A US government report has criticised security on Federal Reserve banks' computer systems and networks.
The Government Accountability Office (GAO) produced the report on the systems that sell Treasury notes at auctions on Thursday.
Addressed to Federal Reserve System chairman Ben Bernanke, the GAO said the dozen Federal Reserve banks that serve as fiscal agents for the Treasury Department's Bureau of the Public Debt had failed to implement adequate security controls to support networks used in Treasury actions.
An in-depth review of these systems done between March and May this year revealed several shortcomings the Fed should address, in the areas of user authentication, authorised access, and protection of sensitive data through encryption.
"Without proper safeguards, the speed and accessibility that create the enormous benefits of the computer age may allow individuals and groups with malicious intent to gain unauthorised access to systems and use the access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other sites," warned the GAO in its report entitled Federal Reserve Needs to Address Treasury Auction Systems.
According to the report, the Federal Reserve banks processed $4.5 trillion in issuances, about $4.2 trillion in redemptions and about $128 billion in interest payments during fiscal year 2005, largely by using a number of online applications, some web-based.
The Federal Reserve bank networks provide access on a distributed basis to Treasury mainframe applications for auctions. One application is said to be used by about 670 users via the Internet while other applications serve 22 brokers and dealers at competitive auctions, who connect to it via workstations installed in the dealers' offices by the Federal Reserve banks.
According to the GAO, security weaknesses associated with the networks and applications include: a failure to consistently identify and authenticate users to prevent unauthorised access, failure to restrict user privileges to necessary and appropriate access, lack of strong encryption to protect sensitive data in storage and on networks, and inadequate log and audit monitoring or maintaining secure configurations on servers and workstations.
"Key servers and Federal Reserve bank workstations were missing patches that could prevent an attacker from gaining remote access," the report said. "In addition, the Federal reserve banks were running a database management system and network devices that were no longer supported by the vendor."
The GAO will supply the Fed with specific recommendations to address security weaknesses.