Copyright violations

[Ronald Raygun Remailer]

Happy New Year.


Associated Press: Monday, December 23, 1996
 
Three Credit Card Firms Seek To Promote Internet Shopping 
 
Three credit card companies on Monday announced an agreement on chip card

standards in an
effort to promote shopping on the Internet. 
 
Europay International, MasterCard International and Visa International
said in 
a statement that they'll
integrate in chip bank cards a technology developed for safe electronic 
payments. 
 
The agreement is based on the Europay-MasterCard-Visa specification,
which 
established the
financial industry's first global chip card payment infrastructure, and
on 
MasterCard and Visa's
Secure Electronic Transactions specification for magnetic stripe-based
card 
transactions. 
 
Guido Heyns, director of 'smart card' development at Europay
International, 
said in the statement
that the Belgium-based company believes chip cards are the most secure
and 
consumer-friendly
solution for making payments on the Internet. 
 
Steve Mott, senior vice president of MasterCard International, agreed. 
'Consumers and merchants
want to conduct transactions over the Internet in a safe manner. By
integrating 
chip and electronic
commerce technologies, we are offering them the opportunity to do so as
quickly 
and practically as
possible.' 
 
An open comment period on the new standard will begin in the third
quarter of 
1997, according to
the statement. 
 

 
American Banker: Monday, December 23, 1996
 
As the Technology Advances, Security Debate Still Rages
 
By JEFFREY KUTLER
 
In one of the more startling public statements by a banker in 1996,
Citicorp 
chairman John Reed
said it would take two generations -- 50 to 70 years -- for on-line
electronic 
banking to gain full
public acceptance. 
 
Taken out of context, his remarks to a Treasury Department conference on 
electronic money
sounded like an invitation to complacency, or a dose of disinformation
from one 
of the world's more
aggressive purveyors of electronic financial services.
 
But Mr. Reed chose his words carefully, citing a lesson learned from his 
30-plus years at Citicorp:
Banking markets, and society generally, take time to change. He seemed to

suggest that
high-technology advocates can become so enthralled with the elegance of
their 
systems and
convinced of their viability that they overlook the most common of all 
constraints: consumer
behavior.
 
"Privacy and security are at the top of the list" of consumers' concerns,
the 
Citicorp chief executive
said. "They won't deal with anyone who doesn't give them assurance."
While 
"some early innovators
will be your electronic banking customers," he said, "the average
consumer is 
not there yet and isn't

going to be there" for some time. "This is not a question of economics or

efficiency. It is a question of
trust. The consumer will have to trust you. The Internet is fundamentally

flawed in that regard."
 
Essentially alone among the major U.S. banking organizations, Citicorp
has been 
openly wary of
Internet security and refrained from joining the rush to interactive
banking 
and monetary transactions
via the World Wide Web. Mr. Reed and his senior technology officer, Colin
Crook,
 have publicly
expressed interest in and enthusiasm for the Web but not yet for
transactional 
purposes.
 
When Mr. Reed was asked during the Treasury conference in September when
Citi 
would offer
Internet banking, he replied, "Not until it's secure." "There is no
absolute 
security," said Mr. Crook,
perhaps the only banker raising concerns about an "information warfare"
attack 
on the banking
system. "It is a risk management issue."
 
The Citibankers contend the risks of cyberspace are fundamentally
different 
from those in other
payment systems, and have yet to be addressed.
 
"Security will be more demanding than even the government itself is used
to," 
Mr. Crook said at the
Treasury meeting
 serves more customers via personal computer than any other, through 
conventional dial-up
connections and with software it developed more than a decade ago. 
 
Citibank also has placed a bet on a digital currency for on-line
transactions, 
the invention of one of
its own vice presidents, Sholom Rosen. The bank claims it will be more
secure 
than competing
alternatives like Cybercash Inc.'s Cybercoins, Digicash Inc.'s Ecash, and
the 
Mondex
smart-card-based system.
 
Putting considerable prestige and intellectual firepower behind its
cautionary 
principles, and behind
the notion that the issuing of electronic currency should be reserved for

regulated financial
institutions, Citicorp has kept alive a debate that is likely to resound
for 
months if not years in public
policy circles, with effects not just on the battle for technical and 
competitive superiority but on the
very consumer behavior Mr. Reed is trying to gauge.
 
Consider some recent twists and turns: The U.S. government continues to 
struggle toward a policy
on data encryption, the technology crucial to on-line transaction
security, 
that would be agreeable to
the high-tech community while addressing national security and law
enforcement 
concerns.
 
A May 1996 report by the National Research Council of the National
Academy of 
Sciences --
Citicorp participated in and vocally endorsed the study -- criticized the

government for being
backward with its restrictions on encryption, particularly regarding its
export.
 (See related article on
page 14A.)
 
Hewlett-Packard Co. in November announced its International Cryptography 
Framework, the first
"strong encryption" method to get U.S. export clearance. While the
framework is 
adaptable to
various and changing government policies, it did not fully resolve the 
controversial issue of access to
encryption keys. 
 
An information security team at the National Security Agency produced a 
monograph (excerpted at
left) critical of the degree of anonymity built into Digicash's Ecash.
The NSA, 
of course, is part of the
establishment attacked in the National Research Council report.
 
Digicash and Mondex, which is being taken over by MasterCard
International, 
continually trade
charges about their degrees of anonymity and security. Both sell
anonymity of 
payments as a
necessary analogue to cash. In that Digicash's anonymity appears more
absolute, 
it may raise more
governmental concerns. But Digicash, the brainchild of the renowned 
cryptologist David Chaum,

accuses Mondex of not being "true electronic cash." 
 
First Virtual Holdings Inc., an Internet payment pioneer, does not trust
Web 
security; its transaction
data flow instead over private E-mail. By contrast, Cybercash Inc.
chairman 
William Melton is so
confident of the available technology that he tells bankers: "Security is

essentially done. Just tell your
customers, 'Don't worry, we'll take care of it.' " (He is more worried
about 
privacy as a political
flashpoint.)
 
Enter the central banks of the Group of 10 industrialized countries, the 
constituents of the Bank for
International Settlements in Basel, Switzerland. This august global
regulatory 
body has signed off on
a moderate, largely laissez-faire approach to the electronic evolution of
money.
 
 
A task force empaneled by the G-10's payment and settlement systems
committee, 
which is headed
by Federal Reserve Bank of New York president William McDonough, spelled
out 
its conclusions
in a 64-page booklet, "Security of Electronic Money," dated August 1996. 
 
The task force was generally impressed by existing security capabilities,

particularly those
incorporating hardware components like smart cards. The report took the 
eight-member task force
less than a year to complete. 
 
Chairman Israel Sendrovic, the New York Fed's executive vice president of

automation and systems
services, asserts that this was no rush to judgment. He personally did
due 
diligence on all of what he
calls "the usual suspects" -- the electronic money schemes not mentioned
by 
name in his report (but
presumably in this article).
 
In a recent interview, Mr. Sendrovic stressed that there are no
absolutes. 
"There is no such thing as
one secure measure," he said. "It's a combination of measures, and the 
combination of measures
changes the risk management of an attack."
 
His measured response to a lot of questions - pertaining to money
laundering or 
the market potential
of electronic currency and how it is to be regulated -- was, "It
depends." He 
did say, in response to
the recent flurry of questions about smart card security emanating from 
Bellcore and other research
laboratories, that the cards were advertised as "tamper-resistant, not
tamper- 
proof." 
 
Mr. Sendrovic said his panel has disbanded, satisfied with its work and
having 
gotten positive
feedback. "Then again, it didn't break new ground," he said. "Remember,
it was 
designed not for the
cognoscenti but for the Group of 10 governors. 
 
"We stay in close touch and follow these things," he said of the task
force, 
adding that it may have
cause to renew its inquiry in a year or two. Though the task force
acknowledged 
"comprehensive
security risk assessments of the entire system" are still lacking, it
said they 
are within reach. 
 
And its words lacked the alarm or urgency of, say, the Citicorp
contingent. 
Sholom Rosen, inventor
of Citibank's Electronic Monetary System, characterized the risks as
"very 
high" and not yet fully analyzed. Digital cash gains legitimacy when it
is interchangeable with other  forms of money, he said, but its
interactions with those systems -- how an attack on one mechanism would 
affect others -- must be studied.
 
And he said he believes the answers do not lie in technology alone but in
the 
fundamentals of the "three pillars of security" -- prevention, detection,
and containment. Where Mr. Rosen sees enormous hazard, Mr. Sendrovic
retains faith in barriers to entry, as might be  expected of someone who
has worked with the dependable Fed Wire for many years.
 
To be legitimate, electronic money "has to be cleared," he said. "At some
point  it has to get into the payment system." Is "the payment system" at
risk of infection from the new  forms of money? Based on what we know so
far, it depends.
 

 ABA Banking Journal, 12/96

SMART CARDS POSE TAX PROBLEM FOR MERCHANTS  

A consensus is emerging that the success of smart cards hinges at least
as much on merchants accepting them as on consumer acceptance. Increased
tax liability is one reason for merchants' muted enthusiasm -- besides
the fact that merchants are the only ones so far being asked to pay for
using smart cards."There's a resistance to forms of payment besides
cash," said Bruce Brittain, whose firm Brittain Associates, Inc., polled
merchants that participated in the smart card test during the 1996 Summer
Olympics in Atlanta. Some merchants admitted to understating their cash
receipts so as to reduce their tax burden, he said. (Smart cards leave an
electronic audit trail by recording deductions in card value each time
merchandise is purchased.)  On the flip side, franchisors may push for
the adoption of smart cards in their stores, since some Atlanta operators
told Brittain, "We want to collect more fees from our franchisees." (The
franchisor's cut of the receipts will be reduced if the franchisee
understates his receipts.) Other sources said they heard the same thing.
The wish to under report receipts may pose a greater obstacle to smart
cards when they undergo their next major test in New York City next year,
because more "Mom and Pop" stores will be participating, Mr. Brittain
said.