New York Times: Monday, October 21, 1996 Israelis Cite New Risk To Electronic Data Security By JOHN MARKOFF Two of Israel's leading computer scientists say they have found a way to more easily decode and then counterfeit the electronic cash ``smart cards'' that are now widely used in Europe and are being tested in the United States. The researchers have begun circulating the draft of a paper that points out higher security risks than those discovered last month by scientists at Bell Communications Research. The Bell researchers had reported that it might be possible to counterfeit many types of the ``smart cards'' that are being tested by banks and credit-card companies, including Visa and Mastercard. The two Israeli scientists, Adi Shamir, a professor at the applied mathematics department at the Weizmann Institute, and Eli Biham, a member of the faculty of the computer-science department at the Technion, reported that in addition to the so-called public key coding systems that were found vulnerable by the Bellcore team, private key data coding systems such as the American Data Encryption Standard, or DES, can be successfully attacked if a computer processor can be made to produce an error. The two Israelis made a draft of their research available via the Internet on Thursday. In their paper the two wrote, ``We can extract the full DES key from a sealed tamperproof DES encrypter'' by analyzing fewer than 200 encoded messages. Both public key and private key data-scrambling methods are based on the difficulty involved in factoring large numbers. A public key system permits two parties who have never met to exchange secret information. A private key system requires that a secret key be exchanged beforehand. Data-coding experts said that the new Israeli method might be a more practical system than the previously announced Bellcore method, because unlike public keys, which are frequently used only once per message, a private secret key may be used repeatedly to scramble electronic transactions. ``This seems a lot closer to something that might actually be used,'' said Matt Blaze, a computer researcher at AT&T Laboratories. Smart cards have been promoted as tamperproof, which is why computer scientists at Bellcore, one of the United States' leading information-technology laboratories, sounded the alarm last month, saying that a savvy criminal might be able to tweak a smart-card chip to make a counterfeit copy of the monetary value on a legitimate card. Executives at smart-card companies said at the time that the attack was theoretical and that it would be impossible to make a smart card generate an error without actually destroying the card. However, Biham responded that he believed such hardware attacks were possible. The cards are generally damaged by means of heat or radiation, which causes the computer chip in the card to generate an error, which the Israeli scientists used to obtain the code key and copy the card. ``I have ample evidence that hardware faults can be generated without too much difficulty,'' he said in an electronic-mail message. ``As a consultant to some high-tech companies, I had numerous opportunities to witness successful attacks by commercial pirates on pay-TV systems based on smart cards. ``I know for a fact that some of these attacks were based on intentional clock and power-supply glitches, which can often cause the execution of incorrect instructions by the smart card.'' Other researchers said that the class of attacks demonstrated by the Bellcore team and the Israelis had been known by some members of the tightly knit community of cryptographers for several years, but the results had not been published. ``Some of the smart-card manufacturers are well aware of this flaw,'' said Paul Kocher, an independent Silicon Valley data-security consultant. ``But it doesn't mean that they have fixed it.'' American Banker: Monday, October 21, 1996 Bank Regulations Are No Obstacle to E-Money Ventures BY THOMAS P. VARTANIAN Banks and holding companies have three strategic alternatives for delivering new electronic products and services to customers: They can develop them through internal expansion; acquire, whole or in part, companies that provide them; or enter into joint ventures, networks, alliances, and partnerships. Experts seem to believe the third approach provides banks with the optimal array of business opportunities. But successful technology ventures require a blend of business skills, savvy instincts, and an understanding of the legal pitfalls. Venture partners must be compatible in strategic goals, competitive vigor, geography, cultural affinity, and social constitution. As the trend toward technology-driven ventures develops, so must regulators correspondingly expand their views of what constitutes permissible banking activities. As they do, and as Internet commerce and electronic money transform the nature of banking relationships and money, banks and bank holding companies should constantly evaluate how investments in subsidiary corporations, partnerships, joint ventures, and limited-liability companies may facilitate their strategies to remain technologically competitive. In January 1996, the Office of the Comptroller of the Currency explained its current position regarding the ways in which the operating subsidiaries of national banks may co-venture with nonregulated entities in the development and delivery of new technological products and services. In that decision, the OCC approved the contribution of a merchant credit card business by a group of affiliated national banks to a technology company, in exchange for a collective 40% equity interest in that company. Other initial shareholders in the transaction included a venture capital fund, a telecommunications company, and management of the company. The newly formed operating subsidiary planned to complete a public offering and further reduce the banks' ownership interests subsequent to this initial transaction. Similarly, the OCC approved in March a national bank operating subsidiary's participation in a joint venture that was 50% owned by 31 depository institutions, including four national banks. The venture was to provide automated teller machine and point of sale services to depository institutions in the northwest United States and western Canadian provinces. It also would operate a transaction switch, transmit information to other networks pursuant to gateway agreements, provide ATM and POS-related services to owners and members, and furnish net settlement information. These authorizations reflected a flexible approach to two critical factors: the list of activities that national banks may legally engage in; and the manner in which they can be so engaged. With respect to the latter point, the OCC will make exceptions to its traditional requirement that national banks control at least 80% of their operating subsidiaries and permit minority investments in subsidiaries if certain conditions regarding the activities and independence of the subsidiary are met. The OCC seems to recognize such subsidiaries will be a necessary vehicle for national banks to remain competitive in technologically driven markets. The Board of Governors of the Federal Reserve System is similarly accommodating. On May 21, it authorized Cardinal Bancshares to acquire Five Paces Software Inc. through a wholly owned thrift subsidiary, Security First Network Bank, and thereby engage nationwide in data processing activities relating to financial services over the Internet. The Fed noted that all of Five Paces' data processing and transmission activities "are provided in connection with transactions in accounts maintained by a financial institution. " The agency had previously determined that "the development, production, and sale of software that allows a customer to conduct banking transactions using personal computers (is permissible because it) is closely related to banking." On Feb. 6, the Fed approved the acquisition by Royal Bank of Canada of 20% of the voting shares of Meca Software LLC. The Fed relied on Section 225.25(b)(7) of Regulation Y, which permits bank holding companies to provide data processing and data transmission services, facilities (including software), data bases, or access to such services, facilities or data bases by any technological means, so long as the data to be processed or furnished are "financial, banking or economic in nature." Interestingly , the central bank disregarded the fact that Meca conducted nonfinancial activities. It concluded that those software products -- including games, computer security programs, a medical reference library, and a program providing basic legal forms -- did not have dedicated employees or resources, produced only 7% of the company's revenues and would not be upgraded, enhanced or promoted. Therefore, they would not preclude approval. Similar limitations on nonfinancial data processing and transmission services facilitated the Fed's approval of a de novo subsidiary of Compagnie Financiere de Paribas on Feb. 26 to produce integrated billing software programs for digital mobile telephone networks. It remains to be seen how the Federal Reserve or the OCC will respond to requests to engage in technological activities that are not directly financial, banking, or economic in nature. However, the agencies seem to be signalling a willingness to be expansion-minded. The Fed issued an order July 1 allowing four banks in Ohio and Pennsylvania through their ATM affiliate, Electronic Payment Services Inc., to provide data processing and other services relating to the distribution of tickets, gift certificates, prepaid telephone cards, and other documents. Proposals regarding joint ventures in electronic money, smart card systems, and PC hard-drive currencies are pending. The regulators are becoming attuned to new types of regulatory issues and concerns. For example, in its Cardinal Bancshares order, the Fed said it expects acquisitions such as Five Paces to "enhance consumer convenience by expanding the availability of electronic banking services and by making those services available in new ways." But it warned that defects in security policies or procedures would be considered unsafe and unsound banking practices because of the risks associated with the provision of services over the Internet. Not since Jesse James was practicing his entrepreneurial skills has bank security become such a regulatory concern. Since no human can exist in cyberspace, and identification and verification of parties over the Internet may be subject to manipulation, the Fed is clearly telling banks to take prudent steps and utilize state-of-the-art cryptography to discourage and prevent computer break-ins, counterfeiting, theft of accounts and identities, systemic attacks and informational warfare. A fair enough admonition -- one that many banks can satisfy only by working with partners and unaffiliated entities. But entrepreneurial business venturers do not mix easily with regulation. While a bank's joint-venture partner may be a high-quality technology company, it may not be accustomed to the kind of regulatory examination, intervention, and enforcement that banks know. This issue must be resolved at the inception of a joint venture to avoid subsequent disputes. Given the way current laws work, nonbanks may want to join with a bank holding company affiliate rather than a bank subsidiary to avoid the liability that can attach to an "institution-affiliated party," such as a subsidiary of an insured bank. Traditional concepts of due diligence will also have to be substantially augmented and modified to adequately evaluate businesses in cyberspace. No longer will physical reviews of corporate documents and officer interviews suffice. Bank acquirers and co-venturers will have to thoroughly consider the extent to which electronic breaches, theft, counterfeiting and manipulation of systems have occurred or can occur. Given the ever-increasing technological capacity available to cyberspace pirates, security protocols will have to efficiently accommodate new generations of technological upgrades. Off-line, unaccountable smart cards may have to be upgraded by the originator or issuer through virus- like transmissions spread card-to-card and card-to-terminal. Similarly, the encrypted identifying marks of electronic money may need to be regularly reformatted in order to limit the amounts that can be counterfeited or duplicated. In the intellectual property area, an acquired or co-ventured technology business may only be worth what it costs if the products and services and their underlying software and programs are adequately protected or protectable under copyright, trademark, and patent laws. Given the dizzying rate at which such filings are occurring in electronic banking and commerce, it is equally critical to determine that any technology, products, or services being acquired do not violate pending or issued licenses in any jurisdiction in the world. The Internet is a worldwide marketing mechanism, and users will have to consider the laws and customs of a multitude of jurisdictions -- even those where they may never have done business or intended to do business. In any joint venture, affiliation, or alliance, the contracting parties must determine who "owns" the customer. But in the world of cyberspace, where traditional identities and boundaries no longer apply, ownership and access issues will be even more important, particularly when a venture is unwound or dissolved. Banks have traditionally sought to share information between and among affiliates for marketing purposes. Where the affiliate is not a controlled subsidiary, however, such sharing may be problematic and even illegal under state privacy laws. As electronic commerce and smart card products begin to be introduced and gain acceptance, certain brands will naturally become more prominent and recognized. Unlike the branding issues that are important to companies in the consumer products area, these electronic products will have to fight for market share among consumers who put a premium on confidence and trust. Banks will have to find ways to continue to accommodate the financial as well as emotional elements of the relationship that exists between an individual and his or her money. Brands and logos that evoke confidence and trust will be extremely valuable, and should be treated accordingly in the business ventures that develop. Technology co-ventures must have workable and verifiable policies and procedures concerning disaster recovery. How an organization deals with traditional crashes, power losses, and breaches will indicate its capability in this area. No financial institution that relies on public trust and confidence can tolerate the loss of business information or customer data, particularly if it keeps customers from their money, electronic or otherwise, for some period of time. Odds are that many banks will not be able - or prefer not - to "go it alone." The landscape is already filled with dozens of alliances and joint ventures, and the business is still in its infancy. At the same time, banks should not be too quick to dilute or share their long-standing consumer trust and confidence. They have as much to give as they do to gain in technology joint ventures, and they should negotiate accordingly. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps