
Please, stop cringing. I work in this field. It's secure, I upload the file to the bank's SFTP, yes, Secure FTP. And the NACHA file is PGP encrypted with the bank's public key. Firewalls are in place, the bank only opens up to a specific host within our network and denies everyone access. We open up a port for only the transferring host to the bank's SFTP. Their SFTP is not a regular SFTP that you can just browse. They have a folder with -wx permission. You can cd into it, place a file but you can't read it. Stop cringing. Banks are not that incompetent.


I used to work for an ACH organization in security, as the guy who set up the credentials, submitted the firewall changes, configured the FTP server, created the PGP keys, troubleshot connectivity, you name it, all this. I know too much about the subject and I would say "it's been 5 years I'm sure they have made it better" but after spending those years there, I know that statement is false.

To say it's secure is a stretch, to say it's completely unsecure is also inaccurate. There were multiple improvements I recommended to the service, but I think I only got 1 or 2 approved. Let's just say this, the front door is secure, but once you're inside, it's not so great. It's not incompetency, it's just we (the security guys) are always fighting an uphill battle against change.

Also, I could tell you worse stories about other services all the banks use that would make anyone cringe worse than this, some simple cross bank privilege escalation, oh yeah and the developers said that's not really going to happen... I resigned within a month of that.


I have no doubt this is true of many organisations.

As the client, though - we uploaded via SFTP, the connections were IP restricted and the files were PGP encrypted.

I know that doesn't address what happens after we send the bank the file - but that's not our concern, right?


Access to the FTP servers is IP restricted and everything is encrypted in transit and at rest on the server via PGP. In my organization the transfers were via FTPS not SFTP, big distinction, the FTPS implementations can be not as secure by default as SFTP. But yes, once it's on the ACH processor's servers it's their responsibility and not your compliance issue. They will pass an audit, but from a security point of view, they could do it better in a few areas.


(throwaway account) We had to get/put data to a bank. Our software architect suggested FTP. He even knew we had fancy XML gateways to enforce security and validation. WHY?!?

Other story: I've had access to an FTP server which also served as a way to submit JCL at an escalated privilege to an IBM server!

Mostly "enterprise" security is a joke; it depends on the people not the technology.


I used to work in this field as well... it's laugh-out-loud insecure.


Thank you. If it's SFTP, then it's a different beast and that changes a lot.

Yes, I know the difference between FTP and SFTP. In this case the technical details are important: SFTP is effectively a bolt-on file transfer protocol which requires an already established (authenticated) connection. It is most easily used with SSH, but as far as I recall, it could be implemented to work from any protocol that has the concept of a session. (And if my memory serves me right, SILC implemented it as a logical replacement for DCC.)

The other security measures you list also make me feel better. From other posters I have already learned that NACHA transfers have an integrity check file which may be, in some systems, ignored. If the files are indeed PGP encrypted, then that may be less of an issue. The message integrity checks in PGP are certainly robust. :) [Corruption-in-transit becomes a moot point, and the same applies for route hijacking.]

I give you wholehearted thanks, and want to offer an apology for my earlier tone. However, I still have a reason to cringe.

Just let me cringe at the article author instead.


I realize the article didn't say SFTP, but that couldn't be gathered from "secure FTP," as that's precisely what SFTP means?


SFTP is SSH File Transfer Protocol, and is actually its own protocol (not FTP over SSH).

There's also FTPS, which is FTP with TLS. That's closer to "secure FTP," but as @segmondy pointed out, this isn't what they use.

When I read it I thought the author was claiming plain FTP was secure too.
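Added example, not part of any comment in this thread: a small Python check for telling the protocols discussed above apart from what a server you operate actually sends on connect. The sample banners are constructed, the function names and return labels are assumptions of this example, and `AUTH TLS` with a `234` reply is the explicit-FTPS upgrade from RFC 4217.

```python
import socket

def final_code(reply: bytes) -> bytes:
    """3-digit code of the last complete line of an FTP reply (multi-line aware)."""
    for line in reversed(reply.split(b"\r\n")):
        if line[:3].isdigit() and line[3:4] == b" ":
            return line[:3]
    return b""

def classify(greeting: bytes, auth_tls_reply: bytes = b"") -> str:
    """Label an endpoint from its greeting and, for FTP, its answer to AUTH TLS."""
    if any(l.startswith(b"SSH-") for l in greeting.split(b"\r\n")):
        return "ssh"            # SFTP runs as a subsystem inside this session
    if final_code(greeting) == b"220":
        if final_code(auth_tls_reply) == b"234":
            return "ftps-explicit"   # control channel can be upgraded to TLS
        return "ftp-plaintext"       # credentials and data would cross in clear
    if not greeting:
        return "no-banner"      # e.g. implicit TLS, server waits for ClientHello
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to your own endpoint, read the greeting, try AUTH TLS if it is FTP."""
    greeting, reply = b"", b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while not (b"SSH-" in greeting or final_code(greeting)):
                chunk = s.recv(1024)
                if not chunk:
                    break
                greeting += chunk
            if final_code(greeting) == b"220":
                s.sendall(b"AUTH TLS\r\n")
                reply = s.recv(1024)
        except socket.timeout:
            pass  # silent server: classify whatever was read
    return classify(greeting, reply)

# Constructed sample transcripts (not captured from any real bank)
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
FTP_GREETING = b"220-Constructed drop server\r\n220 Ready\r\n"
AUTH_OK = b"234 Proceed with negotiation\r\n"
AUTH_NO = b"502 Command not implemented\r\n"
```
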


I understand the difference, yet the term "Secure FTP" is most often used to refer to SFTP and not FTPS, in my experience.

From Wikipedia (http://en.wikipedia.org/wiki/File_Transfer_Protocol#Secure_F...) "The SSH file transfer protocol or secure FTP (SFTP)..."

Multiple Google searches also yielded similar language.


All of the banks I deal with use FTPS (which is called "secure" ftp). I have yet to deal with one that uses SFTP (ssh-ftp).

http://www.differencebetween.net/technology/internet/differe...



