
Agence France Presse: Tuesday, October 1, 1996

Swiss Socialists Call for Abolition of Banking Secrecy

BERN-- Socialist members of the Swiss parliament tabled a motion calling for abolition of banking secrecy to combat tax evasion, on Tuesday. The motion urged the government to act quickly to remove article 47 of federal banking law which lays down penalties of six months in prison and/or a fine of 50,000 Swiss francs (40,000 dollars) for any breach of banking secrecy. The penalties may be enforced against anyone who works, or has worked, in the banking sector. The law was approved in 1934 to protect people, notably Jews, being persecuted by Hitler's Nazi party in Germany who risked the death penalty for trying to protect their assets in foreign banks and other institutions. "At the time this law was adopted against the activities of the Gestapo (German Nazi police) I would have voted in favour," said member of parliament Jean Ziegler who tabled the motion in the name of the socialist group. "But today it has resulted in total protection and serves only to facilitate the flight of capital from the Third World and tax evasion." The intention was to enable Switzerland to "adopt the European norm" concerning banking secrecy, he said. Removal of the penalties would not in any way affect normal "commercial confidentiality", he said. Late on Monday members of parliament voted unanimously in the national council to set up an independent enquiry to investigate Switzerland's financial dealings, notably in gold, with Nazi forces before and during World War II and what has become of assets placed by the persecuted in bank accounts, and through insurance policies and lawyers. Banking secrecy is to be lifted for the members of this commission to enable them to investigate accounts in private banks and in the central bank.

International Herald Tribune: Tuesday, October 1, 1996

Waging Cyberwar: Is the World Ready?
Steve Lohr

It was the OPEC meeting in May 2000 that started the crisis. The oil-price hawks, led by Iran, demanded a sharp cutback in production to drive prices up to ''at least $60 a barrel.'' The stormy gathering of the Organization of Petroleum Exporting Countries ended on May 4, with a shouting match between the Iranian and Saudi Arabian oil ministers. Over the next two weeks, Iran and its allies mobilized troops and fired on Saudi warships. But they also unleashed an arsenal of high-technology weapons to try to destabilize the Saudi government and prevent the United States from intervening. A huge refinery near Dhahran was destroyed by an explosion and fire because of a mysterious malfunction in its computerized controls. A software ''logic bomb'' caused a ''new Metro-Superliner'' to slam into a misrouted freight train near Laurel, Maryland, killing 60 people and critically injuring another 120. The Bank of England found ''sniffer'' programs running amok in its electronic funds transfer system. And a ''computer worm'' started corrupting files in the Pentagon's top-secret force deployment data base. The opening scenes from a Hollywood script or a new Tom Clancy novel? No, these are excerpts from a role-playing game conducted last year at the government's National Defense University in Washington. The goal was to generate some serious thinking about ''information warfare.'' Today, there are a lot of people thinking seriously about information warfare, not only at the Pentagon and the CIA but also in the executive offices of banks, securities firms and other companies. Once dismissed as the stuff of science fiction, high-tech information warfare is fast becoming a reality. Defense and intelligence officials believe that enemy nations, terrorists and criminal groups either already have the capability to mount information warfare strikes or soon will.
Criminals are quickly progressing beyond the vandalism and petty theft associated with teenage hackers and into robbery and extortion schemes ranging up to millions of dollars, corporate executives and private investigators say. In the future, they fear, information warfare assaults could be made against commercial networks like the banking system or utilities in several states. Yet there is a heated debate among experts in this emerging field about whether the kinds of catastrophic incidents cited in the National Defense University war game are imminent threats or worst-case nightmares. ''A couple of years ago, no one took information warfare seriously,'' said Howard Frank, director of the information technology office at the Defense Advanced Research Project Agency, or DARPA. ''But the more you learn about it, the more concerned you become.'' Others reply that the worst threats mentioned are mostly speculation. ''Information warfare is a risk to our nation's economy and defense,'' said Martin Libicki, a senior fellow at the National Defense University. ''But I believe we will find ways to cope with these attacks, adjust and shake them off, just as we do to natural disasters like hurricanes.'' Experts on both sides of the debate do agree that the growing reliance on computer networks and telecommunications is making the nation increasingly vulnerable to ''cyber attacks'' on military war rooms, power plants, telephone networks, air traffic control centers and banks. John Deutch, the director of Central Intelligence, told Congress in June that such assaults ''could not only disrupt our daily lives, but also seriously jeopardize our national and economic security.'' ''The electron, in my view,'' Mr. Deutch warned, ''is the ultimate precision-guided weapon.'' Last July, President Bill Clinton created a Commission on Critical Infrastructure Protection to craft a coordinated policy to deal with the threat. 
Within the government, information warfare tactics and intelligence are highly classified issues. But the CIA has recently created an Information Warfare Center. And the National Security Agency intends to set up an information warfare unit staffed by as many as 1,000 people, with both offensive and defensive expertise, as well as a 24-hour response team, according to a staff report by the Senate Permanent Subcommittee on Investigations, which was initiated by Senator Sam Nunn, Democrat of Georgia. This budding warfare industry is an eclectic field indeed, ranging from computer scientists whose work is funded by the government to hackers-for-hire who specialize in theft, extortion and sabotage. In his Senate testimony, Mr. Deutch said the CIA had determined that cyber attacks are now ''likely to be within the capabilities of a number of terrorist groups,'' including the Hezbollah in the Middle East. The weapons of information warfare are mostly computer software, like destructive logic bombs and eavesdropping sniffers, or advanced electronic hardware, like a high-energy radio frequency device, known as a HERF gun. In theory, at least, these weapons could cripple the computer systems that control everything from the electronic funds transfer systems of banks to electric utilities to battlefield tanks. For the military, information warfare raises the prospect of a new deal for America's adversaries. Cyberwar units could sidestep or cripple conventional weaponry, undermining the advantage the United States holds. ''Even a third-tier country has access to first-class programmers, to state-of-the-art computer hardware and expertise in this area,'' said Barry Horton, principal deputy assistant secretary of defense, who oversees the Pentagon's information warfare operations. 
''There is a certain leveling of the playing field.'' In the business world, the reported hacker activity to date is mostly stealing credit card numbers, vandalizing software or harassing Internet service companies. Citibank got an alarming brush with the problem two years ago, when a Russian computer hacker tapped into the bank's funds transfer system, taking more than $10 million. Citibank will not discuss the case, but investigators say the bank recovered all but $400,000. Major breakdowns caused by computer intruders have not yet occurred. But there is evidence that more sophisticated hackers are now at work. Science Applications International Corp., a defense contractor and technology security firm, surveyed more than 40 major corporations who confidentially reported that they lost an estimated $800 million due to computer break-ins last year, both in lost intellectual property and money. Private investigators and bankers say they are aware of four banks, three in Europe and one in New York, that have made recent payments of roughly $100,000 each to hacker extortionists. The bankers and investigators would not name the banks, but the weapon used to blackmail the banks was a logic bomb - a software program that, when detonated, could cripple a bank's internal computer system.

