.
A private banking network is the ultimate level of security through obscurity. In such a closely "protected environment" one could get away with being very lazy, but we don't know if they have or not, because it's private. All we DO know is that it seems to have worked reliably for a long time. Generally, this would give me faith in the architects' ability to construct a well built, resilient network.
Might a DDOS attack on the Fed's computers bring down the entire banking system?" The banks have put some thought into security.
Not likely. A well thought out network plan can prevent this from happening.
They aren't specifying the types of security measures that will be used (security through obscurity?)
Why should they? For "peer review"? I'm thinking that the banks have this one covered. In their case it is in their best interests to have the best security possible. In fact, I read somewhere that banking institutions are testing the use of entangled particles for use in secure transactions, sorry no link.
Am I the only one who thinks that this is a very bad idea?
Probably not, but I think so far they have done a good job, I'm not worried.
I work for a decent sized bank data processing center. We have been using the web-based FedLine for quite some time now. We do transfers to and from the Federal Reserve in Minneapolis (sp?), St. Louis, and Kansas City. We have been trying to migrate from the old modem based FedLine method.
I feel as confident about the web-based system as I do about the non-web-based version that we have used in the past. The old system is very outdated, it connects to the Fed at 9600 Baud or less, and there really is no reason to avoid the web-based version, as opposed to the old dial-in version. I think they would both be as susceptible (sp?) to any sort of hacking attempts, just two different methods.
This is really not a big deal, and it's really not all that new. I for one will be happy when the Fed moves away from their old FedLine though.
YOU'RE WINNER !
Another lame blog
Might a DDOS attack on the Fed's computers bring down the entire banking system?"
7--Core Principle VII:
The system should have a high degree of security and operational reliability and should have contingency arrangements for timely completion of daily processing.
Let me quoth for those who don't read the articles:
Fedwire Data Centers
Three data processing centers support the Fedwire services. One site supports the primary processing environment with on-site backup. A second site serves as an active, "hot" backup facility with on-site backup. A third site serves as a "warm" backup facility. The three data processing centers are located a considerable distance from each other (i.e., hundreds of miles) in order to mitigate the effects of natural disasters, power and telecommunication outages, and other wide-scale, regional disruptions. In addition, all three data centers have appropriate security and include various contingency features, such as redundant power feeds, environmental and emergency control systems, dual computer and network operations centers, and dual customer service centers.
Take a read through it, and it's a really dry read by the way, it looks like they've got it pretty much figured out. Good luck finding those servers and then trying to DDOS them out of existence. Then again, if someone almost got the worldwide DNS root servers offline, then this could be just a drop in the bucket...
During the early days of the Web, before Java, scripting languages, and Active X controls, people knew that running remote code on your computer was simply wrong. Now look at all the viruses and worms that propagate through the Internet simply because remote code can be loaded onto a computer and run so easily.
Any banking network must be completely physically separate from the Internet. And it must use an entirely different system, incompatible with the internet as well, using different hardware and protocols, just in case somewhere along the line some connection is inadvertently made. This would provide the same "security through obscurity" that Linux and Mac users enjoy in an internet full of Windows viruses.
Any attempt to somehow integrate banking with the existing Internet will eventually result in security breaches. No matter what kind of encryption or even hardware methods of security are implemented, there will constantly be new vulnerabilities discovered if there is any physical line of access from the public internet.
Hardware firewalls have already been proven to be susceptible to network attacks via DNS. Some people have a clue about this, given the example of a two headed hard drive previously mentioned on Slashdot, to physically separate the hard drive writing process from public access.
The early (DarpaNet) Internet was designed by the US Government as a cold war computing network. It was to remain intact in the event of one or more portions of the network being obliterated in a nuclear attack. Multiple point to point connections that could re-route to reach a destination.
Today's Internet is much more dependent on large pipelines and due to increased traffic is more vulnerable. Worms like Code Red and others effectively shut down the Internet, making it essentially useless. This lasted for days and weeks as new viruses spun off from the older viruses.
The question would be not so much the security of the Fed's connectivity but the reliability of that connectivity. Say you have another worm outbreak due to some flaw in WinXP SP2 that causes the Internet to literally flood with massive amounts of traffic that ends up consuming 90% of the bandwidth and ends up bottlenecking and strangling the connections in highly populated areas. The Internet as it exists today needs a serious upgrade in the next few years in regards to bandwidth, encryption, and protocols.
Just look at what happened in NYC to both the cell phone networks and the landlines when 911 happened. They were so overwhelmed by the network traffic that many people could not make a phone call. Millions of people in NYC picked up the phone and millions more outside NYC tried to call family and friends in NYC.
First read the comment from the guy who works at the Fed, where he talks about what kind of data WILL now be going over the public net.
Question: in view of everything which has changed in the last three years regarding powers to do secret searches and wire-taps without a warrant, how does this news change what kinds of banking data will now be secretly sniffable by the DHS & FBI without technically violating inter-agency restrictions?
They tend to be looking at the wrong things in my opinion. I'm 15, and I recently just set up my first bank account with Lloyds TSB- and nearly got arrested. The *really* competent manager filled out the forms by hand, then typed them onto a program on win 2k, then printed them out, checked them by hand (as in, pencil), then typed them in again, and finally printed them out and filed them. This involved going out of the room a lot. When she was typing them up on screen, she turned the screen my way so that I could see what was going on.
At one point she turned the screen away, and said "Sorry, I have to turn the screen away now, in case any other users' details come up". I said "That's okay- I don't want to see anyone else's bank details- if I did, I would have put a keylogger on the computer when you were out of the room, as there aren't any CCTV cameras in here, only a motion detector and pressure plates under the windows." She looked at me. "I locked the computer when I went out of the room"
"I know. A key logger is a physical device- the cable run for the computer setup is in front of me. The keyboard cable goes in the left end. The computer is situated by your right foot, around a 90 bend. I know the average lengths of PS/2 cables- the extension joint should be around my elbow. It would take about 15 seconds to pop the cable run cover off, plug one end of the key logger into the extension, the other into the cable from the keyboard, and put the cable run cover back on. I could come back a week later to this room, and while you were out of the room take the keylogger out, and go home with it. I would then have your username and password, and all the details you'd- or anyone else - had typed into this computer, and could wreak fun in your name."
She looked at me, very strangely. "Uh....Please excuse me...I'm just going to get another form..." She came back about 30 minutes later, holding a tax form, and seemed to be sweating... So, yar, banks.
5 security cameras in the lobby room where all the tellers were- it was about as big as our bathroom- covering every square inch of it, at the same time as having the 2 cm thick glass that makes up the teller's window held on by 4 small wood screws that went through into a wooden frame (i.e. you hit that with a shotgun, and the plate glass falls backwards). Complex burglar alarm system- with the box inside a set of double doors that make up the entrance. Very thick internal wooden doors complete with steel front- and with simple warded locks that had 3 pins. I wonder if they'll have the most obscurely paranoid system of transfer- 4096 bit cypher, etc, etc- and the super user account would be "admin" - and have a password of "admin"....
Off topic: A friend of mine somehow managed to enter his password badly 6 times while drunk. He now thinks he's IP banned, as slashdot.org doesn't respond to anything- pings, nowt. He's emailed banned@slashdot.org, but no response as yet. I don't think he has a network connection problem, and he's *really* annoyed at not being the only geek in Suffolk to not have access to ./. Has anyone had any similar problems? His email is basically anything you like @sdonag.plus.com (like, say, slashdot@sdonag.plus.com). Help?
My UID is prime. Is yours?
...a short while ago to set up a checking account and the nice woman sits me down across from her desk, swivels her LCD so I can see it and, what the F**K, it's running MS product! I politely said, "Ummm, something came up" and left.
I've heard it said that any system is only as strong as its weakest link.
Everything in the Universe sucks: It's the law!
Well as of the summer of 2003, the credit union I worked for still used a 486 running DOS and a manually dialed 9600bps modem to connect to fedline.
The resulting floppy was then used to ftp the data from my workstation to the main host [server].
Of course, there WAS a hardware crypto-card in the machine. If it got turned off [soft-booting was ok], it required 3 top level executives to come in and enter the keys to get the machine to boot up again.
It was an interesting combination of old-skool and new tech...
The visa check-card transactions were also fed through a manually dialed 9600bps modem.
God I hated that job...
Ender-
Nothing to see here