Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Almighty Buck United States

Federal Reserve To Use Internet For Money Transfer 318

An anonymous reader writes "According to the New York Post, the Federal Reserve (i.e. Alan Greenspan and Co.) is going to change the way that it transfers money between banks so that transfers now take place over the internet instead of via a private banking network. They aren't specifying the types of security measures that will be used (security through obscurity?) Am I the only one who thinks that this is a very bad idea? Might a DDOS attack on the Fed's computers bring down the entire banking system?" The banks have put some thought into security.
This discussion has been archived. No new comments can be posted.

Federal Reserve To Use Internet For Money Transfer

Comments Filter:
  • by Anonymous Coward on Sunday August 15, 2004 @03:23PM (#9975255)
    First transaction
  • VPN and PGP encrypt! (Score:5, Informative)

    by chevman ( 786211 ) on Sunday August 15, 2004 @03:24PM (#9975264)
    VPN and PGP encrypt. That's over the internet, but pretty damn secure - I work in the healthcare industry and PGP is pretty standard, usually over a VPN or secure FTP.
    • Possibly. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday August 15, 2004 @03:32PM (#9975327)
      I'm more worried about another slammer-type attack that floods the Internet.

      Besides, encryption and such are fine, but just keeping everyone else off your network (the old method) makes the security model much simpler.

      The more access there is, the more possible attacks there are. Which means that more attention has to be spent testing and checking these systems.

      Which means more jobs! So it isn't all bad. :)
      • Re:Possibly. (Score:5, Informative)

        by wfberg ( 24378 ) on Sunday August 15, 2004 @04:25PM (#9975625)
        There are multiple security risks to keep in mind
        a) the systems will be connected to the internet. Even if they are heavily firewalled, they will have to get their information somehow, so some port will be open listening for incoming requests; so watch out for buffer overrun exploits and spoofed packets.
        b) targetted denial of service attacks
        c) the network simply going down or being slowed; slammer slowed down the internet, not just a few machines. If that means some transactions get delayed, some people will be losing money.
        d) the traffic will be intercepted, and, if not decrypted, at least the volume of messages will be interesting information for corporate espionage (though the fact that unencrypted e-mail is used in business all the time makes this less of a priority).
        e) targetted BGP spoofing, DNS poisoning attacks and the like resulting in loss of service

        That's not to say a private network is always more secure (especially since on private networks less thought is given to authentication and things of that nature), but it does make life complicated.
      • Re:Possibly. (Score:5, Interesting)

        by vontrotsky ( 667853 ) on Sunday August 15, 2004 @04:26PM (#9975626)
        I'm more worried about another slammer-type attack that floods the Internet.

        While I think that is a completely valid and important concern, it overlooks something key. If terrorists/gangesters/whomever want to damage US financial systems, it's good thing that slammer type attacks are the first thing to come to mind. One of the things that made the WTC such an appealing target on 9/11 was that private corporate networks were dependant on services provide in the towers. The hijackers managed to take down the New York Stock echange for five (?) days, by damaging critical infrastructure. If putting the federal reserve system on the public internet, encourages DOS attacks and decreases the incentive to blow things up (including people), I'm all for it.

        Jeff
    • by paganizer ( 566360 ) <thegrove1@hotmail . c om> on Sunday August 15, 2004 @03:39PM (#9975373) Homepage Journal
      Not as secure as what they have.
      I worked on FRB hardware (back in 2001, so things might have changed a little). 486 CPU. 56k modem. essentially just a automated BBS style dial-in to the central systems, very cheap, uncomplicated, almost nothing that can screw up, and if it does, easy to fix; completely disconnected from local networks, info fed in by floppy (usually only a couple a day).
      So of course I can understand why they want to modernize; the maintenance budget for the whole system on a yearly basis probably hits $5,000.
      • by TykeClone ( 668449 ) <TykeClone@gmail.com> on Sunday August 15, 2004 @04:12PM (#9975546) Homepage Journal
        That was the old Fedline system. They are now in the process of phasing that out in favor of an internet based Fedline system.

        MICR files have already moved, but wires and such have not.

      • by LippyTheLip ( 582561 ) on Sunday August 15, 2004 @04:28PM (#9975639)
        I used to work at the FRB Boston on the staff of the Financial Service Policy Committee, the body that sets policy for the services that the Fed provides to US banks.

        This article is totally misleading. The Fed is not going to be transferring money over the Internet. Clearing and settlement will continue to take place over dedicated, leased, secured IP lines or in data centers with military-level security.

        The change being made is how individual commercial banks interface with the computers at the Fed in order in initiate wire transfers and transmit data for bulk transaction processing. FedLine for the Web is a great improvement over the MS-DOS-based systems that are currently in use for small and medium-sized banks. Through these systems, banks do a variety of things, including initiate wire transfers, check intraday overdraft balances, submit batch files for overnight ACH payments processing, and many others. More info here [frbservices.org] on what the Fedline is and the various ways of accessing it. The Fed had been developing FedLine for Windows, but abandoned that in the late 90's. Doing this over the web is no more risky than online banking for the consumer, except that the sums are greater -- but so are the benefits -- as long as precautions are taken, such as one-time-use TANs (transaction authorization numbers), certificates, etc.
      • by ender- ( 42944 )
        Well as of the summer of 2003, the credit union I worked for still used a 486 running DOS and a manually dialed 9600bps modem to connect to fedline.
        The resulting floppy was then used to ftp the data to from my workstation to the main host [server].

        Of course, there WAS a hardware crypto-card in the machine. If it got turned off [soft-booting was ok], it required 3 top level executives to come in and enter the keys to get the machine to boot up again.

        It was an interesting combination of old-skool and new te
    • Cardboard boxes (Score:4, Interesting)

      by Dlugar ( 124619 ) on Sunday August 15, 2004 @03:46PM (#9975407) Homepage
      Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. (Gene Spafford)
      The problem isn't the security of the data that's encrypted--the armored truck isn't going to have any problems--but what about the cardboard box?

      Just as an example, the computer that the data is being sent to has to be connected to the Internet. How secure is this computer from attacks? If someone breaks into that computer, can they get to the unencrypted data?

      Dlugar
    • VPN and PGP encrypt. That's over the internet, but pretty damn secure - I work in the healthcare industry and PGP is pretty standard, usually over a VPN or secure FTP.

      I dunno...if some average person conducts their transactions via VPN/PGP almost noone would care. Now if you know that breaking into the encryption could result in embezzlment of BILLIONS of dollars, then perhaps a lot of people might want to cash in...

    • I know that technologies exist to make the transfers secure, but it still seems like a *STUPID* idea.

      An internet-like network, sure.. But having intra-bank transfers going over the same networks that us common folks use is a bad idea. We'll hear about the banks going offline, becuase someone picked the wrong IP to DDoS. There's people out there with mad bandwidth. I have 3Gb available myself. If I were to stop all the servers, and fill up those lines with garbage traffic going towards the bank's
    • At least when they head out on the old internet, they know that there are threats and will take action. In a private network they'd be more likely to be lulled into a false sense of security and prhaps have intrusions that they are not aware of.
  • Mmmmm! (Score:5, Funny)

    by Anonymous Coward on Sunday August 15, 2004 @03:26PM (#9975288)
    Shocking. To think they'd use the INTERNET instead of analog phone lines!
    • If you were to see the current Fedline system you'd see that they had no choice. They're basically stuck using old DOS machines and require ISA slots for the encryption boards. The Fed has to move forward on something because these encryption boards are getting harder and harder to find.

      Right around 2000, they were going to port the existing system to a Windows NT platform, but didn't get it to work.

      • Well, I'm sure the resources available to the Fedline people would stretch to developing a custom encryption board if they really wanted to continue in the same way just with newer computers. That's really not a big issue and there are any number of engineering firms out there that could handle the job of developing a replacement encryption card.

        No, they just want to do what everyone else is doing and use the Internet. But the real question is whether or not something as fundamentally fragile as the In
        • Encrypted data is encrypted data - and the amount of data transmissions won't affect anyone else.

          The $64,000 question is whether or not they've got the security thing figured out - and I think that the people running Fedline (as opposed to the rest of the FRB or government) have that as one of their highest interests.

          Up until now, all of the services that are available on Fedline for the Web are "not critical" - services that don't transfer money.

  • DDOS paranoia (Score:5, Insightful)

    by rokzy ( 687636 ) on Sunday August 15, 2004 @03:27PM (#9975294)
    what makes you think "using the internet" equates to "having a server completely open to the public with no backup processes"? in the UK you can do your taxes online, I guess if they get DDOS'd no one will have to pay?
    • by mrsev ( 664367 ) <mrsev AT spymac DOT com> on Sunday August 15, 2004 @03:30PM (#9975313)
      what makes you think "using the internet" equates to "having a server completely open to the public with no backup processes"? in the UK you can do your taxes online, I guess if they get DDOS'd no one will have to pay? .....Hey thanks for the tip!
    • The UK Bank clearing service BACS also process bulk direct debit and direct credit transactions over the internet. Transactions are encrypted then tramsitted over the interweb. Users each get a smartcard and a PIN. If you aheva direct debit set up with any big company in the UK it was probably sent over the web to bacs.

      It's possible to take someone's bank account and sort code over a web page, set up a direct debit mandate on their account and start collecting monthly subscription payments without any pap

  • The military already uses the Internet for their stuff. It's largely disconnected from the public Internet, so denial-of-service attacks can't reach the important stuff.

    Why shouldn't the banking industry uses industry-standard equipment and protocols? I'm sure that you can buy a lot of redundant routers at Frys for the price of one of their private-network routers.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday August 15, 2004 @03:36PM (#9975350)
      Well, they have DOS systems connected to a private network.

      The weird thing is that they're looking at moving to the Internet to get away from the limitations of their DOS system.

      Why don't they keep the current, private network and just upgrade the machines and the software on that? Why do the upgrade AND move to a less secure network?
      • by jimicus ( 737525 ) on Sunday August 15, 2004 @04:00PM (#9975485)
        Why don't they keep the current, private network and just upgrade the machines and the software on that? Why do the upgrade AND move to a less secure network?

        Years ago, when computers first started coming in to general use, every small business wanted a computer. Not because they had any specific problem they thought the computer could fix, but simply because they wanted to "computerise the business".

        My mother (now semi-retired) spent many years running a small accounting business, and attempted to computerise her office several times in the late '80s and early '90s. Failed several times, too. With one notable exception (Sage for DOS), it's only in the last 8 years or so that computing packages for small-business accounting have been any good. For many years, my mother (and her staff) prepared accounts by hand then typed them up - that was the "computer system". Damned if I can think what benefit that brought apart from producing nice-looking accounts.

        Bottom line is, back then people wanted to put things on computers because computers were "The Thing". Now, the US Federal Reserve wants to use the Internet because the Internet is "The Thing".

        Whether or not this is a sound basis for such important decisions is another matter altogether...
  • by BrownDwarf ( 615206 ) on Sunday August 15, 2004 @03:30PM (#9975314)
    I have to believe that -- if strong accounting controls are built in -- the proposal would be a step in the right direction. A DOS attack slows transfers, which pretty much puts us back to where we are now. The bigger risk is someone illegally diverting funds to an account -- and spending the money before they are caught. Preventing that from happening is the point of maintaining strict access standards and a clear audit trail.
  • by Mudcathi ( 584851 ) on Sunday August 15, 2004 @03:32PM (#9975331) Journal
    "You've got money!"
  • by Omega1045 ( 584264 ) on Sunday August 15, 2004 @03:33PM (#9975336)
    I know that the US Government owns many class A ip ranges, and that some of these they do not route traffic in/out from. Basically, the US Military has a "public" private network. I would image that the same type of measure could me taken here. It would be fairly easy to firewall this at various points if the ip classes are huge.
  • by aelbric ( 145391 ) on Sunday August 15, 2004 @03:35PM (#9975343)
    Wonder how long it will be until they see:

    Transaction complete.
    Confirmation: All your bank accounts belong to us!
  • Fascinating (Score:2, Funny)

    by Arcanix ( 140337 )
    The biggest concern isn't the 13-year-old who hacks into the Fedwire and sends himself some money -- it's terrorism.

    Gee, a terrorist is a bigger threat than a script kiddie, who'd have thought?
  • by unassimilatible ( 225662 ) on Sunday August 15, 2004 @03:38PM (#9975370) Journal
    If it's safe to vote and select the leaders of the free world on the Internet, then surely it's, uh, oh nevermind...

  • Why? (Score:2, Insightful)

    by 511pf ( 685691 )
    There just seems to be no good reason to do this. They claim that they're doing this to get rid of their DOS-based system. The application has nothing to do with the network transport mechanism. They could just as easily re-write the existing application to use private lines as they could to use the Internet. This project was apparently driven by the vice president of national marekting at the Fed. Why does this position even exist? Does the Fed have any competitors at all? For those of you that have
  • Why marketing? (Score:3, Insightful)

    by schneidafunk ( 795759 ) on Sunday August 15, 2004 @03:41PM (#9975384)
    Why is "Laura Hughes, vice president of national marketing" in charge instead of computer experts?
  • by Anonymous Coward on Sunday August 15, 2004 @03:42PM (#9975390)
    (Formerly known as PayPal)
  • by Bruha ( 412869 ) on Sunday August 15, 2004 @03:46PM (#9975409) Homepage Journal
    All this money is wired around and such but where do the actual money shipments take place. I mean eventually you would think that these guys would have to settle somewhere in hard currency or at the point you have to use this system you just settle it all via numbers on the internet. But that's even more confusing because the hard currency is still in the banks. It makes no sense.
    • Most money isn't physical. It's all done through accounts.

      When a bank creates money by issuing a loan, they don't print money, they just add a few digits to a counter in a program. Most times, this money is moved around via checks or wire transfers, moving money that never existed in the first place between "places"

      This is the same thing just on a higher scale.
      • "Most money isn't physical. It's all done through accounts."

        My understanding of the matter --learned at the US equivalent of high school, admittedly-- is that there is, in fact, some physical money stuff going on, but not for every transaction of course. Transactions within a bank don't need a physical counterpart; transactions between banks do, and the transfers can be physically settled weekly or so, in actual money trucks, or accounted as debt, but in principle a physical settlement is done, as the 'vi

    • by Oligonicella ( 659917 ) on Sunday August 15, 2004 @04:12PM (#9975549)
      Wrongo. The Fed is a warehouse. Each bank has an account. Wire transfers change digits in two accounts. No physical money moves. Unneeded.

      I thought the people here were computer and accounting literate.
      • Banks used to settle accounts with real money. At least that was what I was told when I was researching the history of American currency. For an example, see the $100,000 Bank Transfer Note [frbsf.org].
        • Not any more. Really, most of the money exists just as data in computers. That's a fine method to use. Remember, all that money is is a representation of work that has been done, a method of "storing" value. Rather than bartering for goods and services directly, which doesn't work well (you may have something I want but I don't necessiarly have something you want) we store value in a commonly agreed upon medium.

          Orignally it was precious substances, gold and silver being the most common, but salt and others
    • Check out my sig. He said that just last year.
  • Suppose they have their own, private network. It would need wires running all around the country. Nobody could DoS it from the Internet, but if someone tried to take it down, all they would have to do is cut a few wires!

    Now suppose they do it over the Internet. Someone DoSs a major backbone. I can't check my email, but the Fed has a lot of HIGHLY payed engineers rerouting their traffice over a satelite connection, or over a bunch of long-distance dial-ups to route around the busted backbone. In fact, they
  • The truth? (Score:3, Funny)

    by vuvewux ( 792756 ) on Sunday August 15, 2004 @03:49PM (#9975424)
    Do not try to transfer the money online. That's impossible. Instead only try to realize the truth. There is no money online. Then you'll see that it is not the money you transfer online, it is only yourself.
    • The truth might be that there is no money at all. But since we all agree that there is money, well... there is.

      Gives me chills every time I think about what happens if the illusion collapses.
  • Not all that bad... (Score:4, Informative)

    by Anonymous Coward on Sunday August 15, 2004 @03:51PM (#9975436)
    From the deep memory:

    Disclaimer: This is OLD stuff and might be different today. But, banks are stodgy and don't like to change things that work.

    Most banks don't use the Fed wire for transfers all day long. They use private networks, like SWIFT to conduct their business. c.f Swift money transfer [google.com]

    Back in the days before the internet, SWIFT used to require that you had an office in lower Manhatten (e.g. Wall Street) with a HIGH RANKING bank officer there. If something went wrong (and you stopped processing transfers for some reason), the SWIFT officers could meet and discuss the issue with you. They might float your bank for the day, keeping you from going under if it was something like broken computer equipment and not an insolvency issue.

    Computers and networks got much better, and with SWIFT's desire to be truly global, that's no longer required.

    So, what happens is that the banks all over the world do millions of transactions all day long on the SWIFT network, and no money really moves, it's just a bunch of credits and debits. Then, at an agreed upon time, they "fess up" and pay their outstanding balance (or get paid) on the Fed wire (or others methods in other countries).

    SWIFT also provides the banks with a general message service like sending a TELEX.
    • Old or not, it's wrong. SWIFT is for international transfer, not domestic. Banks use Fed wire all day long.
    • and to my knowledge, always has been and has specialised in international transfers. There are also supra-national groupings that whilst smaller than SWIFT facilitate rapid payments within their partenrs, such as the TARGET system operated by the European Central Bank for low-cost Euro payments in the Euro-zone (and some count5ries outside).

      SWIFT is an irrevocable payment transfer system. It doesn't guarantee liquidity, that is up to the Fed in the US, or whatever is the local Central Bank. For info on i

  • None of this "Funds will be available by 12pm next business day" crap. I'm sure we've all had at least one NSF charge at the bank because of the funds available thing.
  • Gives me images of the normally quiet halls of the federal reserve, where suddenly the walls open ATM slots and start poring billions in cash willy nilly.

    And the chairman, walking away mid-shin in bills, trying to look not guilty.
  • The old FedLine terminals have needed replacing for years.

    With the advent of Check 21, banks will now be able to exchange check images instead of physical documents for presentment. The existing Fedline infrastructure (old DOS machines on 16KBS modems (at best)) is insufficient to handle this kind of traffic.

    Fedline for the web has been "happening" for some time now - each application in Fedline is being ported over to their web application suite.

  • by buckhead_buddy ( 186384 ) on Sunday August 15, 2004 @04:28PM (#9975638)
    Much has been made of the evil of monopolies on Slashdot (from Microsoft dominating the desktop to Apple regulating music formats).

    The Federal Reserve is a private corporation operated and owned by private banks and given special monopoly existence by congress back on Christmas Eve in 1913. This is a very scary monopoly that has (perhaps unconstitutionally) usurped Congress's power to coin, issue, and regulate the American money supply.

    While I won't attempt to proffer all of the observations (probably labeled as "tinfoil hat theories" because neither political party wants to call them into question) I will point out a very human readable web page that highlights some of these issues in a phone call to the Federal Reserve Bank of San Francisco [rense.com].

    I realize that the Internet is a public network and that the Fed has every right to switch its internals over to using it. But it will likely cause two bits of controversy.

    First, they are a private corporation so if the receive a private set of Class A IP addresses or other special treats it will expose some flaws in the public vs. private issues of control of the internet. (This is probably of more interest to slashdotters.)

    Second, The Fed may be exposing tremendous auditability and accounting problems that don't exist on the private network. While their books and procedures are publicly audited, they have simply "lost" money (both physical and transactional). The paranoid would suspect that perhaps they've been inspired by the Diebold voting systems which can apparently cause votes to simply come and go in an unaccountable manner. The less paranoid should still see that this change will need a great deal more publicly auditable security to keep robber barrons from simply coming up with a new means of screwing over those of us who rely on cash & credit.

    I can understand the need to migrate from old proprietary technolgies to new ones, but this migration should be watched VERY closely and where possible should be opened up for further audit and regulation.
    • Let's see if I can blast through your tin foil hat:

      First it is not "a private corporation operated and owned by private banks" Frequently Asked Questions about the Fed [federalreserve.gov]

      "The Federal Reserve System is not "owned" by anyone and is not a private, profit-making institution. Instead, it is an independent entity within the government, having both public purposes and private aspects."

      Second, there is no confusion over public / private control over the internet. It is publicly controlled. Congress can revoke IC
    • The Federal Reserve is a private corporation operated and owned by private banks and given special monopoly existence by congress back on Christmas Eve in 1913. This is a very scary monopoly that has (perhaps unconstitutionally) usurped Congress's power to coin, issue, and regulate the American money supply.

      See http://en.wikipedia.org/wiki/Federal_Reserve_Syst e m [wikipedia.org] for non-hysterical/factually inaccurate information about the Federal reserve.

    • The Federal Reserve is a private corporation operated and owned by private banks and given special monopoly existence by congress back on Christmas Eve in 1913. This is a very scary monopoly that has (perhaps unconstitutionally) usurped Congress's power to coin, issue, and regulate the American money supply.

      I can't get into wether it is constitutional or not (I'm not american), truth is that your federal reserve is doing one hell of a good job.

      The federal reserve is actually one of my favourite example
      • I agree that the Fed's independence is a good thing and has been well preserved. Some of the reason for its success is that it's run by the very rich and they have shown an enlightened self-interest that a healthy American economy is good for their own pocketbooks. That's not cynical; that's probably one of the best ways to manage a money system.

        It is an awkward entity though. It can offer small dividends to investors which is something that other independent government authorities don't do (Supreme Court
  • Obscurity (Score:3, Insightful)

    by 42forty-two42 ( 532340 ) <bdonlan@@@gmail...com> on Sunday August 15, 2004 @04:34PM (#9975672) Homepage Journal
    They aren't specifying the types of security measures that will be used (security through obscurity?)

    Obscurity does not decrease security in and of itself. If you have a truly secure system, obscurity may increase the security somewhat. However, if your system is insecure, obscurity won't stop a determined adversary.
  • by eric76 ( 679787 ) on Sunday August 15, 2004 @04:40PM (#9975705)
    They aren't specifying the types of security measures that will be used (security through obscurity?) Am I the only one who thinks that this is a very bad idea?

    Of course you're not the only one that thinks that is a very bad idea. There are hordes of technical people who think in terms of bad slogans.

    The problem with "security through obscurity" is that when that is your primary, or only, protection, it is usually very poor security.

    On the other hand, if you start with very good security and don't publish any details of additional steps, and you guard your network as if everyone does know the details anyway, then obscurity enhances your security.

    In other words, obscurity does not provide much security, but it can enhance your security.

  • Am I the only person here that finds it scarier that they were relying on PCs running DOS than that they are moving to web applications on the internet?

    As some have observed, with these kinds of transactions, denial of service is probably a bigger threat than fraud. These are huge transactions between banks that you couldn't exactly route into you Citibank personal checking account and withdraw at the nearest ATM, and they can be reversed if something goes wrong.

    So the question is, is the risk of some

  • by Zebra_X ( 13249 ) on Sunday August 15, 2004 @04:49PM (#9975751)
    transfers now take place over the internet instead of via a private banking network.

    A private banking network is the ultimate level of security through obscurity. In such a closely "protected environment" one could get away with being very lazy, but we don't know if they have or not, becuase it's private. All we DO know is that it seems to have work reliably for a long time. Generally, this would give me faith in the architects ability to construct a well built, resilient network.

    Might a DDOS attack on the Fed's computers bring down the entire banking system?" The banks have put some thought into security.

    Not likely. A well thought out network pan can prevent this from happening.

    They aren't specifying the types of security measures that will be used (security through obscurity?)

    Why should they? For "peer review"? I'm thinking that the banks have this one covered. In their case it is in their best interests to have the best security possible. In fact, I read somewhere that banking institutions are testing the use of entangled particles for use in secure transactions, sorry no link.

    Am I the only one who thinks that this is a very bad idea?

    Probably not, but I think so far they have done a good job, I'm not worried.
  • by MikeDawg ( 721537 ) on Sunday August 15, 2004 @04:49PM (#9975754) Homepage Journal

    I work for a decent sized bank data processing center. We have been using the web-based FedLine for quite some time now. We do transfers to and from the Federal Reserve in Minneapolis (sp?), St. Louis, and Kansas City. We have been trying to migrate from the old modem based FedLine method.

    I feel as confident about the web-based system, as I do about non-web based version, that we have used in the past. The old system is very outdated, it connects to the Fed at 9600 Baud or less, and there really is no reason as to avoid the web-based version, as opposed to the old dial-in version. I think they would both be as succeptible (sp?) to any sort of hacking attempts, just two different methods.

    This is really not a big deal, and its really not all that new. I for one will be happy when the Fed moves away from their old FedLine though.

    • I work for a small community bank, and we use both the old FedLine for DOS system as well as the new FedLine for the Web. Currently, the Fedline/Web has a decent amount of the features of the old DOS system, but is still lacking certain ones that the Fed has refused to do over the internet for some time due to security.

      The DOS based system uses a 19.2k modem connection back to the Fed, and the data is encrypted using a Jones Futurex hardware encryption board. Security is rather tight, requiring both a loca
  • by seanvaandering ( 604658 ) <.moc.liamg. .ta. .gnirednaav.naes.> on Sunday August 15, 2004 @05:05PM (#9975841)
    Might a DDOS attack on the Fed's computers bring down the entire banking system?"

    7--Core Principle VII:
    The system should have a high degree of security and operational reliability and should have contingency arrangements for timely completion of daily processing.


    Let me quoth for those who don't read the articles:

    Fedwire Data Centers
    Three data processing centers support the Fedwire services. One site supports the primary processing environment with on-site backup. A second site serves as an active, "hot" backup facility with on-site backup. A third site serves as a "warm" backup facility. The three data processing centers are located a considerable distance from each other (i.e., hundreds of miles) in order to mitigate the effects of natural disasters, power and telecommunication outages, and other wide-scale, regional disruptions. In addition, all three data centers have appropriate security and include various contingency features, such as redundant power feeds, environmental and emergency control systems, dual computer and network operations centers, and dual customer service centers.


    Take a read through it, and its a really dry read by the way, it looks like they've got it pretty much figured out. Good luck finding those servers and then trying to DDOS them out of existance. Then again, if someone almost got the worldwide DNS root servers offline, then this could be just a drop in the bucket...
  • Just hope that they won't transfer money like in the movies - One dollar at a time :)
  • This is just WRONG (Score:3, Interesting)

    by Anonymous Writer ( 746272 ) on Sunday August 15, 2004 @05:24PM (#9975925)

    During the early days of the Web, before Java, scripting languages, and Active X controls, people knew that running remote code on your computer was simply wrong. Now look at all the viruses and worms that propagate through the Internet simply because remote code can be loaded onto a computer and run so easily.

    Any banking network must be completely physically separate from the Internet. And It must use an entirely different system, incompatible with the internet as well, using different hardware and protocols, just in case somewhere along the line some connection is inadvertently made. This would provide the same "security through obscurity" that Linux and Mac users enjoy in an internet full of Windows viruses.

    Any attempt to somehow integrate banking with the existing Internet will eventually result in security breaches. No matter what kind of encryption or even hardware methods of security are implemented, there will constantly be new vulnerabilities discovered if there is any physical line of access from the public internet.

    Hardware firewalls have already been proven to be succeptible to network attacks via DNS [slashdot.org]. Some people have a clue about this, given the example of a two headed hard drive [slashdot.org] previously mentioned on Slashdot, to physically separate the hard drive writing process from public access.

    • Any banking network must be completely physically separate from the Internet. And It must use an entirely different system, incompatible with the internet as well, using different hardware and protocols, just in case somewhere along the line some connection is inadvertently made.