Time: October 7, 1996

Cyber Vending Machine: Cash on the Internet

By MICHAEL KRANTZ

It is a truth universally acknowledged that an infant media-distribution network in possession of a large audience must be in want of a way to cash in on it. Case in point: the World Wide Web, the interconnected computer universe that teems with affluent consumers whose only means of spending money online is to surrender their credit card to insecure networks--hardly a recipe for success. This week CyberCash, based in Reston, Virginia, launches a product that could change all that, and turn the Web into one giant vending machine.
The company's CyberCoin system will allow online "microtransactions" of as little as a quarter. "We think," says an exuberant Larry Gilbert, CyberCash's vice president and general manager, "it's going to be the core of electronic commerce on the Internet." Here's how the system works: starting this week, you'll visit the CyberCash Web site, download an empty electronic wallet onto your hard drive and register it with the company (if your own bank signs up with CyberCash, it will offer you its own self-named wallet). The software acts like an ATM, allowing you to transfer $20 to $100 from your bank into your wallet before heading off onto the Web. When you reach a site that accepts CyberCash, you can spend your money by using either your credit card or CyberCoins. For online entrepreneurs, these 'coins,' digital markers of your money, could be the magic bullet that makes commerce viable on the Web. Suppose that, say, a certain TIME writer wants to promote his short stories online. Putting them on a Web site is a breeze. But suppose he wants to charge readers 50¢ a story? Nobody's going to fork over a credit-card number for that. CyberCoins could let thousands of such harebrained Web schemes bloom. Take Worbble, a multiplayer word game created by Headgames Inc. of Edmonton, Alberta, that is set to hit the Web next week. From five to 2,000 players at once will look for words hidden in a 3-by-3 grid; the first player to find each word will win $10 to $60. The entrance fee: one buck. The currency: CyberCoin. "The product fits our marketing strategy like a glove," says Headgames president Ray Speichert. That's music to CyberCash, whose revenue will come from usage fees, just like those of credit-card issuers. "On a 25¢ transaction," says Gilbert, "we'll charge the bank 6¢, and they'll charge the merchant 8¢."
As transaction sizes go up, they'll get a much smaller percentage; still, over millions of users, CyberCoin profits could add up to big bucks. Inevitably, the company will have company. CyberCash launches CyberCoins with a respectable roster of partners: some 30 Web hosting companies will offer CyberCash to their client sites, and by year's end CyberCash expects about 100 Web sites to take them up on it. Initially six banks will offer electronic wallets to their customers, including the Charlotte, North Carolina-based First Union, the nation's sixth largest. "There's an obvious niche for 'coin' payments on the Internet," says Parker Foley, First Union's director of electronic commerce. "CyberCash is the first company to have their model together." But most banks are sitting out this round, notably Citibank, which is developing its own E-money software. And numerous start-ups are readying entries in the online commerce sweepstakes. And that can only mean transaction fees will drop quickly, just as they have in nearly every software-driven business extant. Is cybercash safe from hackers and outright criminals? Last fall the Bank of International Settlements appointed a task force to examine security issues for E-money products like CyberCoin. The group, headed by Israel Sendrovic, an executive vice president at the Federal Reserve Bank of New York, reviewed a raft of upcoming 'smart card' and/or software-based products. Its report, released early this month, conveys guarded optimism. "These systems are much more secure than credit cards," says Sendrovic. "There's no single

American Banker: Friday, October 4, 1996

Banks Like Export Plan for High-Power Encryption

By DREW CLARK

Bank technology experts have reacted favorably to the Clinton administration's proposal to liberalize the development and sale of strong data security tools. This week, the government said it would lift export restrictions on certain kinds of cryptography, provided U.S.
companies agree to cooperate with a procedure that would give law enforcement officials access to the "keys" of such codes, upon presentation of a warrant. Banks were heartened by the announcement because many view the widely used Data Encryption Standard -- a low-level form of data scrambling -- as inadequate protection against the rising computer power of so-called hackers. Though banks can use a complex 56-bit data encryption key for financial transactions, sensitive communications with overseas branches are limited to a less powerful 40-bit standard. Banks hope that a loosening of restrictions in general will benefit them, too. "This policy announcement is better than anyone expected," said Kawika M. Daguio, federal representative at the American Bankers Association in Washington. "It is gravy for us, but it's the meat and potatoes for the hardware and software industries." "Banks probably won't be adversely affected," said Stewart A. Baker, a partner at Steptoe & Johnson, a Washington law firm, "and they will be left pretty much where they were before." The announcement by Vice President Al Gore said that controls over powerful encryption technology would be lifted as the government and private sector develop a "key recovery" system. (International Business Machines Corp. already has stepped forward to head a consortium dedicated to creating such a system.) Current law forbids the export of computer hardware or software that uses cryptographic codes with digital "keys" -- randomly generated combinations of 0's and 1's -- longer than 40 bits. The longer the key length, the more impenetrable the code. For three years, the government has said it would permit the general use of more complex cryptography only if the companies using it placed their keys in the hands of the government or a third party.
"Key escrow," as it is known in the technical community, is needed in order to prosecute people who have stored evidence of illegal activity on the hard drive of a computer, officials argued. But the private sector -- banks included -- have balked at handing over such access to any third party. The disagreement gave rise to a compromise system known as "key recovery" in which companies would hold their own keys but could be required to divulge certain information about specific transactions when presented with a court order or warrant. "What is novel is that it doesn't escrow any keys," said Homayoon Tajalli, executive vice president of Trusted Information Systems, Glenwood, Md., one of IBM's consortium partners. "If the government comes and gets this data with a court order," explained Mr. Tajalli, "then they take a digital lockbox from the third party or parties that hold it, and they read the message." Kathy Kincaid, director of information technology for IBM, said the difference between key escrow and key recovery is analogous to the following approach to securing a house when its owner goes on vacation: Instead of giving a key to two neighbors, the owner gives each neighbor half the combination to a lockbox that holds the key. "You must have both halves and put them together in exactly the right sequence," said Ms. Kincaid. "This provides protection against a single point of attack." Companies participating in development of key recovery systems include: Apple Computer Inc., Digital Equipment Corp., Groupe Bull, Hewlett-Packard Co., NCR Corp., RSA Data Security, Sun Microsystems Inc., Trusted Information Systems, and United Parcel Service. And a government official said banks may even play a role. "Banks have really taken a leadership role in the responsible management of cryptography," said a senior Clinton administration official who asked not to be named.
"Banks are already doing what we want other organizations to do: safeguarding their keys and providing them, when necessary, to law enforcement." Heidi Kukis, a spokeswoman for Vice President Gore, said: "This key recovery system is the proper balance between commercial interests and national security." But not all agree. Some argue that the key recovery system still gives the government too much control over information flow. "Providing 56-bit encryption with key recovery doesn't help us," said Netscape spokeswoman Chris Holton. "The government is saying that you can export it but you have to provide us with the keys. We feel that is extortion on the part of the government." "We are making the best of a bad situation," said Scott Schnell, vice president of marketing for RSA Data Security. "The bottom line is that the standard proposed by the government is an insubstantial step in the right direction," he said. "We want to make sure it is usable and prepare for the day that products will be available that do not have this key recovery situation." The government's announcement came three months after a National Research Council report on the role of cryptography in an information-oriented society. The report encouraged liberalization of government standards and questioned the feasibility of the key escrow system then favored by government. "We raised the issue about the security of key escrow systems," said law professor Kenneth W. Dam, chairman of the body that prepared the report, "and we said the government should work on it." "I take it this is an attempt to move in the way of key escrow, with the help of industry," said Mr. Dam.

Reuters: Sunday, October 6, 1996

Dutch Banks to Be First with Smartcards

By Lucas van Grinsven

AMSTERDAM-- Dutch banks are poised to become the first in the world to introduce computer smartcards on a nationwide scale this year, eventually giving 15 million people the possibility of living their lives without cash.
Dozens of smartcard trials are being carried out across the globe and industry pundits forecast billions will be in circulation at the beginning of the next millennium, but it's the Dutch who lead the field. Undeterred by union warnings of thousands of job losses in the sector, Dutch banks will start issuing smartcards to their clients this month and by October 1997 all 15 million people in the Netherlands will have access to them. The Dutch smartcards are not just reloadable cash cards but can also be used for on-line bank transfers, retail loyalty schemes such as airmiles, teleshopping and ticket reservation. A Dutch consumer can store small amounts of cash on a card which can be used even for purchases such as ice cream or bus fares. The money will be transferred from the card to the retailer's account without costly on-line links via the bank. More expensive articles will ideally be paid on-line, validated by the client's secret four digit individual code. Smartcards can be loaded at "cash dispensers," but by the end of 1996 topping up will also be possible at home via smartphones or cheap "home-loaders" connected to an ordinary telephone. "The Netherlands is forerunner. We're the first country to introduce smartcards on a national scale," said a spokesman for the Dutch "Chipknip" consortium. There will be two types of Dutch smartcards, issued by two groups of banks, Rabobank and ABN AMRO on one side with their "Chipknip," and Postbank and PTT Telecom on the other with the "Chipper." "Our card has slightly more computer memory which will make payment transactions more secure," said the Chipknip spokesman. The Chipper consortium on the other hand claims its card has a multifunctional character. "It's a services card. You can also use it to book cinema tickets and then go to the theatre where your card is checked at the entrance for identification. You don't need a physical paper ticket anymore," a Chipper spokesman said.
Chipknip says such applications will also be possible with their card in the near future. In a bid to avoid a battle of standards, Chipknip said it planned to offer all Postbank customers their type of smartcard. "This country is too small for two different standards," an ABN AMRO spokesman said. The computer chips on the current generation of smartcards can hold as much as four densely-typed A4 pages of information, but the industry keeps expanding capacity in the fight for this potential multi-billion dollar market. The more information that can be stored on one card, the fewer smartcards consumers will have to carry. Trials in the U.S., such as one carried out in Atlanta at this year's Olympic Games by Visa, focus on payment transactions. The Spanish and French governments will launch smartcards on a huge scale next year to make health care and social security safer and more efficient. People will carry their medical or social records on a card. Public transport is another area for smartcards as they reduce ticket sales time and fare-dodging. Contactless fare collection is currently pioneered in the South Korean capital, Seoul, using systems developed by Mikron Identification, an Austrian company which was bought by Philips Electronics in 1995 and which also runs pilots in Sydney. Smartcards are also used to personalise GSM telephones, computers and pay-television. Although the first smartcard was developed as early as 1977 by Motorola and Bull for a bank in France, the home of the smartcard, they are only now catching on, but without one standard leading the industry. The choice of an encryption method to ensure safety is still being debated as is the method for contactless reading. The battle over smartcard technology and licence fees is being fought between a few companies, giants such as Motorola, Bull, Philips, Visa and Mastercard but also LSI, Thomson and specialised France's Gemplus and Britain's Mondex.
But Dutch banks and retailers, who will have to carry most of the infrastructure costs, will not wait for a single standard despite higher costs of adapting to different systems at a later stage. The immediate cost advantages are far too clear.

---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps