I noticed a few comments specifically referencing FTP (and who can blame them since the HN title as of this moment specifically references it). In the first post of the series, the author refers to the server as a "Secure FTP" server, which can be confusing to read[0]. In later parts (and a little googling of my own), it's clear that the server is actually an SFTP server, not a plain-old FTP server.
It's still plenty archaic, but takes the headline's shock value down a small peg[1].
[0] It adds a mental pause -- a Secure ... FTP server. It hints that, possibly, it's a reference to a different aspect of the server's security (a non-technical person might refer to a server as being a "secure" server simply because it's protected by an ID and password, for instance).
[1] Based on my personal interaction with banks and software, as well as several friends who had previously been members of a few banks' IT departments, my first -- very sarcastic thought -- was "of course it works that way!"
My first job in 2005 was to take over an ACH processing system that was written for our company. It was all in Perl. :-P
ACH format is super weird .. tons of lines with 99999 on them as separators. And yes, we had to go through a bank to do any ACH transactions. They shipped us a router that setup an IPSec tunnel and it had a backup ISDN connection on it as well.
I wish ACH was more accessible. In many other countries, you give people your Name, Bank and Account number (Australia: BSB + Acct, NZ: it's one big number) and people can just send you money. Appears the next day, even on holidays. In the US we still have to photo checks with a phone app? WTF? I wrote a thing about our banking system here:
As an American expat living in a developing country it seems very weird to me how backwards the US ACH system is. Where I live now it's the same as the countries you mentioned, anyone can send money to your bank account using just the account number. And it appears in minutes. The banks even offer you an SMS alert when founds arrive and the sender can elect to send an SMS to alert the receiver to check their account for the received funds. Everyone uses it, including many (most?) businesses.
From what I understand, the desire for instantaneous transactions is has an inverse relation with how much money you have. Poorer countries are generally way, way ahead in mobile banking, because in a rich country you are supposed to keep around a month's salary in all your accounts, making transfers less urgent.
The way I understand it, it's a coordination issue - the bigger a market is, the longer it takes for a big change to be adopted by everyone.
Plausible stories are easy to make up. Lots of countries - probably most - with higher GDP per capita than the US have lower latency banking. The US has a large proportion of people who are worse off than the equivalents in many poorer countries, too.
Your perspective describes the underlying issue much clearly than those who talk about "leapfrogging".
The newer platforms (like mobile banking) were adopted in those (poorer) markets because they were cheaper to deploy relative to the technology that preceeded them, and perhaps more importantly, they had less inertia to overcome (against entrenched interests).
That, and how much existing infrastructure there is.
Many places leapfrogged directly to mobile phones (featurephones mostly) because there were little to no power and/or landline wiring present (and attempts at getting such infrastructure in place got disrupted by people stealing the wiring and selling it as scrap copper).
Swish allows to send using an arbitrary number (phone or arbitrarily assigned) rather than an actual account number.
It's also credits the recipient immediately. That's possible since all the participating banks have deposited a number of billions in a mutual fund designed to cover the losses in the case one of the banks runs out of money, and also probably by having an internal account to debit during the day.
They are tranfering money between the banks at one (or maybe a few) standard clearing runs involving the Riksbank, that works more or less like ACH. I think all of them are scheduled in the morning.
All Swedish banks are working onreplacing the payment infrastructure (the clearing. ) It's supposed to be finished in 2024 or something like that.
The major US banks created clearXchange to solve this problem, which was later sold and now rebranded to Zelle. It's near-instantaneous transfers for supported banks, and only needs a phone number or email address. (I think it's quaint in comparison that you need to give out your bank account number for other systems. Holding of account numbers is exactly the problem that modern mobile wallets worked so hard to solve with tokenization.)
The difference is, however, that you can assign a bank account a number that is unique within a given banking system.
Once you move into the realm of trying to tie an identifier you have no control over (and that has no reliable verification method for) to a place where money will go, you open yourself up to a smorgasbord of potential attack vectors, confusions and edge cases.
Bank account numbers are not unique across banks. Account number schemes aren't even uniform across banks. The only limitation is what fits within the ACH system. You need the combination of routing number (to identify the bank) and account number (to identify the individual within the bank).
Zelle associates the bank account to a email address and / or phone number. Creation of these associations is gated through the member banks. So you have all the controls you have for any other banking task.
You'll note of course that I said "banking system," and I said "you can assign a bank account a unique identifier." i.e. I can create a scheme where I can map a particular account to a globally unique number, with rules about who owns which ranges etc.
So if Alice provides Bob a globally unique identifier to their bank account, then that's where it's going.
If Alice gives Bob a token that is hopefully mapped to the account, then there's an additional layer that can go wrong.
Eve can compromise Alice's e-mail or phone number, and then try and convince their bank that their bank account should now be associated with that identifier. If it's a different bank, then presumably this request must be federated through the third party system. And hopefully the 'true' owner is not identified by sending an e-mail or SMS.
Or maybe Eve just creates a bunch of accounts and tries to associate them with a bunch of telephone numbers and e-mail addresses that she can compromise at will and waits for the money to roll in. This is obviously more likely if some people have more than one account, as it means that the mapping of account -> e-mail/phone no. can no longer be mandatory.
In your example it sounds like they've got some reasonable safeguards in place (like ensuring you have to de-register a mapping before you can register a new one), the only point I was trying to make is that yes, it can be done, but to be done safely it's much harder than just simply having an account number (including routing number/sort code/swift code etc.).
You lose the 1-1 mapping and it gives you yet another thing that you have to actively manage/remember how it's set up/remember to change when you change e-mail provider or your phone number changes.
It's a 1:1 association. When I changed banks and tried to sign up online, it kept giving me an error. I stopped by a branch, and my old bank had registered me at some point. The teller had to call support and remove my previous association before they could create the new one.
Also, the association is to receive, not to send. Sending is initiated by your bank, which obviously already knows your account number. You send from your bank account to an email or phone number, which Zelle then translates to the target bank account.
The weirdness is historical. The '9'*94 padding and the line lengths are basically holdovers from when the ACH format was constrained by the capacity of 9 track tapes.
In most of Europe (UK and IE are one exception still using SWIFT) you just need the IBAN (international bank account number). In a lot of cases the payment is instant, even between countries, and free.
Unlike the US the bank account number shouldn't be guarded with your life, so businesses often have it listed on their website.
its still not impelemnted everywhere, in croatia the exchange between banks is happening twice a day, i believe at 12h and 17h.
alot of people here dont like to buy stuff with CC so they transfer the money with internet banking, and also get a discount because that is treated as cash, and if the webshop is with another bank you have to wait to get a confirmation they received the money, or can try to send them transaction confirmation in PDF.
sometimes its anoying when you are ordering something expenensive and have to wait a bit longer because only after your payment do they order it from the distributor.
Any idea why the UK is still allowed to charge so much for outgoing Euro payments? It's reduced a lot, but my UK bank still charges £9 + their poor exchange rate.
I phoned up my bank and asked them how they calculate their fees and the exchange rate on foreign transactions. Needless to say, they couldn't give me an answer.
Even calling it archaic is too harsh. Granted, the batch-centric nature is not ideal (and it's hard to imagine a system with this kind of latency built in being designed today), but if you're designing a system based on batch processing then shipping files over SFTP is a pretty reasonable way to do it.
It's very easy to get stuck inside the developer bubble, where 'archaic' means 'something that was state-of-the-art four years ago (or in the web/design world, 3.5 minutes ago)'.
SFTP is a nice technology which I make quite frequent use of in my job and at home. The idea that I plug in my Yubikey, provide a passphrase to unlock the key, authenticate to my server which that's got a verifiable certificate installed, and the private key never leaves my Yubikey is about as state-of-the-art as I could ever ask for security-wise.
Granted, precisely how the SFTP site is secured isn't specified and there's plenty of ways to do that wrong, but as a technology, it's always impressed me how seamlessly it works once it's setup.
SFTP tends to be the go-to method of integrating software between organizations, especially ones that aren't used to building actual APIs. It's standardized, everyone knows how to use it, and it essentially boils down to: generate a file and upload it to a server. There's all sorts of problems with it, and it tends to be a pretty short sighted decision.
The biggest problem I've found is that there's no real feedback loop (for this class of integration, not sftp specific). Company A uploads a file -- often in the middle of the night -- and Company B processes that file some time later. Could be a minute, could be a day. Company B fails to process the file, possibly because of a change on their end, possibly because of a change on Company A's end. There's usually a bunch of back and forth, but ultimately the earliest you can determine if a fix works is a full 24 hours after the file was initially dropped. Both companies could create integration environments with shorter feedback loops to help, but ultimately its a problem of not getting an immediate response that the integration is working.
95% of my job involves writing software to integrate systems from different companies, and the integrations that involve SFTP are almost always the biggest pains. I've thought about writing an SFTP server that operated in real time, and either rejected bad files or had some other way of responding to the inputs. Never really found the time to do it, and ultimately it'd be patching a process that should have just been a well designed API from the start.
I was just going to say, working for one of the largest destributors in the world, this is still how many large corps buy stuff: by downloading a catalog through FTP and sending the order with XML. I know, shocking but not everyone is Amazon.
Amazon Vendor Central only has support for EDI (at least in the UK) - as in EDIFACT files sent over FTP.
If you want to do business with them you either need to talk that or be comfortable farming out to a 3rd party (I'm 1 day into a project where I'm finding all this out, and the hell of EDI file formats).
Most payment vendors are on SFTP at this point. Very few still use only FTPS. But then they do silly things with SFTP, like requiring both a password and the ssh key.
In the past I've done the same things, as some have mentioned already, as a form of two-factor authentication.
There were a few reasons for this that made a lot of sense:
(1) Private keys were being stored haphazardly -- people were not protecting them with passwords and occasionally they ended up on network drives. It's possible to enforce password policies for the hosts in question, but not possible to enforce 'how you protect/handle your private key' centrally[0].
(2) The second only applied to an environment I managed in the past, but we had many Linux hosts that were AD domain joined and authentication occurred directly via AD credentials (no local account authentication). The servers were configured to allow password-only login when the user had never connected to the host before. Once the user had connected the first time, the host would receive the public key for that user and future logins would only require the key[0].
[0] ... that latter part they failed to ever get working properly. It always prompted for both. Based on my conversations with the team managing the servers, there was zero priority assigned to fixing that problem -- they were resentful of the fact that the Linux (Debian, incidentally) hosts were domain joined and allowed domain authentication and they had a poor opinion of the security of using AD user accounts for authentication (nobody would make an argument other than Micro == small, soft == not hard or some other snark like that -- we had some BOFH over there).
That doesn't sound that unreasonable. Both satisfy the "something you know" and "something you have" portions of multi-factor authentication (respectively).
Considering that this is money on the line, the idea of banks actually taking security seriously is actually refreshing. Too bad they don't seem to apply those standards to their customers.
If you can duplicate it, then it's something you know, not something you have. Everything you know in sum-total is one meta-passphrase, even if it's a combination of key-files and other data.
The 'something you have' would have to be a specific hardware token (E.G. that VPN tunnel device someone else mentioned that is a black box you aren't allowed to open). Tamper resistance and physical security locks to ensure that connections /must/ route through a given location would be enough.
"If you can duplicate it, then it's something you know, not something you have."
By this logic, a typical door key is "something you know" rather than "something you have" (never mind the uselessness of memorizing one's key shape when it comes to actually unlocking a door).
Unless you're memorizing your private SSH keys (in which case I applaud your superior intellect), it's absurd to claim that said keys fall into "something you know".
It's a key pair, for SSH keys, which is what SFTP uses to tunnel the FTP protocol. You cannot derive the private key from the public key. So no, you cannot duplicate someone's private key unless you have access to their machine. In which case you could just install a keylogger.
Hardware tokens are vulnerable too, by your own admission. A 6 digit pin created by a token is still "something you know" even if it's only good for a couple of minutes.
Correct, you are. The later parts in the article, though, specifically call out SFTP by name. Based on the other comments and some searches I did before hitting that second part, I'm fairly certain they're actually using SFTP rather than FTPS, but having never actually touched the ACH system, I can't speak first-hand on that.
I've written an SFTP server (nodejs) that passes the files to the proper API this summer. No magic there and the user who doesn't have the resources to implement an API client is happy.
I came to ask the same question, I followed the comments link on the tfa and notice it linked back to HN 1200 days ago and that was one of the top questions.
not necessarily SFTP, always FTP in some form in the US. I have seen FTPS, I have also seen banks just use FTP by default without encryption (shocking? not really).
I had an integrator request this so I stood up a nodeJS server that only implements upload, not download. This way if they leaked their own password, a malicious actor is limited to forging data, and no real data can be leaked. Because it didn't work in FileZilla, they didn't want to use it. Worked at another company that shuffled data between big name gyms & health insurance companies, it also used CSV files sent over FTP in all directions, to my dismay. CSV isn't even a well defined format, and you get all kinds of impedance mismatches with different delimiter & escaping mechanisms, character encodings, BOM, etc. Other companies will just give you a SQL user & let you go to town mining their database directly. I don't understand whats so difficult about making an API, but sometimes it seems like no one wants to do it. You can't push back too much or they will just see you as a problem & decide not to integrate with you.
Funnily, you're complaining about csv formatting, guess you never worked with ACH formatting. It's cobol fixed length files. I implemented parsing/creation for this file format at two different companies. Hired on at one company, first day, my manager said, "hey, you have experience with ACH right? we have this project...". That's when you learn to start leaving stuff off your resume.
You can do a lot worse than ACH. It's hard to read, but it's simple and pretty well-defined.
What _really_ sucks is one-off fixed-width formats that aren't well defined, or that change suddenly (oh, you thought that field would always be populated? lol no.)
Yeah, ACH is surprisingly not-unpleasant, at least relative to nightmares like X12 EDI with its implicit looping constructs and billions of companion guides that supercede random parts of the base spec.
X12 EDI, been there earned the badge, both on the generating and receiving sides. 837, 834, 835 and others in health care - fun! Positional format, with situational meaning... really it is a fascinating format.
i wrote the X12 EDI stuff for a major clearwater distributor... also wrote the ACH stuff that dumped someone a file and their job was to upload it via SFTP to the bank. so many badges.
What _really really_ sucks is well-defined, reasonable, meticulously documented formats where all in-the-wild implementations stray from the spec in different ways :-/
Previously I had no experience with ACH but my current project is essentially reverse engineering a very proprietary version of NACHA and another file that is 400 fields long. Honestly the current parser does work but I can only assume due to some black magic or other voodoo.
Every time someone complains about file formats I bring up a similar story. It's hard to believe fixed width files are still being used today. Parsing these kind of files with 45 million records, each 600+ bytes is a huge pain. I chuckle when I think about the first time I dealt with these files and thought I could open them in an editor...
> It's hard to believe fixed width files are still being used today. Parsing these kind of files with 45 million records, each 600+ bytes is a huge pain. I chuckle when I think about the first time I dealt with these files and thought I could open them in an editor...
Depending on the business-application, fixed-width formats are fantastic because they allow for genuine O(1) random-access to records without needing to precompute an index first. Writing parsers for fixed-width formats is also much simpler, for example, because it eliminates ambiguity around null-terminators vs length-prefix in text/string/array data - for resource-constrained environments it's great because you can guarantee you won't need to dynamically-allocate buffers. I feel the only real arguments against fixed-width records are concerned with wasted space - which are mitigated if your system lets you compress them somehow - because they'll typically compress very, very well.
> I feel the only real arguments against fixed-width records are concerned with wasted space
Sometimes, fields can turn out to be too short. I have received a few letters from business with my last name truncated, because somebody way back when decided eight or nine characters are definitely enough for a surname.
Ha! I wrote an editor for fixed length files, it lets you map to a cobol copybook, or create the layout manually. I never released it. Anyone interested?
If it works on Windows, I'd love to give it a try! Our ERP system is written in COBOL and I have to deal with fixed-width files all the time. Does it also handle REDEFINES and level 88?
Ugh, reminds me of the time I had to integrate with a bunch of school software. They used csv over ftp (no auth). You just had to connect to the server and get the personal information of a district's students. Worse is you could google the URLs... I built a system that solved the problem but left shortly after it began to be integrated nationwide.
ACH needs to die. Its a very old system, and you have no clue if a transfer ever actually goes through. Only ACH rejects ever get sent back, and there isn't a definitive window in which you'll get that reject.
Why it's there in the first place is fairly excusable. It (at least) halves the number of datagrams. Why people still resist it I'm not so sure about.
But on the other hand, it's a complicated architectural decision. US military wants absolutely reliable communications? They invent TCP which relies a lot on acks. Swedish telecom company wants fast and absolutely reliable communicating systems? Cue throw hands in air with a "there's no guarantees even with socks so better to simply never assume your message arrived and instead focus on detecting anomalous behaviour." They invent Erlang where there are no acks for messages.
The lack of acks is why most companies receiving money through ACH will "season" the transactions for a set amount of time. Most of the returns occur in the first 3 business days so most seasoning periods are just around that long. The reality is you can receive a reject up until (I believe) 60 days after the transaction date. I've seen a lot of companies be a little smarter here and reduce the seasoning times for repeat users using the same source bank account. It is a fascinating system to work with every day. Wire transfers are their own bundles of fun too.
Now I finally know why my credit-union (which serves the high-technology industry exclusively) told me that they couldn't put a hold or otherwise segregate any cheques I deposit until they've cleared... because they have no way of knowing when/if they've cleared!
It's 60 days, + some possibility of up to 2 extra days at the end for Fed Reserve holidays, and then in cases of outright fraud, occasionally banks will ignore the rules and return stuff later than that.
never mind that most "API" are JSON (or some such) delivered over (S)HTTP anyways.
But yes, anything but HTTP is "old". In large part because of corporate firewall rules that block anything but HTTP traffic (and more often than not filter even that traffic).
>Because it didn't work in FileZilla, they didn't want to use it
Sounds like they didn't need much if any of what you did. They wanted X and you gave them Y. Y would require them to change the way they worked. Did they need query capability? Seems like they didn't and SFTP would have suited them better.
Honestly sounds to me like you went for an overly complex solution where something simple would have done just fine.
Our company and their company have a common customer. Neither of us need each other we want to make our customer happy. Customer would be happiest with realtime data but company B wants to send snapshots via sftp. So I setup an endpoint that speaks sftp. They even told me to "do something" to make it secure. Then they complained I used a port other than 22 and that it only worked on the command line. It sounds like the problem is the other company doesn't want to do any work / wants to send the file manually. I don't see how I went for an overly complex solution. I attempted to do exactly what they asked and they moved the target so of course I missed. In fact it's this company that is just trying to avoid doing any programming. But that comes with the territory. I respect your opinion but disagree with you
But but rewrite all the things in node.js!! Don't worry about understanding the file format, which is well established, or what the users of the file are actually doing with it, also well established, the important thing is node.js!!!
Frankly once they hear it's node.js the users should be bowing down to worship!!!!
Actually I wanted him to make an https API for us to query real time data. I would have used PHP to consume his API because it's easier to find developers on our end and synchronous code is easier to maintain when performance is not a concern
How else do you suggest you standup a sftp that cannot leak data even if the password is compromised? I'm all ears. Node is a runtime by the way and huge in what regard? The Linux codebase is also large.
It is a system administration problem, not write a new software problem.
You:
a) think about the scope of the problem and what you are trying to achive - you are blocking reads of the files by the uid/gid of the server. It is a known and solved problem. The tool is called chmod
b) think about the surface area of the attack - it should only be the SFTP server. We have ones that are very well known. I recommend the one that comes with OpenSSH but there are others.
c) think about business requirements - user's provisioning etc. That has been a solved problem for years - for the super-complex cases LDAP is used. For the simpler ones you can use PAM.
After thinking about that you just write the needed glue.
Seconding what kalleboo said, setting directory permissions has been a staple of file-sharing for decades. Setting up a node server to block read-access seems incredibly byzantine.
Good point but we also have to load balance this / have failover and provision users on the fly. I could have used messaging queues to provision PAM users on the whole cluster and this guy would have still complained because I used a non standard port. Not sure why that was a problem either but again we can't press back or question him. he would cancel the whole integration. Bottom line is our end user wanted real time data (presumably via an API)
A lot of FTP servers have provisions to essentially "ignore" the user and proxy into the directory. As far as load balancing is concerned, most FTP servers can handle very high throughput because of the simplicity of the protocol. If you really did want to load balance it, haproxy can do that just fine.
> we can't press back or question him. he would cancel the whole integration
This attitude will not serve you well. There's saying no, and then there's getting more information (requirements!?!) to then guide people to better decisions.
First thing that comes to my mind is a PAM plugin that generates a new root directory for the user when they log in, named something sane under a fixed hierarchy. A recursive walk can later pick them all up and clean up.
Reminds me of a time when I had to implement a parser for a certain kind of file to transfer money using an "API" provided by a financial institution in Asia. Yes we are using CSV too, also sent over SFTP. The file format is, unsurprisingly, ill-defined.
Yeah I added that but the particular node sftp implementation I used from github just simply didn't work with FileZilla. Only the command line. Don't know why.
Sure I don't care who wrote it if it works and passes our code review and the license matches. Plenty of crap software comes out of big name companies and plenty of random people on the street can write good code.
If you have no other alternative and can’t take the time to write it for yourself, and need something now, sure, go nuts and take something random off Github, PyPI, npm, or whatever.
But code that does not have upstream development and support is dead code. A piece of code in production is like an Internet connection or electrical or water hookup – it must be, so to speak, “connected” upstream to whoever is providing continuous upgrades and security/bug fixes. Otherwise, it is (to continue stretching the analogy) like a mystery battery or water barrel – it could go bad in many ways at any time and you wouldn’t know it until your equipment starts to fail because of low voltage or voltage spikes, or you start to die of legionnaires’ disease. And unlike a battery or water, there are only cursory, no good and thorough, ways to test their quality, and no way to test their age as measured by the way they interact with the ever-changing outside world.
I've always been overly eager to add dependencies to projects and while I know why it may not be good I was missing a good intuitive sense of why. This is such a good way to view it. Thanks!
Apparently, back in the days before ACH, banks met up at a parking lot in NYC every night and literally exchanged bags of paper checks.
There was a proposal build something better than ACH, but it was denied because the cost to upgrade the infrastructure would cost too much for small banks and credit unions.
I worked on the ACH system at the Federal Reserve Bank. When you're getting multi-gigabyte files from the Social Security Service daily that have many millions of transactions in them, you appreciate the NACHA format's compactness (~100 bytes each tx). We never transmitted files on insecure protocols like FTP, though.
I've worked on a similar system running on plain FTP (wasn't SFTP created just in something like 2000? So that it wouldn't have been an option back when the system was created) but it had no obvious security flaws because of this - all the FTP handled was the exchange of encrypted&signed files with encrypted&signed ACK messages, the same system might have been run over something like plain email.
Just sharing mine. My company customer consist of major international financial establishment.
As some simply can't go with certain open source project due to compliance, we settled with Tectia SSH[1]. Similar story with VPN and other security-related stuff.
Everything is SFTP with them. Even API json response lol
They mention that other regions' inter-bank money-transfer systems (e.g. the EU's) have been sped up to be same-day, or in some cases nearly instantaneous. The US ACH system lags behind, due to the sheer number of institutions that would be involved in a modernization effort. (There are a lot more US banks than there are UK/French/Canadian/Australian/etc. banks; I think in part because a bank that operates in 50 states is technically—and legally—50 banks, and each one maintains its own ACH infrastructure?)
The number of banks in the U.S. is a legacy of President Jackson, who campaigned (and won) against rechartering the Second Bank of the United States
https://en.wikipedia.org/wiki/Bank_War
From the founding until President Jackson's administration, debate about the extent of Federal power largely revolved around the legitimacy of a national bank. Long story short, the state sovereignty proponents won. And until very recently that victory stuck, even after the Civil War, the institution of the Federal Reserve, and the expansion of Commerce Clause powers. You didn't see any federally chartered banks until the Federal Credit Union Act of 1934, but there weren't any federally chartered banks which challenged the predominance of state chartered banks until the 1980s.
In general, and until very recently, Congress has abstained from directly regulating the banking industry. AFAIU, banks are subject to Federal law primarily indirectly via regulations promulgated by the Federal Reserve. But the Federal Reserve system is opt-in, and many smaller banks contract with larger banks to leverage the Federal Reserve transactional systems, and are therefore for the most part not subject to those rules.
It's all rather ironic because banking was one of the few areas of national commerce that was clearly contemplated to fall under federal regulatory powers, to some extent, during the time of the Constitution. Though opposed by Jefferson and Madison, the First National Bank was chartered in 1791. Yet now that federal powers have expanded to encompass every aspect of commerce, the legacy of the failure of the Second National Bank remains incredibly strong.
The NPR story touches on the real reason it won't be upgraded - because it would cannibalize the $30/transaction revenue banks get from wire transfers.
Seems like they wouldn't need to involve everyone. Just make it semantically similar to ACH, but for some institutions clear through the new infrastructure. Even a few banks forming a coalition would be enough to make it worthwhile.
It needs to involve everyone because the only way to get there is to force them, and forcing only some of banks is kind of unfair.
E.g. the EU got there by legal limits on transaction settlement time set by the first payment services directive, the infrastructure came into place only when the banks got the message that they have to improve the product or else (IIRC the law specified that after a couple years, customers would be entitled to compensation if their payments were "too slow"). Without the requirements, EU banks would still be happy to charge 10 eur for a 3 day payment, since that's obviously more profitable than charging cents or zero for same day payments, even if the payments would be running over fast&cheap infrastructure - case in point, UK banks, which charge extreme fees for EU EUR payments simply because they, as a non-EUR country, aren't forbidden by the EU to do so.
The problem is that no businesses want to spend money to fix something that isn’t broken. It’s the reason XP (or earlier!) is/are still around; “Why should we spend money updating to Windows 7 when 2000 works just fine?”
1/ See people encounter how these things work, because there's usually a sense of lost innocence about it. (If they stick around long enough they come to understand that dealing with hundreds of years of history is why glib "re-imagine everything" solutions tend to come a cropper).
2/ Continually discover that by the standards of the rest of the world, US banking is even more like banging rocks together.
Faster payments was able to work because the UK gov forced them to do it. The UK has the advantage of having a few very large banks (unlike the US that had around 15,000 different banks). The government was able to get the dozen or so banks to work together and get same day ACH working.
It's also a "push" system (and not a "pull" system like ACH) which has serious advantages -- you can send money to anyone given their sort code and account number, and those numbers do not need to be kept private.
With ACH if you have someone's routing number and account number you can pull money from their account without them needing to authorise it.
In the UK there is also a 'pull' system (Direct Debit) in which you instruct your bank that a given third party can regularly take money out of your account until further notice.
It's commonplace for bill payments, subscription services, etc.
It's not, SFTP is a binary protocol using SSH as transport layer. FTPS is plain old FTP over SSL/TLS. They're completely different protocols that have nothing in common except being used to transfer files.
The SSH file transfer protocol (chronologically the second of the two protocols abbreviated SFTP) transfers files and has a similar command set for users, but uses the Secure Shell protocol (SSH) to transfer files. Unlike FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted openly over the network. It cannot interoperate with FTP software.
This suggestion this term chronologically the second of the two protocols abbreviated SFTP is duplicitous.
Well regarding "TSL" I'm sure you mean TLS, and it's not just an alternative to SSL, it's an evolution to SSL. SSL nowadays is considered insecure and everything is using TLS.
About the SFTP vs FTPS, SFTP is a completely new protocol based on SSH. FTPS is the plain old FTP wrapped in a TLS/SSL socket.
If that is the case please explain the following scenario.
I wrote an editor that had FTP capabilities but it was based on the FTP RFC 913 specification using nothing but plain old sockets.
As a result, many user loved the FTP feature, but they asked for a version that would work over the SFTP protocol.
So I implemented an SFTP version of that editor by using OpenSLL to create a SSL socket. The editor just created a secure socket, but used the exact same FTP RFC 913 specification to talk to the server using that socket.
Ever user who asked for this change reported that it now worked perfectly with their SFTP (not TLS) server.
So how is that possible that my editor could implement the SFTP protocol with just a change to the way the socket was opened?
PS: If you don't believe me, you can trial that exact same SFTP (OpenSSL) editor from the link below and I'm pretty sure you'll find it still works with an SFTP server: http://www.zeusedit.com/download.html
Maybe your customer mistook their SFTP server for an FTPS server? I'm afraid I don't have a Windows machine to test your software on, but if you're curious I encourage you to set up an SSH server like OpenSSH (which provides SFTP as well) and try with that. I'd be really surprised if your FTPS implementation managed to work with it (unless OpenSSH's SFTP implements an FTPS fallback).
For us and our bank it's gpg encrypted and then transferred over SFTP.
Sure, the ACH file format is sort of sucky, but it's not like it's difficult. The lack of an ACK is super awful tho. Payroll has to call in 20m after sending to verify.
TLS is the only widely deployed standard cryptographic protocol which has ever protected any internet communication to any degree. For its many flaws and patchwork, there is nothing even competing in the category.
Yes. In my experience FTPS is a whole bucket of nope. I've never encountered a situation where we couldn't use SFTP.
The only time I've had FTPS work 'well' is when the client & server were both written by the same company (Tumbleweed) and they don't follow the RFC exactly.
It doesn't matter if the connection is secured if the data itself is not secured. Transport security is a red herring in a complex system.
If you are driving a car at 70mph around a mountain pass, even a really strong guard rail leaves the possibility that you could plummet ten thousand feet to your death. If, on the other hand, you were driving on the Bonneville salt flats at 45mph, there is much, much less danger.
Having spent a few years at a large energy company, I got quite used to the use of FTP servers to exchange--what else--csv files with data. And is a uploading/downloading a file to/from some ftp server really that different from POST/GETing an object to/from some REST service?
Some major news/market information provider solely made their data available to us through ftp. And used Amazon SNS to push a notification that something new is available on that ftp.
I used a SOAP service once, which had a single string-typed element. In that element went some XML, encoded as an XML string. I found out later that the original version used FTP drops, and all they did is wrap the FTP'd file as a string in the SOAP request.
So no, sometimes there's very little difference between the two. FTP is just another way to send data over a network. I mean, you could even write a custom FTP server that read the file directly into processing instead of dropping it on a file system and reading it from there in some other process.
I've implanted ACH file format and, worse, FedWire BAI2 file parsing… it's absolutely archaic. The worst part is that various partner banks will have differently erroneous variations of their implementation of the BAI2 spec… so we had to intentionally code buggy version to match the bugs they had on the other side… ridiculous.
FWIW, Swift (the company behind the interbank payment system) has been developing and pushing ISO 20012 as an XML-based long term replacement for their Swift message format, though it's not designed as a replacement for ACH.
For that, there was HBCI years ago (also XML); don't know if it's used much still.
There are several companies that provide an API on top of ACH. I work for one[1]. For high volume ACH (like a payroll company) it's usually cheaper to go through an API provider than it is to go directly through the bank. I'm not exactly sure why. Maybe because we handle technical support? We also have better reporting.
One of the challenges for banks is that there is an oligopoly on the software that runs the bank. There are 4 companies that provide the "core banking" software to most of the banks in the USA. The banks get stuck providing you with whatever services one of these four pieces of software is capable of.
From my experience it's extremely rare even for large companies to directly deal with ODFIs.
Typically there's AT LEAST one intermediary payment processor (like Chase Paymentech) involved in the TX.
The downside to this is merchant has to register with multiple processing entities but things like "send and forget" APIs (so no need to batch things manually) - which makes it easy to combine ACH and CC payment acceptance in the same system, reporting/reconciliation, out of the box UI merchant can use to look up transactions etc etc outweigh that inconvenience.
Our pricing is typically in the range of $.05-$.35 flat fee per transaction depending on various factors. The main one being your monthly transaction volume. We have a monthly minimum of $250.
We never charge basis points but places that do might make more sense for people who have low volume and low dollar amount transactions. I would say a lot of brick and mortar businesses fall into this category.
While "part 1" of this series says "FTP" (implying plain-text/unencrypted data), "part 2" [0] and "part 3" [1] both say "SFTP". This is "more correct", in my experience, as encryption is pretty much always used nowadays.
The exciting thing about all these crypto currencies to me, is that banks could roll their own private "exchange" currency to do near real time transfers to any other bank / account.
> banks could roll their own private "exchange" currency to do near real time transfers to any other bank
If only US banks already had access to some sort of shared currency they could use for such transfers!
Snark aside, this just seems like a horrible use for a crypto currency. Block chains are an interesting tool to solve a lack of trust when you're willing to give up some speed and convenience. Banks have full trust in themselves, the central banks, and the clearing houses that make the financial system work; they just need to update their systems to be faster.
When your problem is that you have trust and need speed, a solution which sacrifices speed to work in situations where you don't have trust is probably not a good option.
No bank has full trust of any other entity. It's not black and white. They use ratings (either Standard and Poor's or others) to determine the risk involved in a liability. Even the U.S. Government has a certain amount of risk.
>>>No bank has full trust of any other entity. It's not black and white.
Banks basically have full trust in each other and central banks, actually (for these kind of transactions, not investments or whatever). If you're a bank and you fuck up to the degree where you don't properly handle ACH and other transactions, guess what happens: you're no longer a bank, the government swoops in and takes over, and everything gets sorted out and you go to jail.
> No bank has full trust of any other entity. It's not black and white.
For interbank transfers, it is. That's simply how the financial system works.
> They use ratings (either Standard and Poor's or others) to determine the risk involved in a liability.
No. The reason why your $50 ACH transfer to your cousin takes so long to clear isn't that recipient bank is checking Standard and Poor's to see if Wachovia is good for it.
I dont understand why people hype up cryptocurrency for this purpose. The whole reason for existence of cryptocurrency is a way to achieve consensus without having a real central authority.
What's wrong with having the bank as a central authority in their own banking system?
I was referring to transfers between banks. I believe currently they go through the Federal Reserve in batches. A more distributed system could allow banks to transfer directly to/from each other in near real time.
Yup, most of the modern business world works by FTPing CSV files all over the place. Usually there is security in there somewhere. Sometimes it's XML. JSON? Maybe in 2030 or so.
>At Gusto, we rely heavily on the ACH network. For example, when a company runs payroll, we’ll use the ACH network to debit the company’s account to fund their employee’s pay. Once we’ve received these funds from the company, we’ll again use the ACH network to initiate credits into each of the employee’s accounts to pay them for their hard work.
Can you use ACH to initiate a transfer between two (third) parties (i.e. you not being one of them)? If not, what are the requirements to be a broker / escrow in between them?
> Can you use ACH to initiate a transfer between two (third) parties (i.e. you not being one of them)?
No, the closest you could come is what you quoted. You could issue the debit & credit actions together, but you'd be taking on the risk that the debit fails and the credit succeeds, leaving you short.
> If not, what are the requirements to be a broker / escrow in between them?
The Federal Reserve is the entity that is between all inter-bank ACH transactions. Essentially US banks hold an account with the Federal Reserve. When they send ACH payments for their customers, their Fed account is debited (and the other bank is credited). When they receive ACH payments for their customers, their Fed account is credited (and the other bank is debited).
Going from the UK to the US was like stepping back in time when it came to banking. I remember complaining about some aspects of UK banking - it's going to take a day for my transfer to complete!?! Now we have faster payments in the UK which complete in hours at most.
Meanwhile in the US I still had to pay my rent with a physical check because that was easier than figuring out the weird 'pay anyone' implementation my bank had.
> An addendum to the ACH protocol to support same-day ACH settlement is something that is almost unanimously desired by the ACH community. The good news is that NACHA, the governing organization behind ACH, has recently announced plans to roll out a same-day ACH protocol. The challenge is coordinating the adoption of the new protocol across all participating banks. Once fully implemented, the same-day ACH system would likely cut one day from the timelines outlined here.
This is why we need to provide better regulations for adapting better blockchain technologies in various industry sectors including this, banking. Also it's another away of sharing and saving infrastructure costs for bankings while providing better security than traditional banking systems like ACH. Perhaps ACH can be written in smart contract in safer way with security.
It's still plenty archaic, but takes the headline's shock value down a small peg[1].
[0] It adds a mental pause -- a Secure ... FTP server. It hints that, possibly, it's a reference to a different aspect of the server's security (a non-technical person might refer to a server as being a "secure" server simply because it's protected by an ID and password, for instance).
[1] Based on my personal interaction with banks and software, as well as several friends who had previously been members of a few banks' IT departments, my first -- very sarcastic thought -- was "of course it works that way!"