New York Times: Thursday, September 26, 1996 Potential Flaw Seen In Cash Card Security By John Markoff A potential security flaw has been discovered that might make it possible to counterfeit many types of the electronic-cash ``smart cards'' that are now widely used in Europe and are being tested in this country by banks and credit card companies - including Visa and Mastercard. The types of smart cards that are potentially at risk include the kinds already employed in the Mondex cash card system and others used by European consumers. A cash card from Visa International Inc. was demonstrated in a highly publicized trial at last summer's Olympic Games in Atlanta. Chase Manhattan Corp.; Citibank, a unit of Citicorp, Mastercard International Inc., and Visa plan a test this year with 50,000 customers in New York City. Touted as the key to the cashless society of the near future, smart cards are credit card-sized packets that contain a microprocessor chip and a small amount of computer memory for storing bits of electronic information that represent money. At businesses equipped with the computerized devices that accept smart-card payments, the cards are supposed to be as good as cash - and as vulnerable to theft or loss as a $100 bill. But the cards have been promoted as tamper-proof, which is why computer scientists at Bell Communications Research, one of the nation's leading information-technology laboratories, are now sounding the alarm, saying that a sophisticated criminal might be able to tweak a smart-card chip to make a counterfeit copy of the monetary value on a legitimate card. ``If you're deploying these smart-card devices in a business or government electronic-payment system, then I think you need to look carefully at their actual security,'' said Richard Lipton, chief scientist at Bell Communications and a professor of computer science at Princeton University. Lipton and two colleagues at Bell Communications Research - or Bellcore - are about to publish a research paper on the potential smart-card flaw, which they recently discovered through theoretical research on the technology. No smart-card counterfeiting has been discovered yet, but Lipton and his team believe that such crimes are inevitable unless the technology is redesigned. The researchers have also been quietly notifiying the seven regional Bell telephone companies that jointly own Bellcore about their discovery. Bell companies including US West, and long-distance companies, including AT&T Corp., have been planning to market smart cards as a secure way to pay for long-distance calls without entering credit card numbers or generating the audit-trail of a phone bill. Despite the Bellcore warning, not all executives at companies using smart cards consider the theoretical threat a real danger. ``This is very speculative,'' said Chris Jarman, vice president of chip card technology at Mastercard, who had seen a draft of the Bellcore research paper. ``I have yet to see a smart-card scheme with a vulnerability,'' Jarman said. And even some industry executives, who said it was conceivable that individual smart cards might be at risk, contended that the vulnerability was not a threat to smart-card technology in general - any more than the occasional passing of a counterfeit $20 bill undermines the U.S. currency system. ``This is a significant event but it doesn't blow the industry apart,'' said William Barr, vice president of the Smart Card Forum, a trade organization of 230 U.S. companies and government agencies. Still, Barr conceded, ``this approach offers some ability to mount attacks that have not been anticipated.'' The Bellcore researchers, however, consider the potential flaw significant because it could short-circuit the data-scrambling software contained in many types of smart cards. The software is used to protect the card's secret code, which is designed to prevent counterfeiting. In theory, at least, the Bellcore researchers said that a smart card's security could be breached by forcing the microchip in the card to make a calculation error. This could be done in a number of ways, the researchers said, whether through sophisticated means like bombarding the card with radiation or perhaps cruder methods like placing it in a microwave oven. Once the card can be forced to make even a small calculating error, the researchers said that a mathematical formula they derived could use this error to extrapolate the secret data that authenticates the card when it is inserted in a merchant's card reader. The researchers suggested that in any system where it was possible to know about a calculation error it might be possible to exploit this newly discovered vulnerability. The Bellcore team is conducting further research into this possibility. ``These systems tend to have a fragile behavior,'' said another of the researchers, Richard A. DeMillo, who is vice president for information technology at Bellcore. ``Our technique is like tiny lever that makes it possible to pry open the vault that the secret information is stored in.'' U. S. Banker: Thursday, September 26, 1996 Mondex gets Cold, Hard Cash By Joseph Radigan The $ 119 million that National Westminster Bank plc and Midland bank plc raised this summer to fund their Mondex smart card program should provide at least some the capital they'll need to increase its acceptance. The capital was raised in conjunction with Mondex's spinoff from the two British banks that created the program as a joint venture five years ago. The new setup is being called "Mondex International," and besides NatWest and midland, which now hold minority stakes, it includes 15 other shareholding banks. One of them is Hongkong and Shanghai Banking Corp., which like Midland is owned by HSBC Group of London. In the U.S., Wells Fargo & Co. and AT&T Corp.'s Universal Card Services Group paid a combined $ 46.5 million for their 30% stake. The other investors include major banks in Canada, australia and New Zealand. Another 23.5% remains to be sold for roughly $ 1.5 million for each 1% interest. Not all the new funds are going toward Mondex's future development. Some will be used to compensate NatWest for the costs it incurred in leading the original research and development. NatWest's Michael Keegan became Mondex's chief executive as part of the restructuring, replacing Tim Jones, a fellow NatWest executive who had been Mondex's CEO through its startup phase. Jones is returning to NatWest as the managing director for the London bank's electronic commerce group and will keep a seat on the card association's board. David Mills, who runs Midland Bank's retail banking business will stay on as chairman of Mondex International, but he also has a seat on the board of MasterCard's European affiliate, Europay. These two card associations, in conjunction with Visa, are backing a smart card program that rivals Mondex's. But Keegan says that this does not pose a conflict of interest. As in the American credit card business, where banks are free to issue both MasterCard and Visa, Keegan foresees a future in which Mondex members will issue both Mondex and Europay smart cards. Now that Mondex is in the process of collecting the financial fuel it will need to fund its growth, the smart card organization's future revenue will come mostly from annual dues paid by member banks, Keegan says. The per-transaction interchange fee that supplies MasterCard and Visa with most of their annual revenue is not practical for the low-value payments for which smart cards are intended. Imposing a transaction fee on these would make the system impractical. In addition, because Mondex attempts to electronically mimic currency, most transactions will not settle through a captive payments clearing system. The only settlement will take place on an end-of-day basis when merchants or customers redeem their Mondex value at their local banks. San Francisco Chronicle: Thursday, September 26, 1996 Hundreds of Companies Have Smart Card Systems By Laura Castaneda The smart money is on smart cards -- even though most consumers have yet to lay a finger on them. Valerie Baptiste is one exception. The Wells Fargo secretary is participating in a company experiment that lets her make purchases at 22 San Francisco shops with a smart card. Resembling credit cards, smart cards are embedded with computer chips. They can store cash and other data such as medical history and credit information. ''A big advantage is the convenience of not having to fumble around in my purse for cash,'' said Baptiste as she was buying juice at The Wildflower Cafe. Hundreds of companies besides Wells Fargo, including several in the Bay Area, have launched smart card pilot programs to try and cash in on the cashless society of the future. Getting merchants and customers to accept and use a new form of payment won't happen overnight. But experts believe the widespread acceptance of smart cards is inevitable. ''I'm confident that the push will be on to make it happen because there are so many powerful entities interested in seeing cash go away,'' said Bruce Brittain of Brittain Associates in Atlanta, a consumer behavior research firm. David Poe, a director of Edgar Dunn & Co. in San Francisco, a management consulting firm that specializes in new product development, agreed. ''I think (smart card use) is going to be evolutionary as opposed to revolutionary,'' he said. Entities that want to cut down on the use of cash include big banks, credit card issuers, universities and the U.S. government. Why? Smart cards can save the cost of collecting, counting, securing and transferring cash. Most pilot programs feature smart cards that simply store cash, usually up to $ 20. The amount of each purchase is electronically deducted from the card at the point-of-sale. These kinds of smart cards are ideal for smaller transactions like parking, lunches, dry cleaning, convenience stores, vending machines and fast food. However, smart card technology is almost limitless. Combining computer chips and magnetic stripes allows a single card to be used as a cash, credit, debit and ATM card. Among the pilot programs in place: * Bank of America and Visa International are experimenting with employee-only stored value smart cards for purchases from company cafeterias and vending machines and some outside merchants. * Ohio and Wyoming plan to start using smart cards for food stamp and nutrition programs, and the U.S. Department of Defense is testing a multiapplication smart card at military bases in Hawaii. * The Washington, D.C., transit system plans to implement smart card technology for fares, and the Metropolitan Transit Commission, which serves 25 Bay Area transit services, is also considering launching smart card technology in about two years. * The University of Michigan, Western Michigan University, Washington University, the University of Minnesota, the University of North Carolina, Florida University and the University of San Francisco have smart cards for on- and off-campus in cafeterias, bookstores and restaurants. Smart cards are already widely used overseas. In Germany, more than 80 million people have been issued smart cards containing health insurance information. The potential market is huge, with more than half a billion smart cards expected to be in use worldwide by the year 2000, according to the Smart Card Forum, a group dedicated to accelerating the widespread acceptance of smart cards. A Smart Card Forum poll found that almost two-thirds of respondents see smart cards as a convenient option for carrying important personal information, and 40 percent would prefer to use the cards instead of cash for everyday purchases. Another Smart Card Forum survey found that retailers see various benefits such as gathering customer information, offering loyalty or ''frequent shopper'' programs and electronic ticketing and couponing. Despite high expectations, smart cards have a long way to go before they become as popular as ATM cards. Critics of smart cards, worried about privacy issues, liken the card's ability to track a consumer's every purchase to Big Brother in George Orwell's novel ''1984.'' There is also the classic ''chicken and egg'' problem: Merchants don't want to spend the money for smart card equipment until they're in widespread use, while consumers don't want to use smart cards until more merchants accept them. ''It's going to be a tough sell for consumers,'' said Rob Palmer, owner of The Wildflower Cafe, which has participated in the Wells Fargo pilot program for about a year. ''Cash is very convenient.'' Palmer agreed to participate in the experiment because it was free. But he said it may not be worth paying for later because smart card business only accounts for about 2 percent of his transactions. It costs about $ 500 per unit for a point-of-service terminal capable of processing smart cards. It's unclear whether banks or merchants will ultimately foot the bill. Many new debit and credit card terminals are also incorporating smart-card capabilities. The Smart Card Forum estimates that it costs 80 cents to $ 15 to manufacture a card, depending on the size of the chip. Right now, banks and card issuers are paying for the cards. Eventually retailers could sell their own affinity cards. Today, some cards can only be used once, others can be reloaded with more cash. To be cost-effective, though, most people think they cards will have to be reloadable and have more than one use. To succeed, smart cards will have to offer clear benefits to merchants (such as loyalty programs that generate repeat business) and to consumers (such as discounts or special promotions). The cash-only cards do not have any security features, so if you lose one, it's easy for someone else to spend your money. Cards that also have personal information will need to have security features such as ''encryption,'' or electronic scrambling that protect against unauthorized use. In fact, a survey of the world's 10 largest central banks released earlier this month by a task force of computer and security experts found that security measures now used with electronic money are adequate to protect consumers from fraud. Companies are also starting to look at other smart card applications. Microsoft Corp. is working with several other companies to develop open standards that integrate smart cards with computers, so that you could transfer money from your checking account onto a smart card using your PC. The smart cards also could be used make purchases over the Internet. Many people are afraid to use credit cards to buy things over the Internet because they're afraid their account numbers will get stolen. Yesterday, Mondex International Ltd. and CyberCash, Inc. announced an agreement to produce smart cards that will let consumers purchase goods over the Internet and download and transfer funds. In 1998 Wells Fargo plans to roll out a multipurpose card made by Mondex that will let people transfer money from their accounts to smart cards via computer. Such smart card technology will be like ''having an ATM in your own home,'' said Janet Hartung Crane, senior vice president for Wells Fargo. American Banker: Thursday, September 26, 1996 Checkfree Sees On-Line Banking Tripling in 1997 By JENNIFER KINGSON BLOOM Peter J. Kight, chief executive officer of Checkfree Corp., makes two predictions about on-line banking. He says that 1996 will be remembered as the year banks learned the power of the technology, and that the number of consumers banking through electronic channels will more than triple in 1997. The statements carry more weight than they would have a year ago, because Mr. Kight's company has transformed itself into a formidable force in the interactive banking market. Once known primarily as a processor of electronic bill payments, Checkfree has acquired four companies this year, giving it a soup-to-nuts line of electronic banking products and services. Behind the acquisitions lies Mr. Kight's vision of banking's future. "Every major bank in the country will be in the market with an electronic banking product within the next 18 months," Mr. Kight said. "It's following exactly the same curve as credit cards." For Mr. Kight, these developments represent the culmination of 15 years of hard work. Just last week, Checkfree announced an agreement to acquire the processing subsidiary of Intuit Inc., which will give it access to the latter company's Quicken product, its customers, and bank partners. "This is what I paid my dues for," Mr. Kight said. "This is what we built the company to do." On Wednesday, Checkfree announced partnerships with BellSouth, Capstead Mortgage Co., and the Small Business Administration. The arrangements will let the companies and the agency collect bill payments electronically. Mr. Kight founded Columbus, Ohio-based Checkfree in 1981, when he was 24. The previous year, he was managing a chain of fitness centers in the Southwest. While pondering the best way to sell health club memberships, he hit upon the concept of automatic monthly payments. At the time, only a handful of companies -- most of them insurance providers -- were collecting payments electronically. By 1982, a year after he set up his electronic funds transfer service company, Mr. Kight was named an "entrepreneur of the year" by Ernst & Young. Last year, Checkfree went public. This year the company has acquired Servantis Systems Inc. in Atlanta; Interactive Services Corp. in Portland, Ore.; Security APL in Bloomfield, Ill.; and Intuit Services in Downers Grove, Ill. "Each step, if you look at it, has been one to strengthen our position and our strategic capabilities," Mr. Kight said. Checkfree has kept its headquarters in Ohio, but the acquisition of Servantis' campuslike setting in Atlanta has begged the question of whether the offices might move. Intuit Services employees will remain in Illinois, where the work force likely will expand. Mr. Kight, 40, divides his time between Atlanta and Columbus and said he will decide within a year whether to initiate a formal move. The union of Checkfree and Intuit Services is something of a remarriage. Checkfree was the original processor of payments emanating from Quicken software before Intuit Inc. acquired National Payment Clearinghouse Inc. National designed the banking connections for the rival Microsoft Money personal finance package, and the rechristened Intuit Services Corp. went on to handle the lion's share of payments for PC banking customers. "Essentially, Intuit enabled Checkfree to really prove the efficacy of electronic bill payment," Mr. Kight said of the early days. "If it hadn't been for Intuit and the link of Checkfree and Quicken, we wouldn't have gotten to the point where we could prove to the banks that this really does work. "Even though the banks didn't like the fact that we and Intuit did that without them, at the time, they weren't doing it. So what we did is we proved it, to get them to pay attention." What followed was a fairly messy divorce, in which Intuit withdrew its business from Checkfree, and Checkfree sued Intuit for patent infringement. Mr. Kight said he managed to stay friendly with key Intuit executives. He and Scott Cook, Intuit's founder and chairman, had "a great deal of mutual respect," he said. The relationships proved central to the recent acquisition. A telephone call at the beginning of this year from Mr. Kight to Intuit chief executive officer William V. Campbell started the ball rolling. Mr. Kight said a news article about technology companies jockeying for position in electronic commerce prompted him to pick up the phone. He said he told Mr. Campbell: "You've got stress at your bill payment service, but you're growing like crazy. I'm growing like crazy. You're signing up banks, I'm signing up even more banks. Maybe if we work together ... and he said, 'I think you're right.' And that started it." Mr. Kight said he and Mr. Cook agreed each company would do best to focus on its core competency: Checkfree on transaction processing, Intuit on its software. "Part of Intuit's strategy didn't work too well, which was signing up more banks" for its processing service, Mr. Kight said. "But part of its strategy worked extremely well -- the power of Quicken working with the banks." The acquisition will boost Checkfree's bank customers to 181, and the number of individuals for whom it processes transactions to 1.2 million. Seeing 1996 as a turning point, Mr. Kight said he hopes bankers will accelerate their moves into electronic banking now that they have easier access to Quicken. Until now, banks that wanted to be compatible with Quicken had to become customers of Intuit Services. Checkfree's main competitor today is Visa Interactive. Looming on the horizon is Integrion Financial Network, a partnership of 15 banks and IBM. "Right now, we're 100% supportive of Integrion, but to the extent that Integrion chooses to work in our business, we'll be very tough competitors," Mr. Kight said. Mr. Kight and numerous industry observers are still trying to make sense of Integrion. Phoebe Simpson, an electronic commerce analyst at Jupiter Communications in New York, said: "It's going to boil down to Checkfree and Visa Interactive in the long run. It's yet to be determined whether Integrion plans to build an entire payment processing unit." But David E. Weisman, who covers the same ground for Forrester Research in Cambridge, Mass., said it will be a three-way race. He said "Checkfree's in good position here because they've got more volume" than Visa or Integrion. John A. Russell, chief spokesman for Integrion member Banc One Corp. in Columbus, Ohio, called the Intuit acquisition a "good move" for Checkfree -- of which Banc One is a longtime customer -- as well as a competitive boost. "It's key for Checkfree to do exactly what they're doing, and that's to get big quickly so they can realize the economies of scale in this manufacturing process," he said. Mr. Kight agreed that such economies of scale would serve his company well as on-line banking gains vogue. "I don't believe that the Internet is going to happen quite as fast as the Internet-focused people believe it's going to," Mr. Kight said. "I think there's going to be a trend toward banks providing more service to their customers (when they) can connect directly to the bank without the Web being involved. I think we're going to see that evolution over the next three or four years." But, Mr. Kight added, "I do believe that electronic banking is absolutely on a critical mass-adoption curve as we speak." Success and growth haven't changed Mr. Kight's down-to-business mentality. When asked how he celebrated last week's deal closing, Mr. Kight said, "By getting on a plane and flying to Chicago to meet with the ISC work force." --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps