[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[NEWS] Crypto-relevant wire clippings
- To: [email protected]
- Subject: [NEWS] Crypto-relevant wire clippings
- From: [email protected] (Dr.Dimitri Vulis KOTM)
- Date: Mon, 30 Sep 96 12:57:18 EDT
- Comments: Dole/Kemp '96!
- Organization: Brighton Beach Boardwalk BBS, Forest Hills, N.Y.
- Sender: [email protected]
New York Times: Thursday, September 26, 1996
Potential Flaw Seen In Cash Card Security
By John Markoff
A potential security flaw has been discovered that might make it possible to
counterfeit many types of the electronic-cash ``smart cards'' that are now
widely used in Europe and are being tested in this country by banks and
credit card companies - including Visa and Mastercard.
The types of smart cards that are potentially at risk include the kinds
already employed in the Mondex cash card system and others used by European
consumers.
A cash card from Visa International Inc. was demonstrated in a highly
publicized trial at last summer's Olympic Games in Atlanta. Chase Manhattan
Corp.; Citibank, a unit of Citicorp, Mastercard International Inc., and Visa
plan a test this year with 50,000 customers in New York City.
Touted as the key to the cashless society of the near future, smart cards
are credit card-sized packets that contain a microprocessor chip and a small
amount of computer memory for storing bits of electronic information that
represent money. At businesses equipped with the computerized devices that
accept smart-card payments, the cards are supposed to be as good as cash -
and as vulnerable to theft or loss as a $100 bill.
But the cards have been promoted as tamper-proof, which is why computer
scientists at Bell Communications Research, one of the nation's leading
information-technology laboratories, are now sounding the alarm, saying that
a sophisticated criminal might be able to tweak a smart-card chip to make a
counterfeit copy of the monetary value on a legitimate card.
``If you're deploying these smart-card devices in a business or government
electronic-payment system, then I think you need to look carefully at their
actual security,'' said Richard Lipton, chief scientist at Bell
Communications and a professor of computer science at Princeton University.
Lipton and two colleagues at Bell Communications Research - or Bellcore -
are about to publish a research paper on the potential smart-card flaw,
which they recently discovered through theoretical research on the
technology. No smart-card counterfeiting has been discovered yet, but Lipton
and his team believe that such crimes are inevitable unless the technology
is redesigned. The researchers have also been quietly notifiying the seven
regional Bell telephone companies that jointly own Bellcore about their
discovery. Bell companies including US West, and long-distance companies,
including AT&T Corp., have been planning to market smart cards as a secure
way to pay for long-distance calls without entering credit card numbers or
generating the audit-trail of a phone bill.
Despite the Bellcore warning, not all executives at companies using smart
cards consider the theoretical threat a real danger.
``This is very speculative,'' said Chris Jarman, vice president of chip card
technology at Mastercard, who had seen a draft of the Bellcore research
paper. ``I have yet to see a smart-card scheme with a vulnerability,''
Jarman said.
And even some industry executives, who said it was conceivable that
individual smart cards might be at risk, contended that the vulnerability
was not a threat to smart-card technology in general - any more than the
occasional passing of a counterfeit $20 bill undermines the U.S. currency
system.
``This is a significant event but it doesn't blow the industry apart,'' said
William Barr, vice president of the Smart Card Forum, a trade organization
of 230 U.S. companies and government agencies. Still, Barr conceded, ``this
approach offers some ability to mount attacks that have not been
anticipated.''
The Bellcore researchers, however, consider the potential flaw significant
because it could short-circuit the data-scrambling software contained in
many types of smart cards. The software is used to protect the card's secret
code, which is designed to prevent counterfeiting.
In theory, at least, the Bellcore researchers said that a smart card's
security could be breached by forcing the microchip in the card to make a
calculation error. This could be done in a number of ways, the researchers
said, whether through sophisticated means like bombarding the card with
radiation or perhaps cruder methods like placing it in a microwave oven.
Once the card can be forced to make even a small calculating error, the
researchers said that a mathematical formula they derived could use this
error to extrapolate the secret data that authenticates the card when it is
inserted in a merchant's card reader.
The researchers suggested that in any system where it was possible to know
about a calculation error it might be possible to exploit this newly
discovered vulnerability. The Bellcore team is conducting further research
into this possibility.
``These systems tend to have a fragile behavior,'' said another of the
researchers, Richard A. DeMillo, who is vice president for information
technology at Bellcore. ``Our technique is like tiny lever that makes it
possible to pry open the vault that the secret information is stored in.''
U. S. Banker: Thursday, September 26, 1996
Mondex gets Cold, Hard Cash
By Joseph Radigan
The $ 119 million that National Westminster Bank plc and Midland bank plc
raised this summer to fund their Mondex smart card program should provide at
least some the capital they'll need to increase its acceptance.
The capital was raised in conjunction with Mondex's spinoff from the two
British banks that created the program as a joint venture five years ago.
The new setup is being called "Mondex International," and besides NatWest
and midland, which now hold minority stakes, it includes 15 other
shareholding banks. One of them is Hongkong and Shanghai Banking Corp.,
which like Midland is owned by HSBC Group of London. In the U.S., Wells
Fargo & Co. and AT&T Corp.'s Universal Card Services Group paid a combined $
46.5 million for their 30% stake. The other investors include major banks in
Canada, australia and New Zealand. Another 23.5% remains to be sold for
roughly $ 1.5 million for each 1% interest.
Not all the new funds are going toward Mondex's future development. Some
will be used to compensate NatWest for the costs it incurred in leading the
original research and development.
NatWest's Michael Keegan became Mondex's chief executive as part of the
restructuring, replacing Tim Jones, a fellow NatWest executive who had been
Mondex's CEO through its startup phase. Jones is returning to NatWest as the
managing director for the London bank's electronic commerce group and will
keep a seat on the card association's board.
David Mills, who runs Midland Bank's retail banking business will stay on as
chairman of Mondex International, but he also has a seat on the board of
MasterCard's European affiliate, Europay. These two card associations, in
conjunction with Visa, are backing a smart card program that rivals
Mondex's. But Keegan says that this does not pose a conflict of interest. As
in the American credit card business, where banks are free to issue both
MasterCard and Visa, Keegan foresees a future in which Mondex members will
issue both Mondex and Europay smart cards.
Now that Mondex is in the process of collecting the financial fuel it will
need to fund its growth, the smart card organization's future revenue will
come mostly from annual dues paid by member banks, Keegan says. The
per-transaction interchange fee that supplies MasterCard and Visa with most
of their annual revenue is not practical for the low-value payments for
which smart cards are intended. Imposing a transaction fee on these would
make the system impractical. In addition, because Mondex attempts to
electronically mimic currency, most transactions will not settle through a
captive payments clearing system. The only settlement will take place on an
end-of-day basis when merchants or customers redeem their Mondex value at
their local banks.
San Francisco Chronicle: Thursday, September 26, 1996
Hundreds of Companies Have Smart Card Systems
By Laura Castaneda
The smart money is on smart cards -- even though most consumers have yet to
lay a finger on them.
Valerie Baptiste is one exception. The Wells Fargo secretary is
participating in a company experiment that lets her make purchases at 22 San
Francisco shops with a smart card.
Resembling credit cards, smart cards are embedded with computer chips. They
can store cash and other data such as medical history and credit
information.
''A big advantage is the convenience of not having to fumble around in my
purse for cash,'' said Baptiste as she was buying juice at The Wildflower
Cafe.
Hundreds of companies besides Wells Fargo, including several in the Bay
Area, have launched smart card pilot programs to try and cash in on the
cashless society of the future.
Getting merchants and customers to accept and use a new form of payment
won't happen overnight. But experts believe the widespread acceptance of
smart cards is inevitable.
