[NEWS]
New York Times: Monday, October 21, 1996
Israelis Cite New Risk To Electronic Data Security
By JOHN MARKOFF
Two of Israel's leading computer scientists say they have found a way to more
easily decode and then counterfeit the electronic cash ``smart cards'' that
are now widely used in Europe and are being tested in the United States.
The researchers have begun circulating the draft of a paper that points out
higher security risks than those discovered last month by scientists at Bell
Communications Research.
The Bell researchers had reported that it might be possible to counterfeit
many types of the ``smart cards'' that are being tested by banks and
credit-card companies, including Visa and Mastercard.
The two Israeli scientists, Adi Shamir, a professor at the applied mathematics
department at the Weizmann Institute, and Eli Biham, a member of the faculty
of the computer-science department at the Technion, reported that in addition
to the so-called public key coding systems that were found vulnerable by the
Bellcore team, private key data coding systems such as the American Data
Encryption Standard, or DES, can be successfully attacked if a computer
processor can be made to produce an error.
The two Israelis made a draft of their research available via the Internet on
Thursday. In their paper the two wrote, ``We can extract the full DES key
from a sealed tamperproof DES encrypter'' by analyzing fewer than 200 encoded
messages.
Both public key and private key data-scrambling methods are based on the
difficulty involved in factoring large numbers. A public key system permits
two parties who have never met to exchange secret information. A private key
system requires that a secret key be exchanged beforehand.
Data-coding experts said that the new Israeli method might be a more practical
system than the previously announced Bellcore method, because unlike public
keys, which are frequently used only once per message, a private secret key
may be used repeatedly to scramble electronic transactions.
``This seems a lot closer to something that might actually be used,'' said
Matt Blaze, a computer researcher at AT&T Laboratories.
Smart cards have been promoted as tamperproof, which is why computer
scientists at Bellcore, one of the United States' leading
information-technology laboratories, sounded the alarm last month, saying that
a savvy criminal might be able to tweak a smart-card chip to make a
counterfeit copy of the monetary value on a legitimate card.
Executives at smart-card companies said at the time that the attack was
theoretical and that it would be impossible to make a smart card generate an
error without actually destroying the card.
However, Biham responded that he believed such hardware attacks were possible.
The cards are generally damaged by means of heat or radiation, which causes
the computer chip in the card to generate an error, which the Israeli
scientists used to obtain the code key and copy the card.
``I have ample evidence that hardware faults can be generated without too much
difficulty,'' he said in an electronic-mail message. ``As a consultant to some
high-tech companies, I had numerous opportunities to witness successful
attacks by commercial pirates on pay-TV systems based on smart cards.
``I know for a fact that some of these attacks were based on intentional clock
and power-supply glitches, which can often cause the execution of incorrect
instructions by the smart card.''
Other researchers said that the class of attacks demonstrated by the Bellcore
team and the Israelis had been known by some members of the tightly knit
community of cryptographers for several years, but the results had not been
published.
``Some of the smart-card manufacturers are well aware of this flaw,'' said
Paul Kocher, an independent Silicon Valley data-security consultant. ``But it
doesn't mean that they have fixed it.''

American Banker: Monday, October 21, 1996
Bank Regulations Are No Obstacle to E-Money Ventures
BY THOMAS P. VARTANIAN
Banks and holding companies have three strategic alternatives for delivering
new electronic products and services to customers: They can develop them
through internal expansion; acquire, whole or in part, companies that provide
them; or enter into joint ventures, networks, alliances, and partnerships.
Experts seem to believe the third approach provides banks with the optimal
array of business opportunities. But successful technology ventures require a
blend of business skills, savvy instincts, and an understanding of the legal
pitfalls.
Venture partners must be compatible in strategic goals, competitive vigor,
geography, cultural affinity, and social constitution. As the trend toward
technology-driven ventures develops, so must regulators correspondingly expand
their views of what constitutes permissible banking activities. As they do,
and as Internet commerce and electronic money transform the nature of banking
relationships and money, banks and bank holding companies should
constantly evaluate how investments in subsidiary corporations, partnerships,
joint ventures, and limited-liability companies may facilitate their
strategies to remain technologically competitive.
In January 1996, the Office of the Comptroller of the Currency explained its
current position regarding the ways in which the operating subsidiaries of
national banks may co-venture with nonregulated entities in the development
and delivery of new technological products and services. In that decision, the
OCC approved the contribution of a merchant credit card business by a group of
affiliated national banks to a technology company, in exchange for a
collective 40% equity interest in that company. Other initial shareholders in
the transaction included a venture capital fund, a telecommunications company,
and management of the company.
The newly formed operating subsidiary planned to complete a public offering
and further reduce the banks' ownership interests subsequent to this initial
transaction.
Similarly, the OCC approved in March a national bank operating subsidiary's
participation in a joint venture that was 50% owned by 31 depository
institutions, including four national banks.
The venture was to provide automated teller machine and point of sale services
to depository institutions in the northwest United States and western Canadian
provinces. It also would operate a transaction switch, transmit information to
other networks pursuant to gateway agreements, provide ATM and POS-related
services to owners and members, and furnish net settlement information.
These authorizations reflected a flexible approach to two critical factors:
the list of activities that national banks may legally engage in; and the
manner in which they can be so engaged.
With respect to the latter point, the OCC will make exceptions to its
traditional requirement that national banks control at least 80% of their
operating subsidiaries and permit minority investments in subsidiaries if
certain conditions regarding the activities and independence of the subsidiary
are met. The OCC seems to recognize such subsidiaries will be a necessary
vehicle for national banks to remain competitive in technologically driven
markets.
The Board of Governors of the Federal Reserve System is similarly
accommodating. On May 21, it authorized Cardinal Bancshares to acquire Five
Paces Software Inc. through a wholly owned thrift subsidiary, Security First
Network Bank, and thereby engage nationwide in data processing activities
relating to financial services over the Internet. The Fed noted that all of
Five Paces' data processing and transmission activities "are provided in
connection with transactions in accounts maintained by a financial
institution."
The agency had previously determined that "the development, production, and
sale of software that allows a customer to conduct banking transactions using
personal computers (is permissible because it) is closely related to banking."
On Feb. 6, the Fed approved the acquisition by Royal Bank of Canada of 20% of
the voting shares of Meca Software LLC. The Fed relied on Section 225.25(b)(7)
of Regulation Y, which permits bank holding companies to provide data
processing and data transmission services, facilities (including software),
data bases, or access to such services, facilities or data bases by any
technological means, so long as the data to be processed or furnished are
"financial, banking or economic in nature."
Interestingly, the central bank disregarded the fact that Meca conducted
nonfinancial activities. It concluded that those software products --
including games, computer security programs, a medical reference library, and
a program providing basic legal forms -- did not have dedicated employees or
resources, produced only 7% of the company's revenues and would not be
upgraded, enhanced or promoted. Therefore, they would not preclude approval.
Similar limitations on nonfinancial data processing and transmission services
facilitated the Fed's approval of a de novo subsidiary of Compagnie Financiere
de Paribas on Feb. 26 to produce integrated billing software programs for
digital mobile telephone networks.
It remains to be seen how the Federal Reserve or the OCC will respond to
requests to engage in technological activities that are not directly
financial, banking, or economic in nature. However, the agencies seem to be
signalling a willingness to be expansion-minded.
The Fed issued an order July 1 allowing four banks in Ohio and Pennsylvania
through their ATM affiliate, Electronic Payment Services Inc., to provide data
processing and other services relating to the distribution of tickets, gift
certificates, prepaid telephone cards, and other documents.
Proposals regarding joint ventures in electronic money, smart card systems,
and PC hard-drive currencies are pending. The regulators are becoming attuned
to new types of regulatory issues and concerns.
For example, in its Cardinal Bancshares order, the Fed said it expects
acquisitions such as Five Paces to "enhance consumer convenience by expanding
the availability of electronic banking services and by making those services
available in new ways." But it warned that defects in security policies or
procedures would be considered unsafe and unsound banking practices because of
the risks associated with the provision of services over the Internet.
Not since Jesse James was practicing his entrepreneurial skills has bank
security become such a regulatory concern. Since no human can exist in
cyberspace, and identification and verification of parties over the Internet
may be subject to manipulation, the Fed is clearly telling banks to take
prudent steps and utilize state-of-the-art cryptography to discourage and
prevent computer break-ins, counterfeiting, theft of accounts and identities,
systemic attacks and informational warfare.
A fair enough admonition -- one that many banks can satisfy only by working
with partners and unaffiliated entities.
But entrepreneurial business venturers do not mix easily with regulation.
While a bank's joint-venture partner may be a high-quality technology company,
it may not be accustomed to the kind of regulatory examination, intervention,
and enforcement that banks know. This issue must be resolved at the inception
of a joint venture to avoid subsequent disputes.
Given the way current laws work, nonbanks may want to join with a bank holding
company affiliate rather than a bank subsidiary to avoid the liability that
can attach to an "institution-affiliated party," such as a subsidiary of an
insured bank.
Traditional concepts of due diligence will also have to be substantially
augmented and modified to adequately evaluate businesses in cyberspace. No
longer will physical reviews of corporate documents and officer interviews
suffice. Bank acquirers and co-venturers will have to thoroughly consider the
extent to which electronic breaches, theft, counterfeiting and manipulation of
systems have occurred or can occur.
Given the ever-increasing technological capacity available to cyberspace
pirates, security protocols will have to efficiently accommodate new
generations of technological upgrades. Off-line, unaccountable smart cards may
have to be upgraded by the originator or issuer through virus-like
transmissions spread card-to-card and card-to-terminal.
Similarly, the encrypted identifying marks of electronic money may need to be
regularly reformatted in order to limit the amounts that can be counterfeited
or duplicated.
In the intellectual property area, an acquired or co-ventured technology
business may only be worth what it costs if the products and services and
their underlying software and programs are adequately protected or protectable
under copyright, trademark, and patent laws.
Given the dizzying rate at which such filings are occurring in electronic
banking and commerce, it is equally critical to determine that any technology,
products, or services being acquired do not violate pending or issued licenses
in any jurisdiction in the world. The Internet is a worldwide marketing
mechanism, and users will have to consider the laws and customs of a multitude
of jurisdictions -- even those where they may never have done business or
intended to do business.
In any joint venture, affiliation, or alliance, the contracting parties must
determine who "owns" the customer. But in the world of cyberspace, where
traditional identities and boundaries no longer apply, ownership and access
issues will be even more important, particularly when a venture is unwound or
dissolved.
Banks have traditionally sought to share information between and among
affiliates for marketing purposes. Where the affiliate is not a controlled
subsidiary, however, such sharing may be problematic and even illegal under
state privacy laws.
As electronic commerce and smart card products begin to be introduced and gain
acceptance, certain brands will naturally become more prominent and
recognized. Unlike the branding issues that are important to companies in the
consumer products area, these electronic products will have to fight for
market share among consumers who put a premium on confidence and trust.
Banks will have to find ways to continue to accommodate the financial as well
as emotional elements of the relationship that exists between an individual
and his or her money. Brands and logos that evoke confidence and trust will be
extremely valuable, and should be treated accordingly in the business ventures
that develop.
Technology co-ventures must have workable and verifiable policies and
procedures concerning disaster recovery. How an organization deals with
traditional crashes, power losses, and breaches will indicate its capability
in this area. No financial institution that relies on public trust and
confidence can tolerate the loss of business information or customer data,
particularly if it keeps customers from their money, electronic or otherwise,
for some period of time.
Odds are that many banks will not be able - or prefer not - to "go it alone."
The landscape is already filled with dozens of alliances and joint ventures,
and the business is still in its infancy. At the same time, banks should not
be too quick to dilute or share their long-standing consumer trust and
confidence. They have as much to give as they do to gain in technology joint
ventures, and they should negotiate accordingly.
---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps