Information Security News mailing list archives

Electronic financial networks: How safe are they?
From: InfoSec News <isn () c4i org>
Date: Tue, 30 Oct 2001 03:39:32 -0600 (CST)


By Jim Hopkins

Tens of billions of dollars were bottled up at the Bank of New York
for 3 days after World Trade Center telephone systems collapsed on
Sept. 11. The bank, a linchpin on Wall Street, electronically
transfers money and stock and bond trades among investment firms and
more than 7,000 banks worldwide over high-speed telephone lines. After
those lines were cut, it was hours before some Bank of New York
customers could determine the status of their accounts. Had bonds they
sold been delivered to buyers? Had buyers paid? The crisis threatened
to saddle clients with millions of dollars in extra finance charges.
That day, the bank immediately switched to emergency backup systems
outside Manhattan. By week's end, operations returned to near normal.

Still, the incident underscores the U.S. financial system's dependence
on a handful of key electronic payment networks and those networks'
vulnerability to attack. After Sept. 11, the FBI put banking and
finance on a list of seven industries to be on highest alert to

Short of nuclear war, nothing could shut down the payment networks for
good, finance and computer experts say. But they could be hampered for
hours, or days, as the Bank of New York incident showed.

About $3.5 trillion pours daily through three major payment networks
that dwarf the Bank of New York's. The networks, run by banks and the
government over high-speed phone lines, converge at just 10 secret
data-processing centers nationwide. They transmit everything from
direct-deposit paychecks to utility bill payments to huge corporate
transfers in the USA and abroad.

Domino effect

If terrorists simultaneously destroyed all 10 hubs, either severing the
phone lines running to them or mounting a massive cyberattack, they
could destabilize the U.S. economy until new systems were created,
experts say.

Given enough delay, companies and consumers could default on loans.
Corporations could not access cash. And the liquidity crisis could
cascade through the global economy. "You would be bringing the
financial system to its knees," says Maureen Burton, a finance
professor at California State Polytechnic University.

It is no secret that the financial system is vulnerable. A 1997
presidential commission on U.S. defense said electronic payment
networks are inviting targets for terrorists and other criminals.
Together, they "seem to present a serious physical vulnerability" to
the financial system because there are "few if any alternatives
available to provide those services in the event of a disabling
catastrophe," the commission said in its final report.

To date, no one has succeeded in taking down the largest U.S.-based
payment networks, officials of the biggest say.

Yet the commission noted that financial institutions are loath to
publicize "intrusions" of individual computer networks; doing so might
shake consumer confidence. Vivek Wadhwa, CEO of Relativity
Technologies, a bank computer consulting firm, says he is "sure there
have been many instances that have not been reported" involving bank
computer systems.

While the government, Wall Street and the electronic payments industry
maintain they have enough geographic diversity and backup systems,
they are studying ways to bolster security. The New York Clearing
House, which runs a major payment network, is reviewing its
operations. For several reasons, including a desire to disperse
geographically, investment banks are moving operations out of the
concentrated financial district of Manhattan. And industry officials
such as Jill Considine, CEO of the Depository Trust & Clearing Corp.,
are reconsidering the wisdom of concentrating so many tech workers and
telecommunications systems in Lower Manhattan.

Vulnerable networks

Money has been transferred electronically since at least 1918, when the
Federal Reserve, which manages the nation's money supply, started using
a private telegraph system. Computer networks accelerated the trend.
Three major systems have become the U.S. economy's financial arteries:

* Automated Clearing House Network. The cooperative run by banks, Visa
and the Federal Reserve transfers $20 trillion a year over leased
phone lines among U.S. consumers, banks and companies. Most of the 7
billion annual transactions are small payments that occur regularly,
such as direct-deposit paychecks and Social Security checks. There are
10 main and backup centers in New York City, Phoenix, New Jersey and
other U.S. locations kept secret for security reasons.

* Fedwire. Run by the Federal Reserve, Fedwire moves more than $570
trillion a year between U.S. banks, mostly for big companies. Nearly
70% passes through the district run by the New York Fed, based in
Lower Manhattan. Again, the network runs over leased phone lines
converging at three "geographically dispersed" data-processing
centers, the Fed says. Those centers also run the Fed's portion of the
Automated Clearing House Network.

* CHIPS. The Clearing House Inter-Bank Payment System serves
international banking and handles almost $300 trillion annually. It is
run by the New York Clearing House, a cooperative owned by 59 banks.
CHIPS' phone lines converge at a main office in New York. There is a
backup center in New Jersey. The centers also run the cooperative's
portion of the Automated Clearing House Network.

The three systems were not interrupted on Sept. 11, officials say.
Eight banks near the World Trade Center had to establish new data
lines to CHIPS after they relocated that day. That delayed payment
transfers for several hours. But the financial impact was minimal.

Rebuilding: Hours or days?

There is little consensus on the time needed to resurrect networks
after a catastrophe. The National Automated Clearing House
Association, a trade group that sets industry standards, says it could
be done in a few hours. Backup systems exist. Lost data could be
recovered from copies kept at multiple locations.

If all 10 data centers were destroyed, a new network could be up
within hours, says William Nelson, executive vice president of the
clearing house trade group. He wouldn't be more specific.

He says that is possible because big banks use similar systems to
store and transmit data and could resend data believed lost to a new
network housed at existing bank processing centers.

But given the delays seen at the Bank of New York, computer and
finance experts say it could take many hours, or days, to reconstruct
networks. It could take 24 hours to resurrect the work done by just
one of the 10 data centers, says computer security expert Michael
Erbschloe of Computer Economics.

Nelson's time estimate "seems pretty fast to me," adds University of
Louisville finance professor Russ Ray, who has studied Fedwire and

Nelson admits he has never considered a scenario under which all 10
centers are destroyed. "I think you're talking about something that
would be really, really hard to imagine," he says. Then, he adds, "I
guess the World Trade Center disaster was hard to imagine, too."