''I'm confident that the push will be on to make it happen because there are
so many powerful entities interested in seeing cash go away,'' said Bruce
Brittain of Brittain Associates in Atlanta, a consumer behavior research
firm.
David Poe, a director of Edgar Dunn & Co. in San Francisco, a management
consulting firm that specializes in new product development, agreed. ''I
think (smart card use) is going to be evolutionary as opposed to
revolutionary,'' he said.
Entities that want to cut down on the use of cash include big banks, credit
card issuers, universities and the U.S. government. Why? Smart cards can
save the cost of collecting, counting, securing and transferring cash.
Most pilot programs feature smart cards that simply store cash, usually up
to $ 20. The amount of each purchase is electronically deducted from the
card at the point-of-sale.
These kinds of smart cards are ideal for smaller transactions like parking,
lunches, dry cleaning, convenience stores, vending machines and fast food.
However, smart card technology is almost limitless. Combining computer chips
and magnetic stripes allows a single card to be used as a cash, credit,
debit and ATM card.
Among the pilot programs in place:
* Bank of America and Visa International are experimenting with
employee-only stored value smart cards for purchases from company cafeterias
and vending machines and some outside merchants.
* Ohio and Wyoming plan to start using smart cards for food stamp and
nutrition programs, and the U.S. Department of Defense is testing a
multiapplication smart card at military bases in Hawaii.
* The Washington, D.C., transit system plans to implement smart card
technology for fares, and the Metropolitan Transit Commission, which serves
25 Bay Area transit services, is also considering launching smart card
technology in about two years.
* The University of Michigan, Western Michigan University, Washington
University, the University of Minnesota, the University of North Carolina,
Florida University and the University of San Francisco have smart cards for
on- and off-campus in cafeterias, bookstores and restaurants.
Smart cards are already widely used overseas. In Germany, more than 80
million people have been issued smart cards containing health insurance
information.
The potential market is huge, with more than half a billion smart cards
expected to be in use worldwide by the year 2000, according to the Smart
Card Forum, a group dedicated to accelerating the widespread acceptance of
smart cards.
A Smart Card Forum poll found that almost two-thirds of respondents see
smart cards as a convenient option for carrying important personal
information, and 40 percent would prefer to use the cards instead of cash
for everyday purchases.
Another Smart Card Forum survey found that retailers see various benefits
such as gathering customer information, offering loyalty or ''frequent
shopper'' programs and electronic ticketing and couponing.
Despite high expectations, smart cards have a long way to go before they
become as popular as ATM cards.
Critics of smart cards, worried about privacy issues, liken the card's
ability to track a consumer's every purchase to Big Brother in George
Orwell's novel ''1984.''
There is also the classic ''chicken and egg'' problem: Merchants don't want
to spend the money for smart card equipment until they're in widespread use,
while consumers don't want to use smart cards until more merchants accept
them.
''It's going to be a tough sell for consumers,'' said Rob Palmer, owner of
The Wildflower Cafe, which has participated in the Wells Fargo pilot program
for about a year. ''Cash is very convenient.''
Palmer agreed to participate in the experiment because it was free. But he
said it may not be worth paying for later because smart card business only
accounts for about 2 percent of his transactions.
It costs about $ 500 per unit for a point-of-service terminal capable of
processing smart cards. It's unclear whether banks or merchants will
ultimately foot the bill. Many new debit and credit card terminals are also
incorporating smart-card capabilities.
The Smart Card Forum estimates that it costs 80 cents to $ 15 to manufacture
a card, depending on the size of the chip. Right now, banks and card issuers
are paying for the cards.
Eventually retailers could sell their own affinity cards.
Today, some cards can only be used once, others can be reloaded with more
cash. To be cost-effective, though, most people think they cards will have
to be reloadable and have more than one use.
To succeed, smart cards will have to offer clear benefits to merchants (such
as loyalty programs that generate repeat business) and to consumers (such as
discounts or special promotions).
The cash-only cards do not have any security features, so if you lose one,
it's easy for someone else to spend your money.
Cards that also have personal information will need to have security
features such as ''encryption,'' or electronic scrambling that protect
against unauthorized use.
In fact, a survey of the world's 10 largest central banks released earlier
this month by a task force of computer and security experts found that
security measures now used with electronic money are adequate to protect
consumers from fraud.
Companies are also starting to look at other smart card applications.
Microsoft Corp. is working with several other companies to develop open
standards that integrate smart cards with computers, so that you could
transfer money from your checking account onto a smart card using your PC.
The smart cards also could be used make purchases over the Internet. Many
people are afraid to use credit cards to buy things over the Internet
because they're afraid their account numbers will get stolen.
Yesterday, Mondex International Ltd. and CyberCash, Inc. announced an
agreement to produce smart cards that will let consumers purchase goods over
the Internet and download and transfer funds.
In 1998 Wells Fargo plans to roll out a multipurpose card made by Mondex
that will let people transfer money from their accounts to smart cards via
computer.
Such smart card technology will be like ''having an ATM in your own home,''
said Janet Hartung Crane, senior vice president for Wells Fargo.
American Banker: Thursday, September 26, 1996
Checkfree Sees On-Line Banking Tripling in 1997
By JENNIFER KINGSON BLOOM
Peter J. Kight, chief executive officer of Checkfree Corp., makes two
predictions about on-line banking.
He says that 1996 will be remembered as the year banks learned the power of
the technology, and that the number of consumers banking through electronic
channels will more than triple in 1997.
The statements carry more weight than they would have a year ago, because
Mr. Kight's company has transformed itself into a formidable force in the
interactive banking market.
Once known primarily as a processor of electronic bill payments, Checkfree
has acquired four companies this year, giving it a soup-to-nuts line of
electronic banking products and services. Behind the acquisitions lies Mr.
Kight's vision of banking's future. "Every major bank in the country will be
in the market with an electronic banking product within the next 18 months,"
Mr. Kight said. "It's following exactly the same curve as credit cards."
For Mr. Kight, these developments represent the culmination of 15 years of
hard work.
Just last week, Checkfree announced an agreement to acquire the processing
subsidiary of Intuit Inc., which will give it access to the latter company's
Quicken product, its customers, and bank partners.
"This is what I paid my dues for," Mr. Kight said. "This is what we built
the company to do."
On Wednesday, Checkfree announced partnerships with BellSouth, Capstead
Mortgage Co., and the Small Business Administration. The arrangements will
let the companies and the agency collect bill payments electronically.
Mr. Kight founded Columbus, Ohio-based Checkfree in 1981, when he was 24.
The previous year, he was managing a chain of fitness centers in the
Southwest. While pondering the best way to sell health club memberships, he
hit upon the concept of automatic monthly payments.
At the time, only a handful of companies -- most of them insurance providers
-- were collecting payments electronically.
By 1982, a year after he set up his electronic funds transfer service
company, Mr. Kight was named an "entrepreneur of the year" by Ernst & Young.
Last year, Checkfree went public.
This year the company has acquired Servantis Systems Inc. in Atlanta;
Interactive Services Corp. in Portland, Ore.; Security APL in Bloomfield,
Ill.; and Intuit Services in Downers Grove, Ill. "Each step, if you look at
it, has been one to strengthen our position and our strategic capabilities,"
Mr. Kight said.
Checkfree has kept its headquarters in Ohio, but the acquisition of
Servantis' campuslike setting in Atlanta has begged the question of whether
the offices might move. Intuit Services employees will remain in Illinois,
where the work force likely will expand.
Mr. Kight, 40, divides his time between Atlanta and Columbus and said he
will decide within a year whether to initiate a formal move.
The union of Checkfree and Intuit Services is something of a remarriage.
Checkfree was the original processor of payments emanating from Quicken
software before Intuit Inc. acquired National Payment Clearinghouse Inc.
National designed the banking connections for the rival Microsoft Money
personal finance package, and the rechristened Intuit Services Corp. went on
to handle the lion's share of payments for PC banking customers.
"Essentially, Intuit enabled Checkfree to really prove the efficacy of
electronic bill payment," Mr. Kight said of the early days. "If it hadn't
been for Intuit and the link of Checkfree and Quicken, we wouldn't have
gotten to the point where we could prove to the banks that this really does
work.
"Even though the banks didn't like the fact that we and Intuit did that
without them, at the time, they weren't doing it. So what we did is we
proved it, to get them to pay attention."
What followed was a fairly messy divorce, in which Intuit withdrew its
business from Checkfree, and Checkfree sued Intuit for patent infringement.
Mr. Kight said he managed to stay friendly with key Intuit executives. He
and Scott Cook, Intuit's founder and chairman, had "a great deal of mutual
respect," he said.
The relationships proved central to the recent acquisition. A telephone call
at the beginning of this year from Mr. Kight to Intuit chief executive
officer William V. Campbell started the ball rolling.
Mr. Kight said a news article about technology companies jockeying for
position in electronic commerce prompted him to pick up the phone.
He said he told Mr. Campbell: "You've got stress at your bill payment
service, but you're growing like crazy. I'm growing like crazy. You're
signing up banks, I'm signing up even more banks. Maybe if we work together
... and he said, 'I think you're right.' And that started it."
Mr. Kight said he and Mr. Cook agreed each company would do best to focus on
its core competency: Checkfree on transaction processing, Intuit on its
software.
"Part of Intuit's strategy didn't work too well, which was signing up more
banks" for its processing service, Mr. Kight said. "But part of its strategy
worked extremely well -- the power of Quicken working with the banks."
The acquisition will boost Checkfree's bank customers to 181, and the number
of individuals for whom it processes transactions to 1.2 million.
Seeing 1996 as a turning point, Mr. Kight said he hopes bankers will
accelerate their moves into electronic banking now that they have easier
access to Quicken.
Until now, banks that wanted to be compatible with Quicken had to become
customers of Intuit Services.
Checkfree's main competitor today is Visa Interactive. Looming on the
horizon is Integrion Financial Network, a partnership of 15 banks and IBM.
"Right now, we're 100% supportive of Integrion, but to the extent that
Integrion chooses to work in our business, we'll be very tough competitors,"
Mr. Kight said.
Mr. Kight and numerous industry observers are still trying to make sense of
Integrion. Phoebe Simpson, an electronic commerce analyst at Jupiter
Communications in New York, said: "It's going to boil down to Checkfree and
Visa Interactive in the long run. It's yet to be determined whether
Integrion plans to build an entire payment processing unit."
But David E. Weisman, who covers the same ground for Forrester Research in
Cambridge, Mass., said it will be a three-way race.
He said "Checkfree's in good position here because they've got more volume"
than Visa or Integrion.
John A. Russell, chief spokesman for Integrion member Banc One Corp. in
Columbus, Ohio, called the Intuit acquisition a "good move" for Checkfree --
of which Banc One is a longtime customer -- as well as a competitive boost.
"It's key for Checkfree to do exactly what they're doing, and that's to get
big quickly so they can realize the economies of scale in this manufacturing
process," he said. Mr. Kight agreed that such economies of scale would serve
his company well as on-line banking gains vogue.
"I don't believe that the Internet is going to happen quite as fast as the
Internet-focused people believe it's going to," Mr. Kight said.
"I think there's going to be a trend toward banks providing more service to
their customers (when they) can connect directly to the bank without the Web
being involved. I think we're going to see that evolution over the next
three or four years."
But, Mr. Kight added, "I do believe that electronic banking is absolutely on
a critical mass-adoption curve as we speak."
Success and growth haven't changed Mr. Kight's down-to-business mentality.
When asked how he celebrated last week's deal closing, Mr. Kight said, "By
getting on a plane and flying to Chicago to meet with the ISC work force."
---
<a href="mailto:[email protected]">Dr.Dimitri Vulis KOTM</a>
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps