American Banker
Thursday, February 27, 1997
page 13

Web possibilities make security people insecure

by Jeffrey Kutler and Wendy S. Mead

Consumer resistance isn't all that bankers must overcome to make Internet services a reality.

They also have to contend with their own industry's security experts. And when bank security people ponder the implications of a mass market in on-line banking and commerce, as they did at a conference in New York last week, sparks can fly.

The security community, already stirred up about scary new possibilities for attacks against established computer networks, isn't quite ready to give newer developments like stored-value cards and digital cash a clean bill of health. That might be good news for the promoters of the next wave of interactive banking. They have time to do their system building. The watchdogs who might slow them down have more immediate worries.

Electronic sabotage, for one. Or information warfare that might be launched against the United States by way of its financial system. Or what computer security experts refer to as a "denial of service" attack-perhaps by a hacker who finds a way to shut a financial institution's virtual doors, or by forces beyond the institution's control that cut or disable telecommunications lines. The hazards are heightened as banks become increasingly dependent "upon the Internet as a transport mechanism to provide both revenues and profits", said Winn Schwartau, president of the Seminole, Fla., consulting firm Interpact Inc. and author of "Information Warfare", a definitive book on the subject. "If your lines are busy, not necessarily only for hours but for days, what happens to customer confidence?", said Mr. Schwartau, who served as chairman of the National Computer Security Association's International Banking and Information Security Conference.

One of his slides showed a Web page that enabled its visitors to send anonymous E-mail bombs, which overwhelm recipients with hundreds or thousands of messages. The page provided a space to type in "terrorist demands".

Mr. Schwartau showed "a collection of increasingly hostile applets", which he described as "specific harassment tools designed to shut down Web servers".

No banks yet are known to have been disabled or paralyzed by mail bombs or terrorist applets. That may be because the Internet isn't yet where much money is.

But several references were made to "the Citibank case", an infiltration by Russians into the bank's wire transfer operation. It did more symbolic than monetary damage, but was seen as a sign of threats to come.

David Luther, president of the Security First Technologies network security division, the group responsible for the many layers of security safeguarding Security First Network Bank on the Internet, said his system has detected only a series of amateurish nuisance attacks.

Frank Trotter, senior vice president of Mark Twain Bank in St. Louis, the first in the Americas to test Digicash Inc.'s Ecash system, acknowledged banks have "a security risk" and must face the fact that "privacy is a paramount issue in consumers' minds".

But both practitioners viewed the new technologies as solutions, not problems. Mr. Trotter said "a great leap forward is coming" as Ecash is integrated more closely with bank accounts, establishes a brand identity, and gains adherents around the world.

Mr. Luther predicted consumer acceptance will gather momentum as early as this year as telephone and cable television companies offer "dial-tone access to the Internet" and home banking becomes "just another channel flip".

Mr. Luther, among others, referred to the classic risk-management calculation-the trade-off between an absolute level of security that would make interactive services very difficult to use, and the desire to attract customers through convenience and ease of use.

Some bankers in the New York audience last week took offense when Robert Ayers, chief of the Defense Information Systems Agency's information warfare division, criticized their risk management mentality-and that of corporate America in general.

"There are a lot of pseudo-scientific formulas for calculating risk", he said. "A lot of subjectively and arbitrarily defined numbers (that) computers deal with and then spit out answers."

He added, "The perception of security is in many cases a product of military culture", which gave rise to the idea that one could, say, build a Great Wall of China or a fortress like the Alamo to keep enemies out. No such "risk avoidance" tactic ever worked.

Data encryption, the ultimate computer security defense, is no more than a "way to buy yourself time" to detect and respond to an attack, not much different from the time-delay locks on bank vaults.

"We need to view the problem differently", Mr. Ayers said. "Don't view security as a static defense ... but dynamic, continuous, ongoing."

Philip Reitinger, a member of the Justice Department's computer crime and intellectual property section, agreed that "security is a process, not a goal you'll get to". He recommended that bankers understand their weaknesses and "use risk-based assessments". But he suggested paranoia would not be out of line. "You cyberbankers will be about the juiciest target there is", Mr. Reitinger said. "Your security systems will have to be the best. Plan for intrusions. You will be hacked. Deal with it."

U.S. banking is a "tempting target" for terrorists and foreign enemies because it is "incredibly interconnected and interdependent", said Edward J. Browne, an Air Force Academy cadet.

He has concluded the current state of technology is "not sufficient to defend" such attacks. "If I were an attacker", he said, "I would focus on Fed Wire. It is the linchpin of the national and even global economy."

Mr. Schwartau suggested moving to a two-channel communications setup. In current interactive banking programs, "information and the control signal use the same virtual, logical, and physical path" he said. When subject to some form of hacker bomb, there is no way to send a distress signal and try to remedy the situation. Hence the dreaded denial of service.

"We need to establish an alternate control channel for ... when certain behaviors start taking place that are clearly not allowing us to communicate over our main channel", Mr. Schwartau said.

Also, he said, banks will need means of detecting and reacting to the attacks, such as a module "to recognize that I'm getting too much E-mail from this one person".

Heidi Richards, representing the Federal Reserve Board staff in Washington, reviewed the August 1996 report on "Security of Electronic Money" by a committee of the Group of 10 countries' central banks.

In part encouraged by that report, industrialized countries' bank regulators have chosen to monitor, but not restrict, the free-market development of digital cash innovations.

"The task force was relatively comfortable with these products, especially if they are confined to small-value retail use", Ms. Richards said. And central bankers have developed "some level of comfort" that the new systems do not endanger monetary control functions or create immediate counterfeiting hazards. But Ms. Richards pointed about that most of the current pilot systems, particularly smart cards, "use low-cost, low-security technology, almost deliberately, because they are more concerned about testing the business case".

Bruce Schneier, author of "Applied Cryptography", raised some suspicions about the Mondex smart card system.

While its hardware is said to be tamper-resistant, "they don't make the details of the system public", said Mr. Schneier, president of Counterpane Systems, Minneapolis. "They effectively say 'the security is good, trust us', and yet they assume no liability."

"Any electronic commerce solution where the person that owns the token and the person that owns the secret in the token are different will not work long term",

Mr. Schneier said. Besides, tamper-resistant hardware "really doesn't exist" and there needs to be much more work toward that end.

Security gurus like Mr. Schneier have a different perspective than many bankers and technology proponents. At a recent gathering in San Francisco sponsored by RSA Data Security Inc., the leader in encryption systems, Mr. Schneier was skeptical that "anonymous E-money", the kind typified by Ecash, would apply to anything but "very small values".

"Certainly we'll see a lot of payment systems-we already have a lot of payment systems", he said.

Also at the earlier meeting, John Adams, chief engineer at RSA's parent, Security Dynamics Technologies Inc., said he sees limits to the "multiple applications" that many vendors tout for smart cards.

"Short-term applications like a debit card are not compatible with long-term applications like an authentication card", he said. "Related applications or those with similar life spans go best together."

George Schmidt, chief executive officer of Systor AG, a Swiss bank technology provider, reflected the more detached European point of view, influenced by that continent's slower embrace of the Internet.

He reeled off a number of questions: "Can we build a security payment system in a fundamentally insecure (Internet) environment? How soon will we have a stable Internet payment scheme and get consumers to accept it? What is the right degree of privacy? Can encryption policy, under current government controls, assure privacy?"

Mr. Schmidt, who is close to the European Committee for Banking Standards, made a critical statement about the MasterCard-Visa Secure Electronic Transactions protocol rarely heard in the United States: that it is "very good but we do not believe it can be implemented on a low-cost basis".

His firmest predictions were that without strong security including a public-key encryption infrastructure, "electronic commerce will be delayed", and that call-center telephone banking will take off first.

"This is the year of pilots", said Dan Schutzer, vice president and director of advanced technology at Citibank and president of the Financial Services Technology Consortium.

Mr. Schutzer firmly expects modified versions of existing models-such as his consortium's construct of an electronic check-to find their way onto the Internet.

The problem today is "we have too many one-of-a-kind solutions" that over time could confuse consumers, Mr. Schutzer said. "It would be like everyone is walking around with different kinds of money."

Kawika Daguio, the American Bankers Association federal representative who is often alone at banking conferences in sounding payment-security alarms, came across as a moderate in this crowd.

"Bankers are doing IT (information technology) right", Mr. Daguio said. "Predictability, confidentiality, reliability, and integrity are bank trademarks."

He said the idea of "15-year-olds sitting on their dads' Pentiums in their basements or in their rooms being able to take down a bank or payment system ... is just fantasy", Mr. Daguio said.

But at least one of the risk assessors in the audience was not comforted: "How can we as an industry claim to be doing due diligence when ... passwords protected with 40-bit encryption keys are the basis of all of our security?"

Copyright © 1997 by American Banker. All Rights Reserved. Reprinted with permission.