[ISN] Electronic financial networks: How safe are they?

From: InfoSec News (isnat_private)
Date: Tue Oct 30 2001 - 01:39:32 PST

  • Next message: InfoSec News: "[ISN] Win-XP vs Red Hat 7.2"

    By Jim Hopkins
    Tens of billions of dollars were bottled up at the Bank of New York
    for 3 days after World Trade Center telephone systems collapsed on
    Sept. 11. The bank, a linchpin on Wall Street, electronically
    transfers money and stock and bond trades among investment firms and
    more than 7,000 banks worldwide over high-speed telephone lines. After
    those lines were cut, it was hours before some Bank of New York
    customers could determine the status of their accounts. Had bonds they
    sold been delivered to buyers? Had buyers paid? The crisis threatened
    to saddle clients with millions of dollars in extra finance charges.
    That day, the bank immediately switched to emergency backup systems
    outside Manhattan. By week's end, operations returned to near normal.
    Still, the incident underscores the U.S. financial system's dependence
    on a handful of key electronic payment networks and those networks'
    vulnerability to attack. After Sept. 11, the FBI put banking and
    finance on a list of seven industries to be on highest alert to
    Short of nuclear war, nothing could shut down the payment networks for
    good, finance and computer experts say. But they could be hampered for
    hours, or days, as the Bank of New York incident showed.
    About $3.5 trillion pours daily through three major payment networks
    that dwarf the Bank of New York's. The networks, run by banks and the
    government over high-speed phone lines, converge at just 10 secret
    data-processing centers nationwide. They transmit everything from
    direct-deposit paychecks to utility bill payments to huge corporate
    transfers in the USA and abroad.
    Domino effect
    If terrorists simultaneously destroyed all 10 hubs either severing the
    phone lines running to them or mounting a massive cyberattack they
    could destabilize the U.S. economy until new systems were created,
    experts say.
    Given enough delay, companies and consumers could default on loans.
    Corporations could not access cash. And the liquidity crisis could
    cascade through the global economy. "You would be bringing the
    financial system to its knees," says Maureen Burton, a finance
    professor at California State Polytechnic University.
    It is no secret that the financial system is vulnerable. A 1997
    presidential commission on U.S. defense said electronic payment
    networks are inviting targets for terrorists and other criminals.
    Together, they "seem to present a serious physical vulnerability" to
    the financial system because there are "few if any alternatives
    available to provide those services in the event of a disabling
    catastrophe," the commission said in its final report.
    To date, no one has succeeded in taking down the largest U.S.-based
    payment networks, officials of the biggest say.
    Yet the commission noted that financial institutions are loath to
    publicize "intrusions" of individual computer networks, doing so might
    shake consumer confidence. Vivek Wadhwa, CEO of Relativity
    Technologies, a bank computer consulting firm, says he is "sure there
    have been many instances that have not been reported" involving bank
    computer systems.
    While the government, Wall Street and the electronic payments industry
    maintain they have enough geographic diversity and backup systems,
    they are studying ways to bolster security. The New York Clearing
    House, which runs a major payment network, is reviewing its
    operations. For several reasons, including a desire to disperse
    geographically, investment banks are moving operations out of the
    concentrated financial district of Manhattan. And industry officials
    such as Jill Considine, CEO of the Depository Trust & Clearing Corp.,
    are reconsidering the wisdom of concentrating so many tech workers and
    telecommunications systems in Lower Manhattan.
    Vulnerable networks
    Money has been transferred electronically since at least 1918 when the
    Federal Reserve which manages the nation's money supply started using
    a private telegraph system. Computer networks accelerated the trend.
    Three major systems have become the U.S. economy's financial arteries:
    * Automated Clearing House Network. The cooperative run by banks, Visa
    and the Federal Reserve transfers $20 trillion a year over leased
    phone lines among U.S. consumers, banks and companies. Most of the 7
    billion annual transactions are small payments that occur regularly,
    such as direct-deposit paychecks and Social Security checks. There are
    10 main and backup centers in New York City, Phoenix, New Jersey and
    other U.S. locations kept secret for security reasons.
    * Fedwire. Run by the Federal Reserve, Fedwire moves more than $570
    trillion a year between U.S. banks, mostly for big companies. Nearly
    70% passes through the district run by the New York Fed, based in
    Lower Manhattan. Again, the network runs over leased phone lines
    converging at three "geographically dispersed" data-processing
    centers, the Fed says. Those centers also run the Fed's portion of the
    Automated Clearing House Network.
    * CHIPS. The Clearing House Inter-Bank Payment System serves
    international banking and handles almost $300 trillion annually. It is
    run by the New York Clearing House, a cooperative owned by 59 banks.
    CHIPS' phone lines converge at a main office in New York. There is a
    backup center in New Jersey. The centers also run the cooperative's
    portion of the Automated Clearing House Network.
    The three systems were not interrupted on Sept. 11, officials say.
    Eight banks near the World Trade Center had to establish new data
    lines to CHIPS after they relocated that day. That delayed payment
    transfers for several hours. But the financial impact was minimal.
    Rebuilding: Hours or days?
    There is little consensus on the time needed to resurrect networks
    after a catastrophe. The National Automated Clearing House
    Association, a trade group that sets industry standards, says it could
    be done in a few hours. Backup systems exist. Lost data could be
    recovered from copies kept at multiple locations.
    If all 10 data centers were destroyed, a new network could be up
    within hours, says William Nelson, executive vice president of the
    clearing house trade group. He wouldn't be more specific.
    He says that is possible because big banks use similar systems to
    store and transmit data and could resend data believed lost to a new
    network housed at existing bank processing centers.
    But given the delays seen at the Bank of New York, computer and
    finance experts say it could take many hours, or days, to reconstruct
    networks. It could take 24 hours to resurrect the work done by just
    one of the 10 data centers, says computer security expert Michael
    Erbschloe of Computer Economics.
    Nelson's time estimate "seems pretty fast to me," adds University of
    Louisville finance professor Russ Ray, who has studied Fedwire and
    Nelson admits he has never considered a scenario under which all 10
    centers are destroyed. "I think you're talking about something that
    would be really, really hard to imagine," he says. Then, he adds, "I
    guess the World Trade Center disaster was hard to imagine, too."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 03:59:49 PST