[NEWS] Crypto-relevant wire clippings

AP Online: Sunday, September 15, 1996

Card Raises Privacy Issues


Big Brother is not watching. Or is he?

Fears resembling those of the omniscient machine that spies on people in
their homes in George Orwell's novel, ''1984,'' have found their way
into a new technology entering the marketplace -- smart cards.

These credit cards embedded with computer chips can store information
from shoe size to credit history. But critics claim these cards will be
used to compile dossiers on the people who use them.

And now it's up to the Smart Card Forum, a family of companies driving
development of smart card technology, to convince the public that Big
Brother isn't watching, for smart cards are protected and confidential.

''There's a huge amount of misunderstanding, and that creates a huge
amount of fear, about whether these products are going to decrease
people's privacy or otherwise leave them unprotected,'' said John Burke,
the forum's attorney and a partner at the law firm of Foley, Hoag &
Eliot in Washington, D.C.

Starting Monday in San Francisco, members of the Smart Card Forum will
meet to discuss the latest technology and marketing programs necessary
to put a smart card in every household. In many ways, smart cards
resemble credit and debit cards that the market has grown accustomed to
using. With a simple swipe, they too can substitute cash when buying
everything from subway tokens to clothing and the purchase price is
electronically deducted from the card using a special machine.

But the smart card takes the technology further, embedding a computer
chip into the card. That gives it much more memory and enables it to do
simple math and process information, like keeping a bank balance or
tracking frequent flier miles.

The huge potential scope of the smart card has prompted some concerns
about the privacy rights of users. By tracking small purchases,
telephone and transportation records, they can document a person's
everyday movements.

That information could be useful to everyone from employers and family
members to law enforcement officials and banks. Marketers might be very
interested in records of purchases made with smart cards.

But privacy experts question whether third parties should gain access to
see such information.

The American Civil Liberties Union of New Jersey is fighting a state
proposal to encode fingerprints on smart card drivers licenses on the
premise that it would treat as criminals people who are not suspected of
a crime.

''We also oppose the requirement that other data be included'' on New
Jersey drivers licenses, said David Rocah, an ACLU staff attorney in
Newark, ''unless precautions are made to insure that third parties will
not have access to that data.''

Others, however, counter the questions of privacy, claiming that owners
can control what information goes onto them and with whom it is shared.
They also point out that the information is electronically scrambled, or
''encrypted,'' making it very difficult to steal.

The Smart Card Forum is working to create privacy guidelines that can
keep pace with the fast-developing industry. Federal regulators, such as
the Office of the Comptroller of the Currency, the Federal Reserve and
the Federal Deposit Insurance Corp., are all considering whether and how
to regulate smart cards.

Smart cards are a huge business for companies like Texas Instruments
Inc. and Motorola Inc., which make the chip. They could also be a boon
for banks and other financial institutions that issue the cards for a
fee, and for payments-systems networks like Visa and MasterCard, which
earn a percentage of each transaction.

''This is a huge, huge market,'' said Peter Hill, executive vice
president for technology at Visa International, one of the 225 corporate
members of the forum. ''Cash transactions world-wide total about $8
trillion a year, of which 80 percent are for $10 or less.''

A number of big banks have run pilot programs to test consumers'
acceptance of the cards. Some have teamed up with Visa and MasterCard to
do market tests in Swindon, England, Canberra, Australia, and at the
1996 Summer Olympic Games in Atlanta. A test is planned by MasterCard,
Visa, Chase Manhattan Corp. and Citicorp, in New York's Upper West Side
later this year.

So far the pilot projects, which have put about 50,000 smart cards in
circulation worldwide, have had mixed results. Many worry consumers will
not incorporate the cards into purchases they now make with cash, and
that has left merchants wary about the cards also.

To move beyond the arena of small purchases, members of the Smart Card
Forum are developing technology to allow people to use home computers to
pay for Internet purchases with these cards, and to download cash onto a
smart card. Personal-computer makers have begun including chip readers
in PCs for these purposes.

Also in development are scores of non-financial applications, such as
keeping drivers license and medical information, transferring government
welfare or medical benefits, and making airline and hotel reservations.

To Diane Wetherington, MasterCard's senior vice president for smart
cards, the Forum's biggest task is not the social and legal issues
surrounding the smart card, but getting consumers to use it for any and
all financial transactions down to the 10-year-old's weekly allowance
and merchants to accept it.

''The technology works, the product works,'' she said. ''Now it is up to
the marketing associations and companies to really try to create global
products from these.''

American Banker: Monday, September 16, 1996


SET a Big Win for the Card Associations


Whether for superstitious reasons or just to avoid the inevitable
groans, experts in data security were long reluctant to use a certain,
pertinent pun. But now it can be officially uttered: SET is set.

Secure Electronic Transactions, the Internet payment protocol hashed out
by MasterCard, Visa, and a sometimes unruly bunch of technology
providers, went up on the card associations' Web sites in June in what
was labeled as its final form.

In other words, the standard was ready for prime time. Software
developers could begin incorporating it in systems being designed for
electronic transactions. And thus began something of a race to make
SET-secured card payments a reality, at least in a test mode, by
yearend. The principals were too busy and running too fast to celebrate
their hard-won accomplishment. There was far more work to be done, and
in their haste to get to it they may never have adequately explained the
document's true significance.

The SET advocates met their objective. Getting past their internal
divisions, they wrote specifications for on-line credit card
transactions and were unanimous in their endorsement. Relying on data
encryption and digital certification of buyers, sellers, and bank
processors, they erected several barriers to electronic thievery.

They did not make the Net safe for all commercial and monetary activity.
Nor did they silence a number of critics who still raise warning-flags
about the Internet's inherent vulnerabilities, even those addressed by

The development of the protocol was well-chronicled. Probably too well
from the standpoint of MasterCard and Visa, which had hoped that their
mid-1995 move to cooperate -- on the assumption that payment security
should not be a competitive venue -- would lead to a rapid conclusion of
amicable, low-profile deliberations. The diplomatic initiative derailed
in the fall of 1995 when Microsoft Corp., sitting on Visa's side of the
table, failed to reconcile with the opposing camp that included two of
Microsoft's market adversaries, International Business Machines Corp.
and Netscape Communications Corp.

After a couple of months of fence-mending, the negotiations were
declared back on track Feb. 1. Within a month the working draft of SET
was completed, supposedly drawing the best features from the initially
separate MasterCard and Microsoft-Visa proposals.

As the June deadline approached, most of the organizations directly
involved in SET -- they included GTE Corp., Science Applications
International Corp. (SAIC), and companies associated with the data
encryption leader RSA Data Security Inc. -- announced they would provide
products and services implementing the protocol.

Verifone Inc. hit the ground running June 18 with a comprehensive
electronic commerce package that it said would be the "first
implementation" of SET, supported by numerous strategic allies from the
SET circle and beyond. Said Verifone's Internet commerce division chief
Roger B. Bertman, "This will help the industry benefit more quickly from
increased Internet transaction volumes and allow us all to begin
learning by doing."

Verifone had reportedly pressed to join the SET team, only to run up
against the members' desire to stay small. But Verifone was very plugged
in, and Mr. Bertman's "learning by doing" could have been their motto.
By implication, publication of SET was just one more beginning.

At the heart of SET is data encryption technology, specifically that
provided and championed by RSA of Redwood City, Calif. In the encryption
field, science meets commerce. The plodding of the scientific method
tempers businesses' drive to get products to the market.

Further complicating any venture into encryption -- the mathematical
technique for scrambling messages to prevent unauthorized reading -- is
the overhang of public policy. RSA and its progeny have chafed at
federally imposed limits on cryptographic systems, particularly on the
length of the code-defining keys they can export. While most financial
activities are not hindered by the government's concern about "strong
encryption," any banking or payment-related activity is surely to be
scrutinized by that industry's regulatory establishment.

It is only 20 years since the advent of public key cryptography.
Improvements have been continuous, at least theoretically enabling the
guardians of secure data to stay a step ahead of criminal pursuers. That
SET could come together in a few months of concentrated effort is
testimony to the strength and durability of the concept.

As in academic tradition, what is tested and proven wins out.
MasterCard's and Visa's pre-SET attempts, Secure Electronic Payment
Protocol and Secure Transaction Technology, "didn't incorporate enough
of preexisting security standards," said Allan M. Schiffman, chief
technology officer of Terisa Systems Inc., a Los Altos, Calif., company
formed in 1995 by RSA and several other investors to develop secure
systems for Internet commerce.

"In dealing with crypto, it's nice for stuff to be out and analysts to
take a shot at it," said Mr. Schiffman, whose company was intimately
involved in SET and said back in April that it would build the protocol
into its client and server toolkits. "Older standards that aren't broken
are what crypto-developers want."

SET's reliance on the proven didn't stop the sniping.

Lee H. Stein, chairman of First Virtual Holdings Inc. in San Diego,
designed his Internet commerce system such that payment data flow via a
private communications channel rather than the World Wide Web. First
Virtual is not yet ready to bank on encryption. SET may be a step in the
right direction, but it didn't sway Mr. Stein.

"Sensitive financial information is never to be on the Internet," Mr.
Stein said at the Cyberpayments '96 conference in Dallas in June. "Has
anyone here yet seen a hierarchical, encryption-based certification
authority working at the consumer level?"

Jerome Svigals, a California-based consultant and long-time advocate of
smart cards, criticized the lack of portability of the customer
certificates required for an SET transaction. Designed to be embedded in
a personal computer, the certificates, or digital signatures, might
better comport with the credit card transaction model by being stored on
smart cards.

Aharon Friedman, chairman and chief product developer of Digital Secured
Networks Technology Inc. in Englewood Cliffs, N.J., has expressed
concern about the software-only nature of SET. He said it requires a
hardware component to be fully secure.

Mr. Friedman, a one-time SAIC research physicist who founded his network
security company last year, also said too much of an SET message is in
clear text or subjected to "hash functions" that do not provide the high
security levels of encryption.

"Unlike hardware, software can be bypassed using a computer," Mr.
Friedman said. He has suggested that a hardware-based approach be
incorporated into SET at "a more elementary level" so that all the text
can be encrypted.

"He put it aggressively," Mr. Schiffman said of Mr. Friedman. "What he
says is not wrong, but it was not unaccounted for" in SET revisions.

Other SET defenders have pointed out that the three aforementioned
critics have vested interests in, respectively, off-Internet payments,
smart cards, and hardware. Mr. Friedman said he is a few months away
from a hardware-software solution that would be economical for PCs and
even laptop computers, but he was not ready to talk about specific

More fundamentally, the SET group had to grapple with classic questions
of appropriateness. The security measures had to fit the potential
crimes, at a reasonable cost.

As new electronic payment media develop, "people are going to realize
that they can't guarantee 100% security," Geoffrey Baehr, a top network
technology official at Sun Microsystems Inc., said at a banking
conference earlier this year. "Instead, they will aim their development
work at 100% acceptance of risk, and assume there is always some amount
of fraud.

"It happens, and there isn't much you can do about it other than best

Focusing on the framework for card payments, the SET group put its best
efforts toward standards for transaction software and the ever-critical
authentication of cardholders, merchants, and banks, based on the
digital certificates issued and maintained by "trusted parties." A big
selling point is that merchants don't see buyers' credit card numbers;
the system transparently validates them.

RSA Data Security has a central, commercial interest in how SET develops
and has taken on an associated, almost public-service responsibility for

"SET is definitely the way to go to secure bank card transactions," said
Kurt Stammberger, RSA's director of technology marketing. "We believe it
will be huge. Otherwise we wouldn't have built a toolkit around it."

Indeed, the "RSA Encryption Engine" brand will be on Verifone's software
products -- vGate, vPOS, and vWallet -- the first of what should be many
SET-related licenses.

Because there will be a proliferation of on-line products, especially
the virtual wallets at the consumer level, Mr. Stammberger said "RSA's
role will be to make sure all the wallet implementations talk to all the
merchant implementations and the banks."

"Building cryptography is not trivial, but getting all the right people
talking to each other can be even more of a challenge," Mr. Stammberger

Meanwhile, Verisign Inc., spun off by RSA 17 months ago, is going after
the certification piece of the business. In July it announced it was
chosen by Visa International to provide Internet authentication through
the member banks. Building a global infrastructure for the
encryption-based certification product it calls Digital ID, Verisign
views the Visa deal as a big mass-market opening for digital signatures.

"The financial services industry is leading the charge in bringing
Internet commerce to the consumer," said Verisign president and chief
executive officer Stratton Sclavos, who has also signed breakthrough
licensing pacts with Microsoft and Netscape. He expects market
availability of his "high-volume, scalable-to-the-millions" product "as
soon as SET is ready," by early next year.

MasterCard designated the CyberTrust unit of GTE Corp., one of its
partners in the SET project, as its private-label certificate provider.
The announcement, within days of Visa-Verisign in late July, prompted
some one-upmanship. MasterCard senior vice president Steve Mott
predicted GTE would be "bigger, better, and faster" in the market.

Visa U.S.A. president Carl Pascarella wanted to underscore that the
Verisign-GTE face off means healthy competition, not a return to the
earlier SET dissension.

He said the card associations rejected the idea of a single
certification authority because it could have been monopolistic. And
while Visa members can now choose Verisign, and MasterCard members GTE,
they could also be their own "CA" or pick from other suppliers.

"Visa and MasterCard agreed to pursue different certification options,"
he said. "The technology will be more robust, and it will minimize the
impact on issuers and acquirers.

"Things are changing so fast, we don't want to be in the position of
driving stakes into the ground. Our concern right now is to protect the
banks, and SET does that."

The Miami Herald: Monday, September 16, 1996

Firm Hopes Facial "Signature" to be Foolproof

Don't look for twenty-something computer nerds at Identification
Technologies International in Coral Gables. ITI, a high-tech firm
founded in 1993, is run by David Bendel Hertz, an energetic

Hertz has held executive engineering positions at RCA and Celanese, has
been a partner at the consulting firm McKinsey & Co. in New York and has
taught business and law at the University of Miami.

His latest venture focuses on a facial recognition system, with
applications from building access to internet banking.

"We are a start-up business, a research and development company," says
Hertz, 77. "And now we're becoming an operative company."

Hertz saw an opportunity in 1994. Conventional facial recognition
systems "were too slow and took too much computer memory," he says. And
stored on a hard drive, the data were vulnerable to hackers.

Hertz calls his solution One-to-One. It uses a camera to take a person's
photo and compares it to a facial "pixel signature." The signature uses
only 96 bytes of memory -- as opposed to 500 to 2,000 bytes in
conventional systems -- and can be easily stored on a smart card. Hertz
insists that even the most intelligent hacker won't be able to break
into the system because the data is not available on a central computer
system and a stolen smart card will not match the thief's facial

Hertz allows that ITI has spent more than $1 million so far, half from
him and half from Peipers, a New York investment company.

ITI offers its system in the form of a small black box, containing the
camera and connected to a computer. One-to-One uses little memory
because it focuses on specific characteristics, such as the position of
the eyes and the form of the mouth, while older systems store a
photo-like image of the face.

"When we started," Hertz says from a University of Miami test lab, "the
first thing we did was ask a plastic surgeon if there are sufficient
differences between faces.

"'Every face is different,' he answered. But what about identical twins,
we wanted to know. "The surgeon said there are enough differences in
their faces that some people -- like their mother -- always can
recognize them."

Using biometrics, the branch of biology that deals with data
statistically and by mathematical analysis, One-to-One can recognize
these differences as well as a mother.

A niggling problem, however, is that the system may not recognize a
characteristic that is not part of your signature, such as a new haircut
or even a smile.

So far, ITI has made 50 units, mostly for testing and evaluation. Priced
at $2,000-$3,000, two of the units have been sold to Westinghouse
Security Electronics, which does not manufacture facial recognition
systems. Jorge Sousa, director of product development at Westinghouse's
systems division, based in Santa Clara, Calif., says he is "convinced
that biometrics has a future," and that his company is keenly interested
in ITI's product.

Citicorp is currently testing Hertz's system on its ATMs, and AktivNet,
a Miami company, has agreed to try out 400 units in 1997 on its
communications kiosks in airports and hotels geared to business

Hertz has also presented One-to-One to the National Security Agency,
which he says "exhibited high-level interest."

ITI is being marketed in Europe, South Africa and the Middle East by a
Dutch company, Digistration. Hertz sees customers ranging from airports
to welfare agencies to sports arenas. "The market is large and growing
every day," he says.

David Leibowitz, managing director and analyst at Burnham Securities in
New York, also sees a rising interest in sophisticated security systems.
"There is every likelihood that more creative devices will be needed,"
said Leibowitz, who added that with the rise in crime and theft, "The
security market is growing at a dramatic pace."

Leibowitz points out that the security market can include everything
from barbed-wire fences to combination locks to the high-tech devices
manufactured by such companies as Sensormatic, Checkpoint and Knogo.
"Should ITI's product prove itself in tests and go on to succeed in
real-world applications," he said, "there is a good chance there would
be a market for it." But he cautioned that between now and then,
competitors may have developed similar or more innovative systems that
affect ITI's potential to market its product.

Hertz plans to hire 10 additional employees to market and distribute ITI
products. They will join the 12 people currently on staff, an
international group including a computer programmer, biomedical
scientist and mathematical analyst.

Their work has far-reaching implications: Hertz envisions a day when ITI
develops systems and products that, for example, have the capability to
"detect people in a crowd," to catch fugitives or help find missing

Retail Banker International: August 22, 1996

Chase Builds "Best Biometric"

CHASE MANHATTAN is currently testing biometric voice printing for retail
banking applications in two pilots in the New York area. The bank said
these tests will be concluded before year-end, and could lead to the
introduction of biometric voice printing in several retail channels as
early as 1997.

The two pilots now in progress are testing voice printing at branch
offices, the most challenging environment for voice printing, due to
ambient noise and distortion. Branch customers pick up a phone on the
teller line and verify their identities instantly, saving the teller the
time needed to check the validity of each customer's bank card.

But the system's most dynamic application will be in remote delivery,
and especially in phone banking, where customers' identities can be
automatically verified as soon as they speak, allowing phone reps to
call up all account data instantaneously. The bank expects to roll out
voice printing first in high-risk wholesale operations, like funds
transfer and treasury services, before introducing it to the retail side
of the bank.

"Voice is the best biometric," said Elizabeth Boyle, Chase VP for
strategic implementation in New York. First, voice printing offers
security in all channels, an advantage that techniques like
fingerprinting and dynamic signature analysis do not enjoy. This means
that customers can use the system for remote transactions and can open
accounts without visiting a branch, for example.

Second, customers are most comfortable with voice printing, which is
considered far less intrusive than fingerprinting, for instance, and is
completely invisible over the phone. Lastly, voice printing is the most
effective security system, yielding the lowest percentage of false
positives, and just as important, the lowest rate of false negatives.
"We do not want to be in the position of telling customers that they are
not who they are," Boyle explained.

Chase's voice printing pilots use technology developed by Votan of
Pleasantville, California, a firm currently under registration for an
initial public offering valued at $30 million. Direct mutual funds
provider Fidelity Investments is also working on the implementation of
voice printing technology, and Citibank is currently running voice
pilots by four separate vendors.

Boyle said that twelve months ago, Chase decided against
multiple-vendor pilots, believing the technology was changing too rapidly to make
this approach economical.

New York Times: Monday, September 16, 1996

Testing Whether Internet Readers Will Pay


After extending its grace periods four times, The Wall Street Journal
Interactive Edition says it will bar freeloaders from its World Wide Web
site beginning Saturday.

The results are being watched as a bellwether for prospects of charging
for access to Web sites. Because of The Journal's fame and its high
proportion of business users, founders of other sites figure that if The
Journal does not succeed, they may have no chance of charging in the
foreseeable future.

Today's Web is a money pit, with sites getting some revenue from
advertisers but virtually none from users.

Nick Donatiello, a market researcher who surveys consumer attitudes
about new technologies, said subscription fees might work in a special
case like The Journal, but would remain rare.

``Consumers can surf the whole Web for less than $20 a month, so it's
hard to convince them that they should pay for one little slice out of
this enormous pie,'' said Donatiello, the president of Odyssey LP, a
research firm in San Francisco. ``Paying for content is going to be
dwarfed by having advertisers pay, not because the Web has a culture of
free content, but because television has a culture of
advertising-supported content.''

A message on the Journal's site (http://www.wsj.com) says, ``Avoid the
rush and convert now to a paid subscription.'' The interactive Journal
is charging $49 a year, or $29 to those who take the print Journal,
which runs $164 a year.

Neil F. Budde, the editor of the interactive edition, said many people
were philosophically opposed to paying for information on the Web. But
he said others would subscribe because of the site's features like
Briefing Book, which offers news about a company, charts of stock
performance and five years of financial data.

``These are not the people who have been on the Internet since Day
One,'' he said. ``These are newer people, people who are in business,
who say it's worth it not to have to look four different places on the
Internet'' to find information that the Journal site pulls together.

About 650,000 people registered during the interactive Journal's trial
period. Thomas Baker, the business director of the interactive edition,
said surveys of those users indicated 10 to 30 percent were willing to

``If, at the end of the year, we had 20,000 to 25,000, that would be
good,'' Baker said. ``We're realists. Our expectations are fairly
modest. We look at this as a magazine start-up, and even successful
magazines take a while to ramp up.''

Baker said only 20 to 25 percent of those surveyed subscribed to the
print Journal. ``That helped allay people's fear of the cannibalization
of the print readership,'' he said.

When the site opened in April, it offered free access through July 31.
That was extended to Aug. 31, then Sept. 21. The deadline to register
was May 31, then June 30, then Aug. 1.

There is still a loophole: Access to the on-line Journal is free through
Dec. 31 to those who download the Microsoft Corp.'s Web browser,
Internet Explorer. Also free: two-week trials of the Journal site.

Barron's, a weekly that like the Journal is published by Dow Jones &
Co., thought big when it announced its Web site in May, saying it
planned to charge $99 a year for basic access, and even more for premium
areas like an Investors Workstation.

That would have made it the most expensive mass-market site on the Web.
The plan has been rethought. Barron's Online (http://www.barrons.com)
has remained free, and a spokesman said the future subscription price
had not been determined.

The Web site of The New York Times requires users to register but does
not charge. About 600,000 have signed up since the site
(http://www.nytimes.com) opened in January.

``Our view is that market share is a more important criterion for
success than whether you can get a few people to pay for the service,''
said Martin A. Nisenholtz, the president of The New York Times
Electronic Media Co. ``But we continue to evaluate our users'
willingness to pay for information on line.''

The other best-known news sites, including those from CNN, USA Today,
The Washington Post and The Los Angeles Times, are open to all. ESPN's
site (http://espnet.sportszone.com) charges $39.95 a year for access to
premium areas, including columnists. But that service, too, is free
until the end of the year through Microsoft Explorer.

Microsoft, meanwhile, has found an old-fashioned way to get some income
from its on-line magazine, Slate: sell paper copies.

Slate on Paper went on sale this month in many Starbucks coffee
boutiques, and mail subscriptions are available. The 62-page digest of
the on-line version is produced in Microsoft's print shop.

The paper Slate is $29.95 a year. That's $10 more than the on-line
version will be when it starts charging for access on Nov. 1.

The site (http://www.slate.com) was started in June with great fanfare
from traditional media, but it continues to be skewered in the on-line
world. The September issue of Wired magazine inaugurated the Kinsley
Deathwatch, a pool to predict when Michael Kinsley, Slate's editor, will
return from Redmond, Wash., to the other Washington.

Slate on Paper, which includes about one-third of the Web version,
includes an editors' note heralding ``the transmutation of all-digital
Slate to the fusty comfort of analog paper and ink.''

``To the best of our knowledge, Slate on Paper is the first Webzine to
reverse the process,'' the note says. ``Some say it is fitting for two
companies so closely associated with the image of Seattle - Microsoft
and Starbucks - to be joining forces. Others say it is beyond
parody.'' A parody site, Stale (http://www.stale.com), pretends to offer
a printed version, ``thereby defeating the purpose of being on the

Rogers Weed, Slate's publisher, said the print edition was ``a bridge to
the people that aren't on the Internet today.''

But how many Starbucks customers want Chechnya with their frappuccino?
Even some of the chain's employees are puzzled. ``This is Starbucks
coffee,'' said Carol Hensler, who worked at a store in Richmond, Va.
``We only have coffee and coffee products.''


Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps