It's still plenty archaic, but takes the headline's shock value down a small peg.
 It adds a mental pause -- a Secure ... FTP server. It hints that, possibly, it's a reference to a different aspect of the server's security (a non-technical person might refer to a server as being a "secure" server simply because it's protected by an ID and password, for instance).
 Based on my personal interaction with banks and software, as well as several friends who had previously been members of a few banks' IT departments, my first -- very sarcastic thought -- was "of course it works that way!"
ACH format is super weird .. tons of lines with 99999 on them as separators. And yes, we had to go through a bank to do any ACH transactions. They shipped us a router that setup an IPSec tunnel and it had a backup ISDN connection on it as well.
I wish ACH was more accessible. In many other countries, you give people your Name, Bank and Account number (Australia: BSB + Acct, NZ: it's one big number) and people can just send you money. Appears the next day, even on holidays. In the US we still have to photo checks with a phone app? WTF? I wrote a thing about our banking system here:
Plausible stories are easy to make up. Lots of countries - probably most - with higher GDP per capita than the US have lower latency banking. The US has a large proportion of people who are worse off than the equivalents in many poorer countries, too.
The newer platforms (like mobile banking) were adopted in those (poorer) markets because they were cheaper to deploy relative to the technology that preceeded them, and perhaps more importantly, they had less inertia to overcome (against entrenched interests).
Many places leapfrogged directly to mobile phones (featurephones mostly) because there were little to no power and/or landline wiring present (and attempts at getting such infrastructure in place got disrupted by people stealing the wiring and selling it as scrap copper).
It's also credits the recipient immediately. That's possible since all the participating banks have deposited a number of billions in a mutual fund designed to cover the losses in the case one of the banks runs out of money, and also probably by having an internal account to debit during the day.
They are tranfering money between the banks at one (or maybe a few) standard clearing runs involving the Riksbank, that works more or less like ACH. I think all of them are scheduled in the morning.
All Swedish banks are working onreplacing the payment infrastructure (the clearing. ) It's supposed to be finished in 2024 or something like that.
I consider it a huge marketing failure that this is such a little known capability.
Once you move into the realm of trying to tie an identifier you have no control over (and that has no reliable verification method for) to a place where money will go, you open yourself up to a smorgasbord of potential attack vectors, confusions and edge cases.
Zelle associates the bank account to a email address and / or phone number. Creation of these associations is gated through the member banks. So you have all the controls you have for any other banking task.
So if Alice provides Bob a globally unique identifier to their bank account, then that's where it's going.
If Alice gives Bob a token that is hopefully mapped to the account, then there's an additional layer that can go wrong.
Eve can compromise Alice's e-mail or phone number, and then try and convince their bank that their bank account should now be associated with that identifier. If it's a different bank, then presumably this request must be federated through the third party system. And hopefully the 'true' owner is not identified by sending an e-mail or SMS.
Or maybe Eve just creates a bunch of accounts and tries to associate them with a bunch of telephone numbers and e-mail addresses that she can compromise at will and waits for the money to roll in. This is obviously more likely if some people have more than one account, as it means that the mapping of account -> e-mail/phone no. can no longer be mandatory.
In your example it sounds like they've got some reasonable safeguards in place (like ensuring you have to de-register a mapping before you can register a new one), the only point I was trying to make is that yes, it can be done, but to be done safely it's much harder than just simply having an account number (including routing number/sort code/swift code etc.).
You lose the 1-1 mapping and it gives you yet another thing that you have to actively manage/remember how it's set up/remember to change when you change e-mail provider or your phone number changes.
Also, the association is to receive, not to send. Sending is initiated by your bank, which obviously already knows your account number. You send from your bank account to an email or phone number, which Zelle then translates to the target bank account.
Unlike the US the bank account number shouldn't be guarded with your life, so businesses often have it listed on their website.
All European countries have it.
Up next: Payment Services Directive 2 - API access to bank accounts. This is going to be interesting.
alot of people here dont like to buy stuff with CC so they transfer the money with internet banking, and also get a discount because that is treated as cash, and if the webshop is with another bank you have to wait to get a confirmation they received the money, or can try to send them transaction confirmation in PDF.
sometimes its anoying when you are ordering something expenensive and have to wait a bit longer because only after your payment do they order it from the distributor.
It's very easy to get stuck inside the developer bubble, where 'archaic' means 'something that was state-of-the-art four years ago (or in the web/design world, 3.5 minutes ago)'.
SFTP is a nice technology which I make quite frequent use of in my job and at home. The idea that I plug in my Yubikey, provide a passphrase to unlock the key, authenticate to my server which that's got a verifiable certificate installed, and the private key never leaves my Yubikey is about as state-of-the-art as I could ever ask for security-wise.
Granted, precisely how the SFTP site is secured isn't specified and there's plenty of ways to do that wrong, but as a technology, it's always impressed me how seamlessly it works once it's setup.
The biggest problem I've found is that there's no real feedback loop (for this class of integration, not sftp specific). Company A uploads a file -- often in the middle of the night -- and Company B processes that file some time later. Could be a minute, could be a day. Company B fails to process the file, possibly because of a change on their end, possibly because of a change on Company A's end. There's usually a bunch of back and forth, but ultimately the earliest you can determine if a fix works is a full 24 hours after the file was initially dropped. Both companies could create integration environments with shorter feedback loops to help, but ultimately its a problem of not getting an immediate response that the integration is working.
95% of my job involves writing software to integrate systems from different companies, and the integrations that involve SFTP are almost always the biggest pains. I've thought about writing an SFTP server that operated in real time, and either rejected bad files or had some other way of responding to the inputs. Never really found the time to do it, and ultimately it'd be patching a process that should have just been a well designed API from the start.
Amazon Vendor Central only has support for EDI (at least in the UK) - as in EDIFACT files sent over FTP.
If you want to do business with them you either need to talk that or be comfortable farming out to a 3rd party (I'm 1 day into a project where I'm finding all this out, and the hell of EDI file formats).
There were a few reasons for this that made a lot of sense:
(1) Private keys were being stored haphazardly -- people were not protecting them with passwords and occasionally they ended up on network drives. It's possible to enforce password policies for the hosts in question, but not possible to enforce 'how you protect/handle your private key' centrally.
(2) The second only applied to an environment I managed in the past, but we had many Linux hosts that were AD domain joined and authentication occurred directly via AD credentials (no local account authentication). The servers were configured to allow password-only login when the user had never connected to the host before. Once the user had connected the first time, the host would receive the public key for that user and future logins would only require the key.
 ... that latter part they failed to ever get working properly. It always prompted for both. Based on my conversations with the team managing the servers, there was zero priority assigned to fixing that problem -- they were resentful of the fact that the Linux (Debian, incidentally) hosts were domain joined and allowed domain authentication and they had a poor opinion of the security of using AD user accounts for authentication (nobody would make an argument other than Micro == small, soft == not hard or some other snark like that -- we had some BOFH over there).
That doesn't sound that unreasonable. Both satisfy the "something you know" and "something you have" portions of multi-factor authentication (respectively).
Considering that this is money on the line, the idea of banks actually taking security seriously is actually refreshing. Too bad they don't seem to apply those standards to their customers.
The 'something you have' would have to be a specific hardware token (E.G. that VPN tunnel device someone else mentioned that is a black box you aren't allowed to open). Tamper resistance and physical security locks to ensure that connections /must/ route through a given location would be enough.
By this logic, a typical door key is "something you know" rather than "something you have" (never mind the uselessness of memorizing one's key shape when it comes to actually unlocking a door).
Unless you're memorizing your private SSH keys (in which case I applaud your superior intellect), it's absurd to claim that said keys fall into "something you know".
Hardware tokens are vulnerable too, by your own admission. A 6 digit pin created by a token is still "something you know" even if it's only good for a couple of minutes.
What _really_ sucks is one-off fixed-width formats that aren't well defined, or that change suddenly (oh, you thought that field would always be populated? lol no.)
Depending on the business-application, fixed-width formats are fantastic because they allow for genuine O(1) random-access to records without needing to precompute an index first. Writing parsers for fixed-width formats is also much simpler, for example, because it eliminates ambiguity around null-terminators vs length-prefix in text/string/array data - for resource-constrained environments it's great because you can guarantee you won't need to dynamically-allocate buffers. I feel the only real arguments against fixed-width records are concerned with wasted space - which are mitigated if your system lets you compress them somehow - because they'll typically compress very, very well.
Sometimes, fields can turn out to be too short. I have received a few letters from business with my last name truncated, because somebody way back when decided eight or nine characters are definitely enough for a surname.
I have no idea why it is and why people are so resistant to adopting ACKs.
But on the other hand, it's a complicated architectural decision. US military wants absolutely reliable communications? They invent TCP which relies a lot on acks. Swedish telecom company wants fast and absolutely reliable communicating systems? Cue throw hands in air with a "there's no guarantees even with socks so better to simply never assume your message arrived and instead focus on detecting anomalous behaviour." They invent Erlang where there are no acks for messages.
Have we gotten to the point where anything not HTTP is considered old?
But yes, anything but HTTP is "old". In large part because of corporate firewall rules that block anything but HTTP traffic (and more often than not filter even that traffic).
Sounds like they didn't need much if any of what you did. They wanted X and you gave them Y. Y would require them to change the way they worked. Did they need query capability? Seems like they didn't and SFTP would have suited them better.
Honestly sounds to me like you went for an overly complex solution where something simple would have done just fine.
Frankly once they hear it's node.js the users should be bowing down to worship!!!!
a) think about the scope of the problem and what you are trying to achive - you are blocking reads of the files by the uid/gid of the server. It is a known and solved problem. The tool is called chmod
b) think about the surface area of the attack - it should only be the SFTP server. We have ones that are very well known. I recommend the one that comes with OpenSSH but there are others.
c) think about business requirements - user's provisioning etc. That has been a solved problem for years - for the super-complex cases LDAP is used. For the simpler ones you can use PAM.
After thinking about that you just write the needed glue.
This attitude will not serve you well. There's saying no, and then there's getting more information (requirements!?!) to then guide people to better decisions.
But code that does not have upstream development and support is dead code. A piece of code in production is like an Internet connection or electrical or water hookup – it must be, so to speak, “connected” upstream to whoever is providing continuous upgrades and security/bug fixes. Otherwise, it is (to continue stretching the analogy) like a mystery battery or water barrel – it could go bad in many ways at any time and you wouldn’t know it until your equipment starts to fail because of low voltage or voltage spikes, or you start to die of legionnaires’ disease. And unlike a battery or water, there are only cursory, no good and thorough, ways to test their quality, and no way to test their age as measured by the way they interact with the ever-changing outside world.
Apparently, back in the days before ACH, banks met up at a parking lot in NYC every night and literally exchanged bags of paper checks.
There was a proposal build something better than ACH, but it was denied because the cost to upgrade the infrastructure would cost too much for small banks and credit unions.
I mean, either is fine, I would just imagine that if it was FTP at some point, moving to FTPS wouldn't be unreasonable.
As some simply can't go with certain open source project due to compliance, we settled with Tectia SSH. Similar story with VPN and other security-related stuff.
Everything is SFTP with them. Even API json response lol
They mention that other regions' inter-bank money-transfer systems (e.g. the EU's) have been sped up to be same-day, or in some cases nearly instantaneous. The US ACH system lags behind, due to the sheer number of institutions that would be involved in a modernization effort. (There are a lot more US banks than there are UK/French/Canadian/Australian/etc. banks; I think in part because a bank that operates in 50 states is technically—and legally—50 banks, and each one maintains its own ACH infrastructure?)
In general, and until very recently, Congress has abstained from directly regulating the banking industry. AFAIU, banks are subject to Federal law primarily indirectly via regulations promulgated by the Federal Reserve. But the Federal Reserve system is opt-in, and many smaller banks contract with larger banks to leverage the Federal Reserve transactional systems, and are therefore for the most part not subject to those rules.
It's all rather ironic because banking was one of the few areas of national commerce that was clearly contemplated to fall under federal regulatory powers, to some extent, during the time of the Constitution. Though opposed by Jefferson and Madison, the First National Bank was chartered in 1791. Yet now that federal powers have expanded to encompass every aspect of commerce, the legacy of the failure of the Second National Bank remains incredibly strong.
E.g. the EU got there by legal limits on transaction settlement time set by the first payment services directive, the infrastructure came into place only when the banks got the message that they have to improve the product or else (IIRC the law specified that after a couple years, customers would be entitled to compensation if their payments were "too slow"). Without the requirements, EU banks would still be happy to charge 10 eur for a 3 day payment, since that's obviously more profitable than charging cents or zero for same day payments, even if the payments would be running over fast&cheap infrastructure - case in point, UK banks, which charge extreme fees for EU EUR payments simply because they, as a non-EUR country, aren't forbidden by the EU to do so.
1/ See people encounter how these things work, because there's usually a sense of lost innocence about it. (If they stick around long enough they come to understand that dealing with hundreds of years of history is why glib "re-imagine everything" solutions tend to come a cropper).
2/ Continually discover that by the standards of the rest of the world, US banking is even more like banging rocks together.
With ACH if you have someone's routing number and account number you can pull money from their account without them needing to authorise it.
It's commonplace for bill payments, subscription services, etc.
So they do have a lot in common.
But before we start to discuss that point lets at least agree SFTP is some sort of FTP protocol over SSL?
But it says:
SSH File Transfer Protocol
The SSH file transfer protocol (chronologically the second of the two protocols abbreviated SFTP) transfers files and has a similar command set for users, but uses the Secure Shell protocol (SSH) to transfer files. Unlike FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted openly over the network. It cannot interoperate with FTP software.
This suggestion this term chronologically the second of the two protocols abbreviated SFTP is duplicitous.
EDIT: I think you will find FTPS is based on TSL not SSL. TSL is an alternative to SSL.
About the SFTP vs FTPS, SFTP is a completely new protocol based on SSH. FTPS is the plain old FTP wrapped in a TLS/SSL socket.
that is correct. That was my typo :(
> SFTP is a completely new protocol based on SSH.
If that is the case please explain the following scenario.
I wrote an editor that had FTP capabilities but it was based on the FTP RFC 913 specification using nothing but plain old sockets.
As a result, many user loved the FTP feature, but they asked for a version that would work over the SFTP protocol.
So I implemented an SFTP version of that editor by using OpenSLL to create a SSL socket. The editor just created a secure socket, but used the exact same FTP RFC 913 specification to talk to the server using that socket.
Ever user who asked for this change reported that it now worked perfectly with their SFTP (not TLS) server.
So how is that possible that my editor could implement the SFTP protocol with just a change to the way the socket was opened?
PS: If you don't believe me, you can trial that exact same SFTP (OpenSSL) editor from the link below and I'm pretty sure you'll find it still works with an SFTP server: http://www.zeusedit.com/download.html
Sure, the ACH file format is sort of sucky, but it's not like it's difficult. The lack of an ACK is super awful tho. Payroll has to call in 20m after sending to verify.
TLS is the only widely deployed standard cryptographic protocol which has ever protected any internet communication to any degree. For its many flaws and patchwork, there is nothing even competing in the category.
Actually sftp (ssh) tends to be a lot more popular than FTPS (TLS) because of the whole FTPS NAT catastrophe that sftp doesn't have.
The only time I've had FTPS work 'well' is when the client & server were both written by the same company (Tumbleweed) and they don't follow the RFC exactly.
If you are driving a car at 70mph around a mountain pass, even a really strong guard rail leaves the possibility that you could plummet ten thousand feet to your death. If, on the other hand, you were driving on the Bonneville salt flats at 45mph, there is much, much less danger.
Secure your data. Then paint the bike shed.
Some major news/market information provider solely made their data available to us through ftp. And used Amazon SNS to push a notification that something new is available on that ftp.
So no, sometimes there's very little difference between the two. FTP is just another way to send data over a network. I mean, you could even write a custom FTP server that read the file directly into processing instead of dropping it on a file system and reading it from there in some other process.
For that, there was HBCI years ago (also XML); don't know if it's used much still.
One of the challenges for banks is that there is an oligopoly on the software that runs the bank. There are 4 companies that provide the "core banking" software to most of the banks in the USA. The banks get stuck providing you with whatever services one of these four pieces of software is capable of.
Typically there's AT LEAST one intermediary payment processor (like Chase Paymentech) involved in the TX.
The downside to this is merchant has to register with multiple processing entities but things like "send and forget" APIs (so no need to batch things manually) - which makes it easy to combine ACH and CC payment acceptance in the same system, reporting/reconciliation, out of the box UI merchant can use to look up transactions etc etc outweigh that inconvenience.
We never charge basis points but places that do might make more sense for people who have low volume and low dollar amount transactions. I would say a lot of brick and mortar businesses fall into this category.
Sometimes simple just works.
That would look like
If only US banks already had access to some sort of shared currency they could use for such transfers!
Snark aside, this just seems like a horrible use for a crypto currency. Block chains are an interesting tool to solve a lack of trust when you're willing to give up some speed and convenience. Banks have full trust in themselves, the central banks, and the clearing houses that make the financial system work; they just need to update their systems to be faster.
When your problem is that you have trust and need speed, a solution which sacrifices speed to work in situations where you don't have trust is probably not a good option.
Banks basically have full trust in each other and central banks, actually (for these kind of transactions, not investments or whatever). If you're a bank and you fuck up to the degree where you don't properly handle ACH and other transactions, guess what happens: you're no longer a bank, the government swoops in and takes over, and everything gets sorted out and you go to jail.
It works pretty well.
For interbank transfers, it is. That's simply how the financial system works.
> They use ratings (either Standard and Poor's or others) to determine the risk involved in a liability.
No. The reason why your $50 ACH transfer to your cousin takes so long to clear isn't that recipient bank is checking Standard and Poor's to see if Wachovia is good for it.
What's wrong with having the bank as a central authority in their own banking system?
It is only an issue if there is sufficient lack of trust that the involved fear such a thing would happen.
Otherwise a block chain is overkill.
If I don't have to worry about the physical cash, there's no real reason for me to use a bank. They're a hanger on of a bygone era.
Can you use ACH to initiate a transfer between two (third) parties (i.e. you not being one of them)? If not, what are the requirements to be a broker / escrow in between them?
No, the closest you could come is what you quoted. You could issue the debit & credit actions together, but you'd be taking on the risk that the debit fails and the credit succeeds, leaving you short.
> If not, what are the requirements to be a broker / escrow in between them?
The Federal Reserve is the entity that is between all inter-bank ACH transactions. Essentially US banks hold an account with the Federal Reserve. When they send ACH payments for their customers, their Fed account is debited (and the other bank is credited). When they receive ACH payments for their customers, their Fed account is credited (and the other bank is debited).
Meanwhile in the US I still had to pay my rent with a physical check because that was easier than figuring out the weird 'pay anyone' implementation my bank had.
> An addendum to the ACH protocol to support same-day ACH settlement is something that is almost unanimously desired by the ACH community. The good news is that NACHA, the governing organization behind ACH, has recently announced plans to roll out a same-day ACH protocol. The challenge is coordinating the adoption of the new protocol across all participating banks. Once fully implemented, the same-day ACH system would likely cut one day from the timelines outlined here.
Between the two ACH is clearly better.