      You're suggesting that they design all new hardware and software for the banking system? For example, a bank on a dialup line wouldn't use POTS, but would use a line totally seperated from the TELCO network? And, the MODEM would
  • Why is this needed? why cant they just use the private networks?
    The private bank networks have seem to have worked fine for the last decade or two, so why fix it if it aint broke? hell the internet is the LAST option I'd go with for transfers, the fact the internet has an open nature, if they're using a Secure VPN then I dont see too much of an issue, but why change from a private system without any known issues to a system that is open to the entire world and the public no less? isnt this a flawed idea?
    or
  • by Whatchamacallit ( 21721 ) on Sunday August 15, 2004 @05:42PM (#9976013) Homepage
    The early (DarpaNet) Internet was designed by the US Government as a cold war computing network. It was to remain intact in the event of one or more portions of the network being obliterated in a nuclear attack. Multiple point to point connections that could re-route to reach a destination.

    Today's Internet is much more dependent on large pipelines and due to increased traffic is more vulnerable. Worms like Code Red and others effectively shutdown the Internet making it essentially useless. This lasted for days and weeks as new viruses spun off from the older viruses.

    The question would be not so much the security of the Fed's connectivity but the reliability of that connectivity. Say you have another worm outbreak due to some flaw in WinXP SP2 that causes the Internet to literally flood with massive amounts of traffic that ends up consuming 90% of the bandwidth and ends up bottlenecking and strangling the connections in highly populated areas. The Internet as it exists today needs a serious upgrade in the next few years in regards to bandwidth, encryption, and protocols.

    Just look at what happened in NYC to both the cell phone networks and the landline's when 911 happened. They were so overwhelmed by the network traffic that many people could not make a phone call. Millions of people in NYC picked up the phone and Millions more outside NYC tried to call family and friends in NYC.
  • Internet Based? (Score:3, Informative)

    by Karma Farmer ( 595141 ) on Sunday August 15, 2004 @05:55PM (#9976075)
    I haven't read the entire FedLine manual, but I don't see anywhere that says this is going to be on the internet -- only that it will use Internet Based Technologies.

    If they're running an Encrypted VPN over leased lines on an airgapped network, then this story is nothing but "Fed to update network protocols to TCP/IP, just like everyone else has done."
  • by nusratt ( 751548 ) on Sunday August 15, 2004 @06:09PM (#9976161) Journal
    First read the comment from the guy who works at the Fed, where he talks about what kind of data WILL now be going over the public net.

    Question: in view of everything which has changed in the last three years regarding powers to do secret searches and wire-taps without a warrant, how does this news change what kinds of banking data will now be secretly sniffable by the DHS & FBI without technically violating inter-agency restrictions?
  • by cosmic_0x526179 ( 209008 ) on Sunday August 15, 2004 @06:12PM (#9976180)
    Sometime between now and new years, the Fed will activate a new business function (based on the Check21 law, passed by Congress in 2003). That will allow banks (who wish to do so) to 'truncate' the paper-passing of physical checks and send an image of the check (along with the MICR scanned data). Those images will be in B/W TIFF files. Now, any bank that handles a sizeable number of checks per day, is going to have quite a bit of data to move in the evening. The fed-cutoff times that have been posted, make it monetarily adventagious to the banks to get the data moved sooner rather than later. And who do you think has the biggest pipes to move some of that data ?

    Why the internet of course. google Check21 to see more info on how this in being handled. Oh, and don't expect your checks to take 2-3 days to clear cross country anymore.

    Ray
  • by ajv ( 4061 ) on Sunday August 15, 2004 @07:53PM (#9976661) Homepage
    Carriers are notorious at bad security, particularly on PVC's and other "private" links. You enter this cloud and they claim it's secure.

    Going over the Internet is no different than using a modern frame PVC or ATM link, particularly if you're using C&W infrastructure as their GIN architecture *is* the Internet with VPNs over it.

    Properly risk assessed, and with appropriate key management, going over the Internet has only one major failing - quality of service. If you can work around that by using multiple providers, there is nothing really wrong with using the Internet as a transaction medium.
  • by eyepeepackets ( 33477 ) on Sunday August 15, 2004 @09:48PM (#9977162)
    ...a short while ago to set up a checking account and the nice woman sits me down across from her desk, swivels her LCD so I can see it and, what the F**K, it's running MS product! I politely said, "Ummm, something came up" and left.

    I've heard it said that any system is only as strong as its weakest link.

Ma Bell is a mean mother!

Working...