

21 December 1997
Thanks to Ian Grigg


Security of Electronic Money

Report by the Committee on Payment and Settlement Systems and the Group of
Computer Experts of the Central Banks of the Group of Ten Countries

Basle

August 1996


FOREWORD

In November 1995, the central bank Governors of the Group of Ten (G-10) countries commissioned a series of studies on specific issues related to electronic money, in view of the potential importance of this new form of money and its implications for monetary policy, consumer protection and payment systems. These studies were carried out by the Committee on Payment and Settlement Systems (CPSS). For the examination of the security aspects of electronic money schemes the CPSS sought the assistance of the Group of Computer Experts, which established for that purpose the Task Force on Security of Electronic Money, chaired by Mr. Israel Sendrovic from the Federal Reserve Bank of New York. At their meeting in July 1996 the G-10 Governors discussed the various reports that had been commissioned and agreed on the publication of the present report on Security of Electronic Money. The report is not necessarily intended to represent the official views of the Governors.

The Task Force on Security of Electronic Money met regularly between January and March 1996 and during that period also organised meetings with potential suppliers of various types of electronic money products. The intention was neither to cover the entire spectrum of products nor to assess individual systems, but to understand and evaluate the relevant security aspects relating to electronic money.

This report highlights the main design features and functional aspects of electronic money products and analyses the technical risks specific to these products. It also describes the possible security measures that can be relied upon to prevent, detect and contain fraud.

One conclusion of the report is that a range of measures exist which would enable the risks inherent in using these products to be controlled. However, there is no single security measure or set of measures that can be said to provide a guarantee of complete protection. It is the combination of measures together with the rigour with which they are implemented and administered that will serve to reduce risks most effectively. The report also underlines the importance of an overall approach to risk management, which might involve assessments by independent bodies.

It should be stressed that the report is based on knowledge of schemes that are currently under development or at a pilot stage. The analysis contained in the report as well as its conclusions might therefore need to be reviewed in the future in the light of expected technical and operational innovations and adaptations. Nevertheless, it is felt that the report can contribute to improving the general understanding of the technical aspects of electronic money products and to raising awareness of the specific risks that might be involved and of the security measures available to counter those risks. The report does not evaluate any specific product.

Mr. Sendrovic and his colleagues are to be congratulated on having completed this important undertaking within tight time constraints. Able assistance in editing and publishing the report was provided by the BIS.

William J. McDonough, Chairman
Committee on Payment and Settlement Systems

Henri J. Barbé, Chairman
Group of Computer Experts



Table of contents

EXECUTIVE SUMMARY

1. INTRODUCTION

1.1 Background
1.2 Objectives and limitations
1.3 Scope
1.4 Methodology and report structure

2. PRODUCT STRUCTURE AND FUNCTIONS

2.1 Design features
2.1.1 Basic framework for money storage and transfer
2.1.2 Implementation features
2.1.3 Additional functions
2.2 Product infrastructure
2.2.1 Development and production
2.2.2 Distribution
2.2.3 System and network operation
2.3 Transaction processing
2.3.1 Issuance and loading
2.3.2 Purchases and other payments
2.3.3 Deposit, collection and clearing

3. SECURITY RISKS

3.1 Scope of risks examined
3.2 Fraud risks
3.2.1 Duplication of devices
3.2.2 Alteration or duplication of data or software
3.2.3 Alteration of messages
3.2.4 Theft
3.2.5 Repudiation of transactions
3.3 Malfunctions

4. SECURITY MEASURES

4.1 Prevention measures
4.1.1 Tamper-resistance of devices
4.1.2 Cryptography
4.1.3 Online authorisation
4.1.4 Other measures
4.2 Detection measures
4.2.1 Transaction traceability and monitoring
4.2.2 Interaction with a central system
4.2.3 Limits on transferability
4.2.4 Statistical analysis
4.3 Containment measures
4.3.1 Time and value limits on devices
4.3.2 Registration of devices
4.3.3 Hot lists and disabling of devices
4.3.4 System suspension

5. EVALUATION OF SECURITY MEASURES

5.1 General assessment
5.2 Specific security measures
5.3 Industry assessment
5.4 Current status and future developments

6. OTHER CONSIDERATIONS

6.1 Use for criminal activities
6.2 Reliability
6.3 Privacy

7. CONCLUSION

Annex 1: Glossary
Annex 2: Models of electronic money systems
Annex 3: Table of security measures
Annex 4: The Internet
Annex 5: Smart card security
Annex 6: Standards
Annex 7: Cryptography


Members of the Task Force on Security of Electronic Money Established by the Group of Computer Experts


Chairman: Mr. Israel Sendrovic, Federal Reserve Bank of New York

Bank of England: Mr. Geoffrey Prior
Deutsche Bundesbank: Mr. Georg Heine
Bank of Italy: Mr. Fabio Cecchi
Bank of Japan: Mr. Toru Asada
Netherlands Bank: Mr. Simon Lelieveldt
Board of Governors of the Federal Reserve System: Ms. Heidi Richards
Bank for International Settlements: Mr. Yves Carlier

Mr. Paul Van den Bergh of the Bank for International Settlements also took part in some of the meetings of the Task Force and contributed to the preparation of the final report.

© Bank for International Settlements 1996. All rights reserved. Brief excerpts may be reproduced or translated provided the source is stated.

ISBN 92-9131-119-7


EXECUTIVE SUMMARY

The Task Force on Security of Electronic Money was established following a workshop on retail payment systems developments held in October 1995 by the Committee on Payment and Settlement Systems of the G-10 central banks. The Task Force's objectives were to analyse the technical risks and security features of electronic money products and provide a preliminary assessment of the security measures.

The Task Force primarily examined consumer-oriented stored-value payment products, a few of which have already been launched in large-scale pilot programmes in various countries; others are expected to be widely introduced in 1996 or 1997. Through interviews with suppliers, the Task Force identified general models of electronic money products and specific characteristics that are relevant to security. The Task Force found that the logical design chosen for the stored electronic "value", as well as the conditions under which such money balances can be transferred to other users, provide the basic framework for examining security measures in the various stored-value products. In addition, the Task Force distinguished between card-based systems, which are implemented through a specialised computer hardware device, typically a "smart card" (a plastic card containing a microprocessor chip), and software-based systems, which employ specialised software installed on standard computer hardware using standard operating systems.

Security risks to electronic money systems could arise in the consumer or merchant domains and in the financial institution domain, as well as in network communications. Attacks on the security of electronic money systems would most probably be attempted for financial gain, but could also be aimed at malicious disruption of the system. Specific attacks could be instigated through attempts to duplicate or steal genuine consumer or merchant devices, to create fraudulent devices or messages that are accepted as genuine, to alter data stored on devices or in messages transmitted between devices, or to alter software functions on a device from their intended purpose. Malfunctions of devices or communications systems could also lead to accidental losses.

The Task Force found that various security measures have been developed to protect the integrity, authenticity and confidentiality of critical data and processes of electronic money products. One critical safeguard for card-based systems is the degree of tamper-resistance of the microchip embedded in the card or other device. Tamper-resistant features of these devices provide a significant advantage for card-based systems over software-based systems in terms of technical security, but also add significantly to their production costs. Such features make it extremely difficult and costly to observe or change critical data stored on a chip without proper authorisation, or to alter the operating system or software application functions.

Cryptography is the other critical safeguard for card-based systems and, indeed, the primary safeguard for software-based systems. Cryptography is commonly used in electronic money systems to authenticate devices and messages and to protect data from unauthorised observation or alteration. The security of the cryptography used depends on the strength of the algorithms, the length of the cryptographic keys and a sound key-management structure, which governs the life cycle of keys and the relationship between them. In the future, electronic money systems may migrate towards use of asymmetric cryptographic functions, which currently require more costly crypto-processor chips that may reduce the speed and reliability of transactions. Cryptographic key lengths used in electronic money products are also expected to increase as processing speeds rise.

All the electronic money products examined by the Task Force would establish central system operators (in some cases, the issuer or issuers) to monitor the system on an ongoing basis for attempted security breaches. Monitoring and traceability of individual transactions and the maintenance of cumulative records on individual devices or in a central database serve to enhance the security of the products. Other mechanisms to help detect and contain instances of fraud are also envisioned through the use of statistical analysis of transaction patterns, periodic interaction by devices with the central system and the hot-listing of suspect devices. Limits placed on the maximum balances of electronic money devices and the duration of validity of balances or devices also serve to deter fraud as well as to contain any resulting losses.

Transferability of electronic "value" directly between users' devices has implications for security. In general, the fewer consecutive transfers allowed without interaction with a central system operator, the greater the ease of detecting fraudulent activity. However, it is the potential unavailability of transaction information for security monitoring purposes, rather than the transferability feature itself, which may pose greater challenges to security. A range of additional security measures may also be implemented to help compensate for any loss of information that results from transferability.

The Task Force found that the technical security measures designed to protect issuers and other participants in electronic money systems from fraud may also serve to limit the usefulness of these products for criminal activities such as money laundering, particularly when compared with existing payment instruments. In terms of the privacy of consumer payment transaction information, electronic money products could have differing impacts, depending on how the products are actually implemented and used.

Overall, the Task Force's impression was that electronic money systems, particularly those implemented with hardware-based security, can be designed with an adequate level of security relative to other common forms of retail payment. However, there is no single security measure or set of measures that can be said to be sufficient for a particular product. It is the combination of measures, together with the rigour with which they are implemented, that will serve to reduce risk most effectively.

Moreover, while the security designs of most electronic money systems share many common features and international technical standards have been established for certain of these features, a wide range of options is available in terms of the specific implementation of products. These options present trade-offs for product developers in the areas of cost, functionality, speed and reliability. The degree of emphasis on these other considerations will have important implications for the level of security ultimately chosen. As a result, the security features of electronic money systems can be expected to undergo fairly rapid evolution as products are introduced and tested in the market.

While the electronic money suppliers interviewed by the Task Force have focused considerable attention and resources on the technical security of their products, security assessments conducted thus far have been partial evaluations of specific aspects of a product, rather than comprehensive security risk assessments of the entire system. The Task Force concluded that an integrated, overall risk-management approach to security, including independent security assessments, is an important component of the security of these new products.


1. INTRODUCTION

1.1 Background

The Task Force on Security of Electronic Money was established following a workshop on retail payment systems developments held in October 1995 by the Committee on Payment and Settlement Systems (CPSS) of the G-10 central banks. Participants at the Frankfurt workshop agreed that the security of electronic money products could raise a number of issues of significant concern to central banks, particularly if such products become widely used. The potential for counterfeiting and fraud could pose significant financial risks to institutions issuing payment obligations in these systems as well as to other participants. As a result, the Chairman of the CPSS recommended further investigation and analysis of the technical security aspects of electronic money, under the auspices of the Group of Computer Experts (GCE), as well as further research work on several other topics. The report prepared by the Task Force on the Security of Electronic Money thus complements other studies commissioned by the CPSS and the G-10 Governors on the implications of electronic money. This report was reviewed at the July meeting of the G-10 Governors who agreed to its publication in the hope that the report would contribute to the general understanding of technical and security issues relating to electronic money.

1.2 Objectives and limitations

The Task Force's objectives were to analyse the technical risks and security features of electronic money products and, to the extent possible, provide a preliminary assessment of the security measures. The Task Force also considered technical aspects of electronic money products that may affect their potential for use in money laundering or other criminal activity. In both of these areas, the Task Force considered the likely risks and security measures relative to existing methods of payment, although such comparisons are difficult given the current early stage of development and implementation of electronic money products.

The Task Force limited its inquiry to technical matters and did not examine financial, legal or regulatory issues related to the security of electronic money products. Similarly, questions of liability for fraud or counterfeiting, that is, whether merchants or consumers would bear losses for counterfeit electronic money in addition to the issuers or other sponsors of the product, were not addressed. The assignment of such liability could create important economic incentives for security and thus could raise policy issues, but these issues are well beyond the scope of this report.

Importantly, the Task Force did not attempt to judge the adequacy of the security of particular products or to recommend particular security measures or design features as being necessary or sufficient. A process of rapid development and evolution is currently under way for all products analysed by the Task Force, and many aspects of the technology require highly specialised expertise and equipment to make a complete assessment of their security features. The Task Force's report is instead intended to describe the spectrum of security measures that have been developed to address security risks and analyse relevant considerations in their implementation. In addition, the report may help to develop a preliminary framework for central banks and potentially others to use in evaluating security measures as well as the policies and procedures adopted by institutions in this area.

The Task Force examined the issue of privacy of consumer information primarily as it relates to the use of confidential information for fraudulent purposes. The Task Force also investigated the reliability of products against accidental breakage or other system failures to the extent that this was possible given that most products have only advanced as far as the test or limited pilot phase.

1.3 Scope

The term "electronic money" has been used in different settings to describe a wide variety of payment systems and technologies. "Stored-value" products are generally prepaid payment instruments in which a record of funds owned by or available to the consumer is stored on an electronic device in the consumer's possession, and the amount of stored "value" is increased or decreased, as appropriate, whenever the consumer uses the device to make a purchase or other transaction. By contrast, "access" products are those typically involving a standard personal computer, together with appropriate software, that allow a consumer to access conventional payment and banking products and services, such as credit cards or electronic funds transfers, through computer networks such as the Internet or through other telecommunications links.

The Task Force focused its efforts on stored-value products, which comprise stored-value cards, or "electronic purses", and similar products that utilise computer networks, sometimes referred to as "digital cash" or by any number of product names. The Task Force found that many proposed products have attributes of both stored-value products and access products. Thus, much of the analysis of security aspects is applicable to certain types of access products as well as to stored-value products.

The Task Force determined that a relevant distinction for purposes of assessing security features is not whether or not a particular product can be used over a computer network, but rather whether the product's security is based on specialised tamper-resistant hardware (together with self-contained software) or, alternatively, on software installed on standard personal computer equipment. These two categories are termed "card-based" and "software-based" products in this report.

The scope of the study was limited to the analysis of products that are currently approaching their commercial launch date. While an array of potential products has been proposed and publicised, in many cases these products are still in the early design or pilot phases; as a result, insufficient information is available to assess their security features. In the area of software-based stored-value systems, in particular, fewer proposed products are nearing commercial introduction than in the case of stored-value cards; thus the Task Force was unable to examine in any detail the specific security features and likely implementation aspects of such products. It should be noted that software-based products that are most likely to become commercially available in the near future for use over open computer networks would function as access products to credit card accounts or bank deposit accounts; suppliers of these products were not interviewed by the Task Force.

1.4 Methodology and report structure

The Task Force identified the major suppliers or developers of electronic money products in the G-10 countries and invited them to make presentations to the Task Force on the security features of their products. While not constituting an exhaustive list of products under development, the products of these suppliers were considered to be representative of those most likely to achieve commercial implementation in the next one or two years. Electronic money suppliers were asked to complete a questionnaire on their product's security architecture and procedures. For reasons of confidentiality, this report deliberately avoids identifying specific products or their specific features.

The general information provided through these interviews permitted the Task Force to identify the major structural design features, components and processes of electronic money products, which are presented in Section 2 of this report (and summarised in Annex 2). From the basic structural and functional framework, a set of general risk categories and specific threats were identified, which are described in Section 3. Using the information on the different security measures currently implemented or planned in the electronic money products analysed, the Task Force enumerated the security measures utilised or envisaged in the different products to address the risks and vulnerabilities identified. Section 4 summarises the range of security measures that the Task Force observed in the products analysed. The Task Force identified measures that could prevent the risks perceived, permit participants to detect activity in the event that prevention is unsuccessful, and then contain the resulting losses. These measures are also summarised in a matrix in Annex 3. The Task Force's observations and conclusions regarding the security measures are presented in Section 5. In Section 6, general conclusions regarding the implications of electronic money systems for criminal activities, reliability and privacy are summarised.

The most important technical background information is provided for reference purposes in the annexes. A glossary of terminology used in the report is provided in Annex 1. In addition to the other annexes mentioned above, Annexes 4-7 provide summaries of issues relating to the Internet and its relevance to payment systems, techniques to provide physical security for smart cards, international technical standards regarding the security of electronic money systems, and relevant aspects of cryptographic techniques.

2. PRODUCT STRUCTURE AND FUNCTIONS

2.1 Design features

An understanding of the components and processes of the product under study is vital to any security risk analysis. This section provides a general overview of the electronic money products which the Task Force studied, although many details are necessarily omitted. In general, the Task Force did not encounter any products that could be viewed as true "electronic currency", in the sense of replicating many of the key characteristics of physical currency, which is generally an untraceable, anonymous bearer instrument, readily transferable to any other person in any circumstance without intervention by a third party, although in theory the technology would permit development of such products.

Annex 2 illustrates the general structural model common to most electronic money systems, including participants and their interactions, and certain key structural variations on this model. Physical devices, such as smart cards or personal computers, are held by consumers and by merchants. Merchants interact with consumers and with their acquiring bank or other collection point, such as a third-party payment processor. Issuers receive funds in exchange for prepaid balances distributed to consumers and manage the "float" in the system that provides financial backing for the "value" issued to consumers. In some cases, other intermediaries, such as banks, retailers or service providers, distribute stored-value devices and balances directly to consumers. The system may include a central clearing house or system operator.

Although electronic money products share certain general features, the Task Force also found many major differences as regards design and implementation, as described below.

2.1.1 Basic framework for money storage and transfer

The following characteristics define the fundamental structure of electronic money products and influence the security design of the entire product.

Technical representation of money. The electronic record of "value" stored on a device can be designed in one of several basic ways. Devices can store and manipulate a numeric ledger, with transactions performed as debits or credits to a balance (hereafter referred to as "balance-based" products). Alternatively, devices can store electronic "notes" (sometimes called coins or tokens) that are uniquely identified by a serial number and are associated with a fixed, unchangeable denomination. In the latter "note-based" model, transactions are performed by transferring notes from one device to another, and the balance of funds stored on a device is thus the sum of the denominations of all notes on the device.[1] A third approach, which can be thought of as a hybrid of the previous two, uses what can be thought of as electronic "cheques", uniquely identified electronic certificates, in combination with a balance. Most of the products examined by the Task Force use a balance-based design.

Transferability. Stored-value products differ in the degree to which participants can undertake transactions with one another without participation by the issuer or another central authority. The Task Force found that free transferability, in which consumers, merchants or banks may make unlimited direct transfers between one another, is a theoretical concept only. In all systems analysed, transferability is restricted, although the degree and types of restriction differ across systems. In the majority of systems analysed, consumers may only make payments to merchants and merchants may only clear these payments or deposit the accumulated balances through their acquiring banks.

In some systems, consumers may make payments directly to other consumers, but the technological capability exists to restrict these payments through various limits, including the number of such direct transfers or the period of time within which such transfers can occur before communication with the issuer or central operator is required. Greater transferability is not necessarily associated with truncation of transaction information, as discussed later in the report.

2.1.2 Implementation features

Based on the framework given above, the following characteristics define one or more of the major features of the product.

Card-based and software-based products. Most product designs analysed by the Task Force could, in theory, be implemented as either card-based or software-based products. For the purposes of this study, card-based products are defined as those that provide the consumer with a portable, specialised computer device, typically an integrated circuit (IC) card containing a microprocessor chip ("smart card"). The smart card's self-contained operating system and application software are inserted into the chip during manufacturing. In addition to those involving smart cards, card-based products are defined to include those utilising more sophisticated electronic computing devices, such as "electronic wallets", that provide special functions or are capable of greater data-processing capabilities. Owing to their more advanced stage of development, the majority of products analysed in this study were card-based systems.[2]

Software-based systems, in contrast, include those stored-value products that operate via software installed on an industry-standard personal computer, such as a desktop computer or even a smaller portable computer device, supplied by the user and running a standard operating system. Such products are typically designed to be utilised to make payments over computer networks, primarily the Internet. However, many card-based systems have the potential to be used over telephone connections or proprietary or open computer networks, including the Internet. Thus, the relevant distinction between card-based and software-based systems is the implementation of specialised hardware in card-based systems.

Issuer structure. The number and type of issuers - institutions whose obligations are electronically transferred in an electronic money system - is critical from a financial perspective and also affects the technical implementation of an electronic money system. Systems with only one issuer may not need to clear transactions for purposes of interbank settlement, although clearing and settlement would be necessary if other intermediary institutions (distributors and acquirers) were used to distribute and collect funds in the system. In systems with multiple issuers, the card number or a cryptographic "certificate" identifies the issuer, and purchases or loading transactions are typically transmitted to that institution for settlement. Such systems may routinely collect transaction information for financial clearing purposes that may also be useful for security monitoring purposes.

2.1.3 Additional functions

The following features may be optional in their implementation but are also relevant to the security design of an electronic money product.

Information collection. Electronic money transactions generate financial information and security-related information. This information can be stored, temporarily or permanently, by different devices, including consumer devices, merchant terminals, issuers and central system operators. The amount, location and time of information collection depend on the financial structure of the system, the cost of collecting the information and security and privacy considerations. Some systems perform full transaction clearing, in which all transaction details, including the identifying number of each device, are collected as soon as possible after the transaction and transmitted to the issuer. Other systems "truncate" the information provided at the point of sale but store some transaction details in the merchant terminal as well as in the consumer's card or other device involved in each transaction.

Ability to reload devices. Particularly in the pilot or test phases, some stored-value cards are not usable once the initial balance purchased on the card has been expended. Other electronic purse products, as well as products designed for computer networks, are reloadable; that is, the balance on the device can be increased at the consumer's convenience using a variety of payment methods, including direct withdrawal from a bank account, or a cash or credit card payment. Direct withdrawals from a bank account function in a similar manner to cash withdrawals at an automated teller machine (ATM).

Single or multiple currencies. In all the products analysed by the Task Force, electronic "value" stored on devices is denominated in a national currency. In many cases, balances can be held and payments made in several different national currencies. None of the products analysed permits exchange of currencies to take place on the consumer's device without interaction with an external source to provide current exchange rate information; for example, currency exchange could take place at an ATM or, in some cases, at a merchant's terminal.

Single or multiple applications. While some card-based stored-value products are intended to be the only application resident on a consumer's card, in other cases suppliers propose including other payment products, such as debit or credit card functions, on the card. Some projects also involve non-payment applications, such as retail incentive programmes or transport system tokens that would be co-resident on the device. The non-payment applications may be supplied and operated by third parties. Software-based products would, of course, have any number of other applications in addition to the electronic money software residing on the same device.

2.2 Product infrastructure

The processes through which the infrastructure for an electronic money system is implemented can create security vulnerabilities. These processes include the development and production of devices and software, their distribution to consumers and other users and the operation of the central system and network.

2.2.1 Development and production

For card-based products, devices must be designed and tested, manufactured and prepared for use. These processes are described in Annex 5, which also provides an overview of chip card technology. Chip cards are generally manufactured according to a number of international technical standards, as discussed in Annex 6. The operating system for the chip card is generally developed by the manufacturer. The electronic money application may be designed by a separate developer.

During the chip card manufacturing process, the application and operating system coding are physically set into the wiring in the chip module. After testing of the chip modules, a further initialisation ensures that the chip is uniquely identified with a serial number and contains the correct file and directory structures and cryptographic keys. The chip is then embedded in a plastic card. Card personalisation, which may occur at the card manufacturer, at the issuer or at a central system operator, is the process by which individual card and customer data are created and loaded onto the chip.

For software-based products, software must be designed, coded and tested. Design features may be changed or security features upgraded in subsequent generations of the products or releases of the software.

2.2.2 Distribution

In stored-value card systems, issuance of cards to consumers may be accomplished in a number of ways. In some cases, cards are linked to a bank account of the consumer; alternatively, cards may be purchased anonymously at vending machines or using credit or debit cards. Merchant terminals or other devices are typically distributed through acquiring institutions or by a central system operator.

In the case of software-based products, software must be distributed to consumers, merchants and participating financial institutions. Distribution of software may be accomplished through physical transport of diskettes or by transmission between a central system operator and the consumer's device over a telephone connection or computer network; consumers must then install the software on their personal computers.

2.2.3 System and network operation

The electronic money systems analysed by the Task Force establish one or more central computer systems and databases for functions such as control of cryptographic keys, clearing and settlement and monitoring of data for potential fraud. In some systems, many of these functions are decentralised in issuing and acquiring institutions or can be provided by a third-party processor.

For communication purposes, such as for online transactions or collection of transactions from merchants, a variety of methods are possible. Some products use existing credit or debit card clearing networks. Others make use of standard telephone connections or open computer networks such as the Internet for communication between consumers, merchants, issuers and acquirers.[3]

2.3 Transaction processing

Transactions in electronic money systems, whether card-based or software-based, are accomplished through exchanges of electronic messages between computer devices according to predefined protocols which cause the devices to perform certain internal functions. The messages may be transmitted through direct electrical contact, for example between a smart card and a smart-card reader device, through wireless transmission methods or across telecommunications lines, such as those connecting computers in the Internet.

2.3.1 Issuance and loading

Issuance of stored "value" in an electronic money system can occur either prior to or at the time of the "loading" or distribution to consumers. In some electronic money systems, stored value balances, "notes" or "cheques" are created by the issuer and distributed to intermediary institutions prior to being distributed to consumers. In other cases, issuance may occur at the time that a consumer initiates a load transaction. Issuance transactions ultimately generate accounting entries in the records of the issuer and may flow through a clearing and settlement process.

Online authorisation. For some electronic money transactions, online authorisation by a third party is performed before the transaction can be executed, or before the merchant provides its goods or services to a consumer. In general, online transactions require that information on the device or supplied by the user be validated against data held by a central system operator or issuer in secured central databases. For a given product, online authorisation may be used for all transactions or only for certain types of transaction, such as those that debit a bank account. Online authorisation requires an additional communication that can add greatly to the cost and time required for transactions.

Loading of a stored-value card is typically accomplished at an ATM or through the use of a specially equipped telephone; suppliers expect that personal computer-based smart-card readers will also be available in the future for this purpose. If not paid for by cash, credit card or other means, load transactions are generally designed to result in a debit to the consumer's pre-existing bank account that is linked to the card. Most products establish a direct connection to the issuer in the loading process, although offline loading methods, in which completion of processing by the issuer occurs after the balances are loaded, have also been developed. Reloadable products, in some cases, could be designed to permit a small overdraft (negative balance) on the device, which would be covered by a debit to a bank account once the transactions were collected and cleared.

For software-based products, loading is accomplished in a similar manner using messages between the consumer's and the issuer's devices, often transmitted over computer networks. In practice, software-based products for security reasons tend to involve issuance of digitally signed electronic "notes" or "cheques", as described later. Payment to the issuer for such electronic notes is made via direct debit, credit card or other common remote payment methods.

2.3.2 Purchases and other payments

To make a purchase using a card-based product, a consumer inserts a card in a merchant terminal; the merchant (or possibly the consumer) then enters the payment amount.[4] The merchant terminal checks that the card balance is sufficient to complete the transaction, and then instructs the card to debit its stored balance by the payment amount. The consumer's card then instructs the merchant terminal to increase its balance.

A similar process would occur for remote payments via a computer network or telephone, but additional card-reading equipment would be required on the consumer's side. In systems permitting transfers to other consumers, an additional device (such as a "wallet" or telephone) could be used to perform the same function between two cards, whether face-to-face or remotely.

For software-based products, the payment process may depend on the design of the electronic money system as well as the context in which the payment is being made. To purchase an item advertised on the Internet, for example, certain electronic money systems provide for menu-driven software on the consumer's personal computer which automatically prompts the consumer to accept or reject a particular payment based on an electronic invoice sent via electronic mail by the merchant. Alternatively, the consumer may be required to enter the amount and destination of a particular payment. Where a note-based model is used, the serial number of the appropriate number and denomination of notes is transferred from the consumer's device to the merchant’s device using appropriate security protocols, as discussed later.

2.3.3 Deposit, collection and clearing

With some electronic money products, a consumer would have the option of receiving a refund for an unused electronic money balance (or electronic note) and having the proceeds deposited in a traditional bank account, typically one already linked to the device by the issuer. If the bank account were not located at the issuing institution, a clearing and settlement process would be required to redeem the issuer's stored-value obligation.

As in other retail payment systems, electronic money products typically involve a collection process whereby a merchant's account at an acquiring institution is credited with funds received for payments from consumers. In some systems, in which most or all transaction information is truncated at the point of sale, merchants may simply deposit a single accumulated balance (or one balance per issuer) on their terminal through a connection between the terminal and the acquiring institution. For other systems, transaction details are transmitted from the merchant terminal to the acquiring bank, where they are routed to a clearing centre.[5]

In many proposed card-based systems, existing interbank clearing and settlement arrangements such as ATM, debit or credit card networks and systems would be employed. In software-based systems, clearing and settlement mechanisms tend not to be well defined at this stage of their implementation.

3. SECURITY RISKS

3.1 Scope of risks examined

In analysing security risks, the Task Force focused its attention primarily on those aspects of electronic money products that are different from conventional payment instruments such as credit and debit cards and electronic funds transfers. These include, in particular, the use of smart cards and advanced cryptographic techniques. The basic elements of security for electronic payment systems are well established. Thus, the Task Force did not examine in detail issues such as audits and internal controls, separation of employee duties and information, development and testing of hardware and software, and risks in physical production and transportation of devices. However, these aspects of security are the first line of defence against many conceivable security attacks and their importance cannot be overstated.

The Task Force focused on risks and security measures at the level of the consumer or merchant devices. Risks that are internal to an issuer, acquirer, clearing mechanism or central operator could also arise and may create significant vulnerabilities for electronic money systems. For example, an issuer could operate in a fraudulent manner in such a way as to threaten the security of the entire system. Institutions that participate as intermediaries in distributing devices or electronic "value" to consumers could also be a source of risks. In most areas, these security risks have been examined in the context of other payment systems, and administrative controls can be put in place to address them.

The Task Force did not assess security measures aimed at protecting the internal computer systems of issuers or central system operators from outside attacks; Annex 4 describes some of the common security measures that are used to protect computers from attack via network connections, in particular Internet connections. Such risks should not be underestimated; however, they are not unique to electronic money products and thus were considered to be outside the scope of this report. The Task Force did find that electronic money suppliers view transmission of messages between consumers, merchants and central system devices in an electronic money system as inherently insecure and open to observation, modification or transmission failure, whether or not the transmission is effected over an open network such as the Internet or by some other method; thus all systems include measures to protect the integrity of messages during transmission.

3.2 Fraud risks

The most likely motive for any fraudulent attack would be financial gain. This could be accomplished by creating fraudulent electronic representations of electronic money that are accepted as genuine by the issuer or by other participants, or by stealing devices or data from another participant. If such fraudulent balances could be successfully exchanged for currency or other readily transferable forms of money or physical assets, this would cause financial loss to the issuer or other participants. Alternatively, an attack on an electronic money system might be motivated not by financial gain but by a desire to disrupt a particular system.

The primary areas of vulnerability in an electronic money system were outlined in Sections 2.2 and 2.3. These comprise the devices used in the system, including those held by consumers and merchants, and the messages transmitted between such devices. As with other payment systems, significant areas of risk are to be found in the manufacturing and distribution processes, issuer and acquirer systems and central system operation; however, these categories are not examined in detail in this report.

There are a number of possible methods of attack; general categories of threats are outlined in this section. An important aspect of the security vulnerability of electronic money products is that they are designed for widespread retail usage. Thus, it must be assumed that it would not be difficult for an attacker to obtain large numbers of legitimate software, devices or communications between devices, which would facilitate analysis and reverse engineering of the product. Repeated attempts to compromise a device can be expected even if such attempts result in the destruction of a number of devices.

3.2.1 Duplication of devices

In card-based systems, the method of attack could be the creation of a new device that is accepted by other devices as genuine. The objective would be to duplicate a genuine card, including its existing cryptographic keys, card balances and other data. Alternatively, an attacker could attempt to create a card that would function as a genuine card but would fraudulently contain balances without a corresponding load transaction and payment to the issuer.

Duplicating a smart card or a merchant terminal would involve a number of complicated steps requiring a high level of expertise and resources, as described further in Annex 5. An attacker would need to procure the same type of chip card and load the appropriate operating system, application software and data. An attacker could attempt to reconstruct the operating system and application software by examining genuine cards that might be available through legitimate channels.

3.2.2 Alteration or duplication of data or software

The objective of fraud could be to modify data stored on a genuine electronic money device in an unauthorised manner. For example, if the balance recorded on a device were fraudulently increased without other evidence of tampering or damage to the card, the holder could perform transactions with the device that would appear genuine to the merchant terminal. Another method of attack would be to modify the internal functions of a chip card, such as its accounting procedures, so that calculations would not be executed as intended.

Alteration of data or functions on a device could be attempted through exploiting security weaknesses in the operating system or by physical attacks on the chip itself. In software-based systems, data stored on a consumer's device could be altered directly if not protected by software functions, or software could be modified to allow unauthorised alteration of data by the user. In a note-based system, a user could duplicate data representing electronic notes and attempt to use the notes to purchase goods and services.

3.2.3 Alteration of messages

Attackers could attempt to change the data or processes of a device by deleting messages, replaying messages, substituting an altered message for a valid one or observing messages for the purpose of attempting a cryptographic attack. Communications between devices could be intercepted by outside attackers when sent across telecommunications lines, through computer networks or through direct contact between devices. Interception and retransmission of messages in a software-based system that utilised the Internet for transmission would be relatively straightforward, given that standard devices and electronic mail capabilities would probably be used.

An attacker could change the destination device of messages during a transaction by diverting a message sent over a computer network via electronic mail or by removing a smart card from a reader and inserting another with a lower balance. A smart-card reader device could be simulated and used to send false messages to the smart card; alternatively, a fraudulent smart card could be used in a valid card reader, with the intention of causing the card reader device to perform unauthorised functions. Critical data in a message, such as the transaction amount, could be changed and the message then retransmitted to its intended recipient device. Messages authorising the loading of funds from a valid ATM or other terminal could be copied and replayed to a card from a fraudulent terminal. Transaction data transmitted from a merchant terminal to the acquirer could be duplicated in an attempt to receive double credit for the transactions.[6]

3.2.4 Theft

An unsophisticated method of attack would be to steal consumer or merchant devices and fraudulently utilise the balances recorded on them. Data stored on devices could also be stolen via unauthorised copying. For example, in a note-based system, an attacker could intercept messages between a genuine user and an issuer, or insert an unauthorised software program into a user's personal computer that enabled the attacker to copy electronic notes stored or in transmission, and then use the notes to perform transactions. Such a theft would only be detected after the issuer received the fraudulent as well as the genuine copy of the same note for payment, by which time the attacker would probably already have obtained a financial benefit.

As with traditional payment instruments, internal theft within an electronic money supplier could also be an avenue for attack. For example, an employee of an issuing institution could attempt to load balances onto a genuine device while circumventing the normal loading process controls. Employees of manufacturers or issuers could steal devices prior to their being sold or issued to consumers, or could distribute cryptographic keys without authorisation. Product development staff could be bribed to provide confidential product design documentation to outside attackers that might lead to devices being compromised. One of the most significant threats to an electronic money system would be the theft or compromising of the issuer's cryptographic keys by either an inside or an outside attacker.

3.2.5 Repudiation of transactions

Fraud could also be attempted through repudiation of transactions made with an electronic money payment. For example, in remote transactions, such as those conducted over the telephone or via computer networks, a user could fraudulently claim that he or she had not, in fact, authorised a particular transaction. This could cause losses to the merchant as well as to the institution issuing the particular electronic money product.[7]

3.3 Malfunctions

Electronic money products could suffer from instances of accidental corruption or loss of data stored on a device, the malfunction of an application, such as accounting or security functions, or failures in the transmission of messages. Malfunctions could result from physical or electrical disturbances to a device, or from the interruption or corruption of message transmissions between devices. Such malfunctions could cause losses to a party involved in a transaction if, for example, a malfunction caused changes to stored-value balance data on a device. If exploited by unscrupulous holders before being detected, certain types of malfunction could cause losses to the issuer.

4. SECURITY MEASURES

Security features in electronic money systems, as well as in other payment systems, are designed to safeguard the integrity, authenticity and confidentiality of critical data and processes, as well as to protect against losses due to fraudulent duplication or repudiation of transactions. This section describes the different types of security measures that have been planned or implemented by electronic money product developers to address the risks summarised in the previous section.[8]

Annex 3 provides a table summarising these measures and the threats and vulnerabilities they are designed to address.

Security measures can be grouped into several categories based on whether the measure is designed primarily to prevent, detect or contain threats. The primary objective of measures categorised here as preventive is to ensure that attacks on components of the system will be thwarted before a fraudulent transaction can be executed. Detection measures are those taken to alert the issuer or system operator to an occurrence of fraud and to identify the source of the fraud. Containment measures are intended to limit the extent of any fraud once it has been committed. Of course, measures to detect and contain fraud may also have an important deterrent function and thus serve to prevent fraud as well. In addition, certain security measures, notably cryptographic techniques, are critical to the security of electronic money products throughout the stages of prevention, detection and containment.

4.1 Prevention measures

4.1.1 Tamper-resistance of devices

The electronic devices used in electronic money products provide the first line of defence against outside attacks. In card-based systems, security-related processing is performed inside a physically secured module, such as a smart card containing a microprocessor chip. The merchant's secured device might also be a smart card or what is sometimes referred to as a secure application module (SAM), a secure computer component integrated into the merchant's payment-processing terminal.

Annex 5 provides additional information on smart cards and their security features. Tamper-resistant features of these cards are aimed at protecting the data and software from unauthorised observation or alteration. These highly sophisticated features include both logical (software) and physical (hardware) protection. The software code itself resides in the chip and is designed to be protected from any external observation or modification. Software protection includes features of the application and operating system that prevent data stored in memory from being accessed or changed except according to predefined authorisation and access protocols, often involving cryptographic techniques, as discussed below.

Data storage areas within smart cards contain different levels of security. Typically, any data that will not be altered during the life of the card are stored in read-only memory (ROM) during the manufacturing process. Sensitive but alterable data are stored in the EEPROM (electronically erasable programmable read-only memory) portion of the memory, which can be changed by the chip's internal functions.

Hardware protection is created during the manufacturing process and includes physical barriers that prevent optical or electrical reading or physical alteration of the chip's contents. Size, in terms of the width of the chip's wiring, is an important physical barrier for microchip cards. The smaller the wiring, the more difficult it is to probe physically the contents of a chip without highly specialised and expensive equipment. Physical barriers also include external coatings as well as multiple layers of internal wiring that are very difficult to remove without damaging the chip itself. Active tamper-resistant features include sensors within the chip that detect unusual levels of heat, light and electrical current and render the chip inoperable under an attempted attack, as well as providing evidence that tampering has been attempted ("tamper-evident"). Other design features reduce the usefulness of data gathered through unauthorised probing of the chip. For example, the layout of the components of the chip, as well as sensitive data such as cryptographic keys, are physically scattered throughout the chip.

These hardware protection features would very probably prevent the contents of a single chip from being successfully analysed or "reverse-engineered" even by a sophisticated attacker. However, if legitimate chips are widely available, attackers could attempt to piece together information from attacks on multiple chips; moreover, the success rate in analysing chips for fraudulent purposes could be improved through repeated attempts on a number of chips. Such attacks would be feasible for microchip manufacturers or organisations that reverse-engineer computer chips on a commercial basis.

In software-based electronic money systems, by definition, there is no physical protection built into the product itself that would prevent the user or an outside attacker from observing or tampering with the data or software used in the system. The software itself typically contains access control mechanisms to prevent the user from changing or duplicating data in an unauthorised manner. Software protection would typically deter only unsophisticated users, however, as software designed for use on standard personal computers can be altered using readily available programming tools.

4.1.2 Cryptography

Cryptography is one of the most important components of fraud prevention in all electronic money systems examined by the Task Force.[9] The subject of cryptography is highly complex and is covered in more detail in Annex 7.

Purposes of cryptography. Cryptographic techniques provide the logical protection of electronic money systems by ensuring the confidentiality, authenticity and integrity of devices, data and communications used in transactions. There are a number of different cryptographic techniques that are used for different purposes in electronic money systems.

Encryption is a technique used to protect the confidentiality of data during transmission or while stored on a device. Encryption is particularly important for certain types of sensitive data used in security processes, such as cryptographic keys. Other information, such as payment amounts or card serial numbers, may not necessarily be transmitted or stored in encrypted form.

Cryptography is also commonly used in electronic money products to authenticate the identity and privileges of devices in transactions. Before a device will respond to commands issued from another device, it will perform cryptographic challenges; only a device with the appropriate cryptographic keys will produce the correct responses. For example, critical control data, such as the maximum balance on the device, are generally protected against alteration except by devices holding cryptographic keys maintained by an issuer or central system operator. Digital signatures are one means of authenticating the identity of a device that sends a particular message and may also be used to prevent fraudulent repudiation of transactions.[10]

Cryptography is also used in some systems to certify the validity of electronic notes or other data created by an issuer or system operator. The security of note-based (or cheque-based) systems depends at least partially on cryptographic protection of the electronic note itself, which is typically certified by a digital signature created by the issuer's device or system. This approach is common in software-based systems, in which balances cannot be protected physically but can be protected mathematically.

Cryptography is commonly used for verifying the integrity of messages exchanged between devices in electronic money systems, that is, detecting whether or not a message has been altered before reaching its intended recipient. Message authentication codes may be used for this purpose. Creation of a fraudulent message that is successfully received as a valid message would require knowledge of cryptographic keys. Cryptographic techniques can also be used to protect the integrity of software transmitted over open networks.

Types and strength of cryptography. Cryptographic techniques rely on mathematical algorithms together with parameters known as keys. Many different cryptographic algorithms are available. Algorithms are usually classified into symmetric key and asymmetric (or public) key cryptographic systems. Symmetric algorithms require devices to use the same secret cryptographic key for encrypting and decrypting messages. The most commonly known symmetric key algorithm is Data Encryption Standard (DES), which has been adopted as a standard in many countries, particularly in the financial services industry. The DES algorithm can be used in a process that greatly increases its strength, known as triple-DES, whereby three separate encryption and decryption operations are performed using a double-length DES key.

Asymmetric algorithms allow the use of a combination of private and public keys in the encryption and decryption processes. A message encrypted with a public key can only be decrypted by its private key counterpart. Similarly, only a message encrypted with a private key can be decrypted with the public key counterpart. While the public key may not need to be protected from outside observation, the private key is stored only on the user's device, thus limiting its vulnerability to attack. The design of algorithms is such that, in the current state of mathematics, calculating the private key from the public key is practically infeasible. RSA is one well-known asymmetric cryptographic algorithm, although others are also used.

Systems using cryptography can be attacked by exploiting weaknesses in the algorithm, by stealing secret keys, or by testing all possible keys in turn ("brute-force attacks"). For a given cryptographic algorithm, the longer the key, the more difficult and costly it is for an attacker to derive the keys or encrypted information through a brute-force attack.[11] However, longer keys also increase processing times, which may be a constraining factor for current generations of IC cards. The strength of the algorithm itself is usually verified mathematically and through repeated testing.

The card-based electronic money systems investigated by the Task Force use (or plan to use) both symmetric and asymmetric cryptography. The most common algorithms used in electronic money products are DES and triple-DES algorithms, so-called "hash functions", and RSA or other asymmetric algorithms. Asymmetric key lengths range from 512 bits to 2,048 bits. The Task Force found that most suppliers of electronic money systems have made similar assessments regarding the strength of particular encryption algorithms, necessary key lengths for symmetric and asymmetric algorithms and good key-management practices. Most are using or plan to use published cryptographic algorithms that have been subject to extensive testing.

The use of "active" or "dynamic" asymmetric cryptography, in which chip cards generate digital signatures or perform other cryptographic calculations, can be applied to prevent attacks that may be attempted through replaying previous messages and observing the exchange of cryptographic information. Active asymmetric cryptography, however, requires more powerful microprocessors (known as crypto-processors), which are currently more costly to produce, and may result in slower transaction speed and reduced reliability of devices, according to suppliers. Thus, at this stage of their implementation, many products rely on the use of "passive" asymmetric cryptographic certificates stored on each card, together with dynamic symmetric cryptography, in which unique "session" keys are generated for each transaction, as discussed in Annex 7. However, note-based or cheque-based products generally utilise active asymmetric cryptography.

Systems using cryptography can also be attacked through weaknesses in their implementation. For example, the software that performs cryptographic functions must be properly designed and implemented, and any use of random data to generate keys must be truly random or patterns could be recognised that would aid in a brute-force attack. Extensive testing of the product is the most effective means of correcting such implementation weaknesses.[12]

Key management and storage. The key management of a system comprises the different types of cryptographic keys and their relationship, generation, use, distribution, storage and validity. Decisions in this area are critical to the security of the product as a whole.[13] Damage to a system through the compromising of cryptographic keys may be reduced by limiting the use of each key. Many electronic money systems contain different keys that provide access to different functions, such as load, purchase and deposit functions. Individual cards may each store a unique key, derived from a master key. Highly sensitive load keys that allow the increase of balances on a card are generally held only by the issuing institution and may involve longer key lengths. The ability to change cryptographic keys or algorithms used in the system quickly is a security measure envisioned by many electronic money systems. Suppliers interviewed by the Task Force indicated that they anticipated a relatively short key life cycle, sometimes a matter of months for critical keys.
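The following sketch is an added illustration, not part of the report and not any supplier's design. It combines three mechanisms described above: per-card keys derived from a master key and separated by function, a session key generated for each transaction from a verifier's challenge, and a message authentication code over the payment message. HMAC-SHA256 is substituted for the DES and triple-DES operations the report names, and all names and message layouts are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: HMAC-SHA256 replaces the DES/triple-DES primitives named in the
# report. All class, function and field names here are hypothetical.

def prf(key: bytes, *fields: bytes) -> bytes:
    """Keyed function over length-prefixed fields (prefixes keep field boundaries unambiguous)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def diversify(master_key: bytes, function: bytes, serial: bytes) -> bytes:
    """Per-card key for one function (load, purchase, ...) derived from a master key."""
    return prf(master_key, b"diversify", function, serial)

def session_key(card_key: bytes, counter: int, challenge: bytes) -> bytes:
    """Key for a single transaction, bound to the card counter and the verifier's challenge."""
    return prf(card_key, b"session", counter.to_bytes(4, "big"), challenge)

def payment_mac(key: bytes, serial: bytes, counter: int, amount: int) -> bytes:
    """Message authentication code over the fields of one payment message."""
    return prf(key, b"pay", serial, counter.to_bytes(4, "big"), amount.to_bytes(8, "big"))

@dataclass(frozen=True)
class Payment:
    serial: bytes
    counter: int
    amount: int
    tag: bytes

class Card:
    """Holds only its own diversified purchase key, never the master key."""
    def __init__(self, serial: bytes, purchase_key: bytes, balance: int):
        self.serial, self._key, self.balance, self.counter = serial, purchase_key, balance, 0

    def pay(self, amount: int, challenge: bytes) -> Payment:
        if amount <= 0 or amount > self.balance:
            raise ValueError("amount not payable from card balance")
        self.counter += 1            # incremented for every attempted transaction
        self.balance -= amount
        key = session_key(self._key, self.counter, challenge)
        return Payment(self.serial, self.counter, amount,
                       payment_mac(key, self.serial, self.counter, amount))

class Verifier:
    """Stands for a device holding the purchase master key (e.g. an issuer system)."""
    def __init__(self, purchase_master: bytes):
        self._master = purchase_master
        self._last_counter = {}

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)   # unpredictable, so old responses cannot be reused

    def verify(self, p: Payment, challenge: bytes) -> bool:
        if not (0 < p.amount < 2**64 and 0 < p.counter < 2**32):
            return False
        card_key = diversify(self._master, b"purchase", p.serial)
        expected = payment_mac(session_key(card_key, p.counter, challenge),
                               p.serial, p.counter, p.amount)
        if not hmac.compare_digest(expected, p.tag):
            return False                 # altered message, wrong key or wrong challenge
        if p.counter <= self._last_counter.get(p.serial, 0):
            return False                 # authentic but already seen: replay
        self._last_counter[p.serial] = p.counter
        return True

def demo() -> dict:
    purchase_master, load_master = secrets.token_bytes(32), secrets.token_bytes(32)
    serial = b"CARD-0001"                # constructed sample serial number
    card_key = diversify(purchase_master, b"purchase", serial)
    card, verifier = Card(serial, card_key, balance=5000), Verifier(purchase_master)
    c1 = verifier.new_challenge()
    p1 = card.pay(1200, c1)
    c2 = verifier.new_challenge()
    p2 = card.pay(300, c2)
    return {
        "genuine": verifier.verify(p1, c1),
        "replayed_to_new_challenge": verifier.verify(p1, c2),
        "amount_altered": verifier.verify(Payment(p2.serial, p2.counter, 3, p2.tag), c2),
        "second_genuine": verifier.verify(p2, c2),
        "resubmitted": verifier.verify(p1, c1),
        "load_key_differs": diversify(load_master, b"load", serial) != card_key,
        "other_card_key_differs": diversify(purchase_master, b"purchase", b"CARD-0002") != card_key,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because each card stores only its diversified key, extracting the key from one card does not yield the key of any other card or the load key held by the issuer.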

All electronic money systems involve cryptographic keys that must be kept secret, or secure against unauthorised observation, in order to prevent unauthorised duplication or alteration of data. In card-based systems, various security measures have been developed to safeguard keys in storage on devices and in transmission between devices. For software-based systems, in particular those that involve access to open computer networks, storage of cryptographic keys poses greater challenges, because the user's device cannot be assumed to be secure with any degree of certainty.

Certification authorities (CAs) may be necessary for systems employing asymmetric cryptography. CAs are typically centralised databases that certify, store and distribute public keys and information identifying the holder of the corresponding private key. Owing to their limited use of active asymmetric cryptography, most electronic money systems examined by the Task Force provide their own CA facilities. Those that require widespread, routine distribution of public keys for each user face greater challenges. In either case, the compromising of a CA would be a significant threat to an electronic money system. In particular, the use of third-party CAs or multiple CAs (for example within an international system) raises a number of security issues that may require further analysis if they are ultimately implemented in electronic money systems.

4.1.3 Online authorisation

In card-based systems, online authorisation by the issuer is typically only required at the time the device is loaded by a debit to a bank account. Such authorisation is required, as in a standard ATM transaction, to ensure that the holder of the card is authorised to access funds in a particular account. A standard personal identification number (PIN) is usually required of the consumer in such transactions. The deposit or collection function between merchants and their acquirer also typically occurs in an online manner. Centralised systems at the acquirer verify merchant transaction logs to ensure that no transactions have been transmitted more than once. In some card-based systems, the merchant terminal might request an online authorisation for a purchase transaction; this could be done randomly or on the basis of certain card or transaction parameters.

Online authorisation is generally considered to be necessary for all transactions in software-based electronic money products.[14] In order to deter a user or outside attacker from copying a particular electronic note and "spending" it several times over, a central authority must verify each transaction sequentially on the basis of information about notes that have previously been issued and redeemed. Such methods would not necessarily prevent fraud, however, but might only detect it after the event. In some systems, the use of sophisticated cryptographic techniques would enable the issuer to determine which party instigated the fraudulent transaction.

4.1.4 Other measures

Electronic money systems may provide additional levels of security against fraud as well as malfunctions by requiring individual devices to perform additional verifications during transactions. These could include, for example, verifying expiration dates, numbers of transactions executed with the device, balances on the device (against its maximum balance) and the maximum balance itself.

Electronic money systems also include measures to prevent the creation of unauthorised balances through interruption of transactions. Message protocols are designed so that transactions are completed only if all messages defined for that transaction have been successfully exchanged. Incomplete transfers, such as those caused by interruption of power supply or of messages, can at worst lead to the debiting of amounts on one device without their being credited to the counterpart device. Logs of incomplete transactions are typically stored on the devices for future reference or investigation by the issuer or system operator.

Finally, procedural and administrative controls provide important safeguards against attempted fraud. Tasks such as card manufacture, cryptographic key management and card personalisation are subject to strict access controls and are separated geographically and administratively, increasing the number of employees that would need to collude in order to gain enough information to compromise system security. Terminals, particularly those that allow loading of balances, are distributed in a controlled manner, and may be supervised through remote monitoring by a central operator. Control over the merchant environment may also play an important role in security administration, as merchant terminals may have higher balance limits and be an attractive entry point for an outside attacker. Administrative controls are also necessary to prevent the possibility of fraudulent issuance of electronic money by an issuer or its employees.

4.2 Detection measures

4.2.1 Transaction traceability and monitoring

Individual electronic money transactions, once executed, are subject to a variety of different security-related monitoring and verification procedures. In most of the card-based systems analysed, each transaction can be identified by a unique number, based on the card's serial number and its transaction counter, which increases by one increment for each attempted transaction. In the case of note-based systems, each note has a unique serial number.

The frequency, location and extent of monitoring of transaction-specific information by a central operator varies across systems and may be conducted at the option of the operator according to the particular environment. In some systems, transaction information, including the identity of both devices in the transaction, is transmitted to the central point some time after the transaction has taken place. Typically, such transmission by merchants is required within a specified time-frame. For unattended terminals, such as vending machines, this process might occur up to two weeks after the transaction date. In most systems, the devices themselves, including those held by consumers, store a full or limited record of transactions performed. This record could be read at a later time by a central system. Some systems truncate information at the level of the merchant or acquirer. Some systems verify every transaction that is executed; this is clearly quite costly to perform. Other systems check transactions on an ad hoc basis or in response to evidence of suspicious behaviour.

Transactions can be subject to financial verification as well as security verification. Financial verification may involve accumulating transaction amounts for each device and calculating "shadow balances" for devices, which are stored in a central database. Although the exact balance on each device at any point in time cannot be calculated with complete accuracy owing to the time-lags in clearing transactions, transactions made with a particular card can be compared against the shadow balance maintained for that card to ensure that it is not inconsistent with the prior transaction data. This type of active transaction monitoring provides a very high degree of certainty that any fraudulent transactions or alteration of balances on a card will be detected at some point, although the time that may elapse before such detection could vary considerably depending on the design of the particular system. Some electronic money systems examined by the Task Force do not check every transaction against a centrally held balance, either because not all transaction data are routinely collected or for cost reasons.

Security verification by the issuer or central operator involves verifying message authentication codes, transaction sequence numbers, information about previous payment and load transactions and other information contained in transactions or stored on devices. In note-based systems, as mentioned earlier, serial numbers of notes used in transactions can be verified against a central list. Some verification of cryptographic information may be performed at the central operator or issuer level, using cryptographic keys that are not contained in merchant terminals. This provides an added level of security against the compromising of a merchant terminal.
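As an added illustration, not taken from the report or from any system it examined, the sketch below shows how a central operator might combine the unique transaction number (card serial number plus transaction counter) with a shadow balance when clearing records. The record layout, finding names and sample batch are constructed for the example, and loads are assumed to reach the ledger before any purchase they fund because they are authorised online.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    serial: str    # card serial number
    counter: int   # card transaction counter; (serial, counter) is the unique transaction number
    kind: str      # "load" (authorised online by the issuer) or "purchase" (cleared later)
    amount: int    # minor currency units
    party: str     # issuer or merchant that submitted the record

class ShadowLedger:
    """Central record of shadow balances (hypothetical and simplified).

    Loads are known at once because they are authorised online, while purchases
    arrive later and possibly out of order. The shadow balance is therefore never
    lower than the real card balance, so a purchase that exceeds it means value
    was spent that the issuer never loaded.
    """
    def __init__(self):
        self.balance = defaultdict(int)
        self.seen = {}          # (serial, counter) -> first record received
        self.suspects = set()   # serial numbers to investigate

    def clear(self, txn: Txn) -> str:
        if txn.amount <= 0 or txn.kind not in ("load", "purchase"):
            return "MALFORMED"
        prior = self.seen.get((txn.serial, txn.counter))
        if prior is not None:
            if prior == txn:
                return "DUPLICATE_SUBMISSION"   # same record sent twice; settle it once
            self.suspects.add(txn.serial)
            return "COUNTER_REUSE"              # one number, two different transactions
        self.seen[(txn.serial, txn.counter)] = txn
        if txn.kind == "load":
            self.balance[txn.serial] += txn.amount
            return "OK"
        if txn.amount > self.balance[txn.serial]:
            self.suspects.add(txn.serial)
            return "OVERSPEND"                  # not applied; shadow balance unchanged
        self.balance[txn.serial] -= txn.amount
        return "OK"

# Constructed clearing batch: merchant records arrive late and out of order.
BATCH = [
    Txn("CARD-A", 1, "load", 5000, "ISSUER"),
    Txn("CARD-A", 2, "purchase", 1200, "M1"),
    Txn("CARD-A", 2, "purchase", 1200, "M1"),   # merchant log transmitted twice
    Txn("CARD-A", 4, "purchase", 800, "M2"),    # clears before counter 3
    Txn("CARD-A", 3, "purchase", 500, "M1"),
    Txn("CARD-A", 3, "purchase", 2500, "M3"),   # same number, different content
    Txn("CARD-B", 1, "load", 2000, "ISSUER"),
    Txn("CARD-B", 2, "purchase", 1500, "M1"),
    Txn("CARD-B", 3, "purchase", 900, "M2"),    # more than was ever loaded
]

def run_batch(batch):
    """Clear a batch in arrival order and return the findings with the ledger."""
    ledger = ShadowLedger()
    findings = [ledger.clear(t) for t in batch]
    return findings, ledger

if __name__ == "__main__":
    findings, ledger = run_batch(BATCH)
    for txn, finding in zip(BATCH, findings):
        print(txn.serial, txn.counter, txn.kind, txn.amount, txn.party, "->", finding)
    print("suspects:", sorted(ledger.suspects))
```

The time that elapses before an inconsistency surfaces depends on how quickly merchants submit their records, which is the clearing time-lag the text describes.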

To the extent that greater transferability between users limits information collected by a central point, it reduces the effectiveness of transaction monitoring. However, the Task Force did observe note-based or cheque-based systems that permit transferability within certain parameters but also collect a full transaction log of each transfer attached to each "note" for later monitoring by the issuer. Thus, transferability and strong traceability and detection measures are not necessarily mutually exclusive but depend on the logical design of the product.

4.2.2 Interaction with a central system

Online interaction with the issuer or central operator of an electronic money system is a commonly used security feature of card-based systems. Such interaction allows the central operator to check security parameters on the card for consistency, to update security measures on the device, such as cryptographic keys, and, in some cases, to gather additional transaction data from the device. The transaction log and records of any errors or incomplete transactions can be read and stored by the central system. Such measures increase the probability that any attempted fraud will be detected within a short period.

Events that may require interaction with the central system include routine load or deposit transactions, resolution of failed transactions or multiple failed attempts to enter a PIN. In addition, the expiration date of the device or of balances or notes stored on the device could also trigger online interaction. In some systems, or as planned future enhancements, the device itself will automatically cease functioning after a certain number of consecutive offline transactions, thus requiring online interaction. Of course, some of these measures could reduce convenience and flexibility for the holder.

4.2.3 Limits on transferability

Limits placed on the transferability of stored-value balances or notes may reduce the opportunities for fraudulent balances to be used without detection. If balances on devices are transferable to other users without information being made available to a central point, the origin of any fraudulent balances may be more easily disguised. In most systems reviewed by the Task Force, consumers are only permitted to make transfers to merchant terminals or to issuers; there is no provision for consumer-to-consumer transfers. Consumers might be permitted to transfer balances to an "affiliated" device, such as one held by another member of their family, but not to unaffiliated devices. Other systems may permit consumer-to-consumer transfers at an ATM or other terminal with an online connection to the issuer or other central system. Certain types of device may be permitted to make transfers only to other devices with certain parameters. For example, to deter attempts at merchant fraud, merchant terminals may be permitted only to transfer balances to individual acquiring institutions.

Even those systems that permit consumer-to-consumer payments may include some limitations that can help detect attempted fraud. As noted earlier, devices could be designed to require interaction with a central operator periodically, so that consumer-to-consumer transaction records stored on the device could be checked. Software-based systems that permit transferability typically operate online; thus each transaction effectively requires interaction with the central operator.

4.2.4 Statistical analysis

Electronic money systems can also implement procedures to analyse system-level data on payment flows in order to detect unusual volumes of payments that could be indicative of fraud. Issuers or a central system may utilise the automated procedures for pattern recognition that have become common in the credit card industry to detect abnormal activity, such as those using artificial intelligence and neural network techniques. At the highest level, the system can track the volume of balances issued and redeemed each day; any level of redemption outside the norm could trigger more detailed investigations. For example, the volume of payments collected by merchants can be analysed by comparison with other merchants of the same type or with normal daily payment volumes.

Statistical analysis procedures require the accumulation of a large database covering normal payment activity over a given period. These data could be analysed for unusual payment patterns, taking into account seasonal patterns and differences across geographic locations, for example. It is not clear, at this stage, how effective a tool statistical analysis will become for detecting specific instances of fraud, or how difficult it would be for sophisticated attackers to disguise their activity within these normal payment patterns.

4.3 Containment measures

4.3.1 Time and value limits on devices

Limits on the size of balances permitted to be stored on consumer and merchant devices are a very important security feature of electronic money systems. Note-based systems may not contain a direct value limit but in some cases may limit the number and denomination of notes issued to a particular device at any given time. While the direct effect of value limits is to contain the magnitude of losses from successful fraud attempts, the indirect preventive result may be equally important - to deter attempted fraud by reducing the potential financial gain. Any attacker would need to duplicate or alter a large number of devices to make the effort financially worthwhile. Of course, the effectiveness of balance limits relies on highly secure means of storing the maximum balance limits to prevent tampering as well as on routine verification of the actual balance against the maximum balance permitted. Moreover, limits on consumer devices may not help contain breaches of security of higher-balance merchant terminals.

Expiration dates on devices and on value also serve to contain the extent of any fraud, as a fraudulently altered device would only be usable for a limited period. Importantly, such measures may also be used to force the user to interact with the central system, where fraud could be more easily detected. In card-based systems, devices may contain limits on the maximum number of transactions that a particular device can perform.

4.3.2 Registration of devices

Registration of the identity and address of the holders of devices with the issuer or central authority would facilitate investigation of any attempted fraudulent activity. In many of the electronic money systems analysed, both consumer and merchant devices are required to be associated with specific bank accounts, from which funds can be withdrawn in loading transactions. Anonymous purchases of cards, for example at vending machines in exchange for currency, so far appear to be the exception rather than the norm; moreover, functional limitations could be placed on such devices compared with those that are individually registered. In software-based systems, users would be required to register their identity with issuers in order to transfer funds into or out of the systems, as well as to receive software and register cryptographic keys and other information necessary to execute transactions.

Registration of merchant devices may be particularly important. Because merchant devices may have much higher balance limits than consumer devices, control over distribution of and access to these terminals is a necessary security measure. The same holds true for devices held by entities distributing or collecting stored-value balances.

4.3.3 Hot lists and disabling of devices

Hot lists are records of the serial numbers of suspect devices maintained by a central system operator. These lists are used to check for suspect cards at each point of interaction with the central system, and can cause the cards to be disabled or retained by a terminal. In some cases, hot lists can also be distributed to merchant terminals to prevent purchases by suspected devices or devices within a certain range of card serial numbers. The hot lists held on merchant terminals can be updated when the terminal makes an online connection to the system operator. Owing to cost considerations, most suppliers interviewed envision using this capability only for fraudulent devices, rather than to block lost or stolen cards at the merchant level. In software-based systems in which devices would not be identified by their serial numbers, it may be more difficult to identify users suspected of fraudulent activity and prevent them from operating devices, although this will depend on the manner in which users are registered or otherwise identified in the system.

Other measures that cause automatic disabling of devices can include multiple attempts to enter a PIN or multiple failed transactions. In some electronic money products, a PIN can be used to "lock" the device in order to discourage theft by preventing use by an unauthorised person.

4.3.4 System suspension

Many of the electronic money systems plan to implement facilities to rapidly change the cryptographic keys or algorithms used if a wide-ranging fraud is detected or suspected. A longer-term measure would be to replace cards or software if it were suspected that the design was compromised. Ultimately, in the face of widespread fraud, system operators could resort to the extreme solution of disabling all terminals and recalling devices.[15] Given that some transactions typically take place offline, and that some time would be needed in order to notify participants, complete closure probably could not take place immediately and thus would not fully contain losses.

5. EVALUATION OF SECURITY MEASURES

5.1 General assessment

The overall impression gained by the Task Force was that measures are available to provide adequate security for electronic money systems, in particular compared with other common forms of retail payment. However, there are a number of challenges to developers in terms of implementation. While the security architectures of most electronic money systems share many common design features, a wide range of options are available to product developers in terms of specific chip card security measures, cryptographic algorithms, key lengths and transaction monitoring. These options present trade-offs for product developers in the areas of cost, functionality, speed and reliability. The degree of emphasis on these other considerations will have important implications for the level of security ultimately chosen.

Security measures for electronic money products are highly complex. There is no single security measure or set of measures that can be said to be sufficient for a particular product. As discussed in Annex 6, international standards have been developed for particular aspects of electronic money products, such as the basic functionality of chip cards, certain cryptographic techniques and communication protocols, but these standards in themselves are not sufficient to ensure adequate security for a product as a whole. In addition, the development of standards may naturally tend to lag behind technological advances, especially in areas of rapidly changing technology. It is the combination of measures, together with the rigour with which they are implemented, that will serve to reduce risk most effectively. Thus, it is more important to focus on the overall security risk management approach for a particular product, rather than on the use of individual measures. In addition, relatively low maximum balance limits on devices may represent one of the simplest yet most effective deterrents to fraudulent attacks.

Compared with other forms of payment that are paper-based or rely on plastic cards with magnetic stripes, it is widely accepted that microchip cards are much more difficult to counterfeit or fraudulently alter.[16] In addition, maximum amounts that could be held on devices in most proposed systems are generally lower than the amounts at risk for most debit or credit cards. However, security measures at each level of an electronic money system (e.g. consumers, merchants, financial institutions) should be commensurate with the degree of risk at that level. For example, merchant devices could hold significantly greater amounts and thus may be a more likely target for attack; additional hardware protection and other controls may therefore be desirable for higher-value merchant devices. Data and devices held at issuers would be particularly sensitive and would most probably be subject to the highest level of security.

5.2 Specific security measures

Physical barriers against tampering with devices provide one of the most important security measures for electronic money products. The cost and resources necessary to physically alter or reproduce the various types of microchip cards are fairly well known by industry experts. Tampering with microprocessor cards is beyond the means of the casual criminal, while even for experienced or professional computer thieves, tampering with chip cards would also be extremely difficult and costly.[17]

However, with legitimate electronic money devices widely available in the market, criminal organisations will be able to continually improve their methods of attack, even if initial attacks on a chip card fail. Thus, it can be assumed that even the most sophisticated tamper-resistant features may eventually be breached, potentially permitting analysis and reproduction of the contents of the device. As a result, continual strengthening of the tamper-resistant features of card-based products will probably be necessary.

For software-based products, data stored on the devices used by consumers and merchants can be expected to be copied or otherwise compromised by only moderately sophisticated attackers. The software itself can be reverse-engineered and examined closely for vulnerabilities, a process which is generally much more difficult when the software is physically protected on a chip card. As a result, software-based systems must generally rely on other measures such as online, real-time authorisation.

Published cryptographic algorithms that have been widely tested and in use for a considerable amount of time provide a high level of security; products should not rely on the secrecy of the algorithm for protection. In addition, longer key lengths greatly increase the cost and time for a brute-force cryptographic attack. RSA keys are generally at least 512 bits in length; in fact, 768-bit keys are now becoming common and some keys are as long as 2,048 bits. Key-management techniques such as separation and diversification of cryptographic keys, both across functions and across devices, help to contain any losses resulting from the keys on a single device being compromised. Longer keys may be used for more sensitive functions, such as those performed by issuers.

The feature of transferability between users found in some electronic money systems does not, in itself, pose greater security threats; products have been developed that provide transferability while still permitting full traceability of transactions. Shadow-balance accounting should provide a very high degree of detection of possible fraud, provided that transactions are required to be cleared within a fairly short time-frame. Systems that do not rely on shadow-balance accounting, either for cost reasons or because transferability features make the collection of data difficult, must rely on other measures to ensure a high level of security, such as highly tamper-resistant chips, strong cryptography, more extensive security verification between devices, relatively low balance limits and more frequent online interaction with a system operator or issuer. Statistical analysis of payment patterns may help to detect suspicious activity, but the effectiveness of such techniques has not been proven. Such monitoring might raise the cost of attempting fraud, because activity would need to be more carefully disguised.

The use of an insecure network, such as the Internet, for transmitting payment messages does not in itself create additional security hurdles.[18] All electronic money products operate via messages exchanged between devices, and it is possible to observe or intercept these messages whether they flow over a computer network or through more direct means, without the knowledge of one or both of the parties to the transaction. Electronic money products are therefore designed on the assumption that messages are not transmitted over a secure medium.

Finally, as with other payment systems, administrative and procedural controls over development and operation are critically important security measures. Given the advanced technology used in electronic money products, administrative channels can be expected to be the least costly method of attacking a product, and should therefore be addressed through administrative security control measures.

5.3 Industry assessment

Electronic money products have been developed by organisations with varied experience. The Task Force found that the particular background and experience of different suppliers is evident in their approach to security design. Some systems have been developed by large organisations or banking associations with long experience in operating payment systems. Some would utilise existing payment infrastructures, such as credit or debit card networks, for the operation of their products; these networks typically already address technical security management procedures. New entrants to the payment systems arena may have advantages in terms of flexibility, costs and innovation, but may have less expertise in managing security risks. In particular, because software-based products require less costly physical infrastructure, they may be introduced by organisations less experienced in operating payment systems.

Developers of electronic money products have invested considerable resources in designing and assessing the security features of their products, as well as in analysing the impact of cost and functionality considerations on security. While suppliers interviewed by the Task Force have clearly focused considerable attention on the technical security of their products, security assessments conducted thus far have in most cases been partial evaluations of specific components of a product, rather than comprehensive security risk assessments of the entire system. Comprehensive security assessments are complex, lengthy and expensive to conduct. Owing to the complexity and evolutionary nature of the technical security aspects of electronic money products, it may be difficult for one organisation to perform such a comprehensive assessment. Moreover, there are few organisations qualified to perform such evaluations. A comprehensive security assessment must balance the benefits of an integrated, comprehensive risk-management process against the risks inherent in concentrating detailed security information in any one organisation. However, the Task Force concluded that such assessments conducted by objective, independent experts within an overall security policy framework would serve to significantly enhance confidence in the security of the product.

5.4 Current status and future developments

The Task Force observed that current pilot projects, such as those for stored-value cards in a number of countries, are generally designed to test the business case for electronic money products rather than the specific security implementation. It can be expected that there will be significant changes to the security architecture of these products over the next few years as they are introduced to a wider market. In particular, many suppliers indicated that they are upgrading the physical security and processing power of microchips used in electronic money products, as well as moving to the use of asymmetric cryptography. Suppliers also plan to increase the length of cryptographic keys to provide additional security, and to change keys and security procedures periodically in order to increase the cost of attacking their systems.[19]

Cryptographic techniques and chip card technology are constantly evolving. New means of attack will certainly also be developed and the costs of mounting such attacks will decline as specialised equipment becomes more widely available. As a result, electronic money systems will face challenges in ensuring that their systems can be regularly upgraded and modified to meet new security threats. In the area of cryptography, continuing increases in computing speed should work to the advantage of electronic money suppliers, as cryptographic keys can be lengthened fairly easily, greatly increasing the cost of successful cryptographic attacks.

The cost of these measures, in particular the cost of producing powerful and highly tamper-resistant chip cards, is likely to be a major factor in the implementation of card-based electronic money systems for the foreseeable future. It is unclear how the development of international standards and features permitting interoperability of products will contribute to the security of electronic money products. In addition, products providing for multiple applications housed on one device may raise security issues that may not have been fully addressed at this stage, given that such products have not yet been introduced.

At this stage, software-based stored-value systems, particularly those designed for use on the Internet, are not well developed from a commercial perspective, and the Task Force was thus unable to examine the likely implementation features of such systems that are critical to their security. Software-based products providing access to traditional credit card or bank accounts are, however, much closer to commercial implementation but were not the focus of the Task Force’s analysis; industry security standards in this area are also close to completion. In general, suppliers indicated that payment systems designed for use over computer networks may move towards use of tamper-resistant devices in the future, for example smart cards that would perform security-related functions for the consumer. Additional security assessments in this area may therefore be useful in due course. These risks deserve additional investigation, in particular as new techniques and potential industry standards for protecting information transmitted over the Internet come to be introduced.

6. OTHER CONSIDERATIONS

6.1 Use for criminal activities

Some characteristics of certain electronic money products, such as their relative lack of physical bulk, their potential anonymity and the possibility of effecting fast, remote transfers, might make them more susceptible than traditional payment systems to criminal activities, in particular money laundering. The Task Force's investigation of electronic money products has shown that, in most cases, the security features that suppliers intend to implement in order to protect issuers from fraud risks might make these products less attractive for use in criminal activities than many existing payment instruments.

For example, events that trigger a required interaction with the central system increase the chance that suspicious activity will be recorded and potentially made available to law enforcement agencies. In all card-based systems examined by the Task Force, devices have unique serial numbers. In most cases, transactions can be uniquely identified by a transaction number, and transaction logs of some kind are stored on devices themselves, and in many cases on a central database as well. Limits on transferability and expiration dates on devices or balances also constitute practical obstacles to the extensive use of these products for money laundering. Risk control procedures based on statistical analysis may also help detect criminal behaviour.

Products that do not require registration of the user with an issuer or other central authority, such as those that can be purchased at vending machines, are typically planned to have quite low limits on values and might not be reloadable. Even for software-based systems that permit remote payments in which the sender may not be identified, users must register with the issuer in order to deposit funds for use in the system and to register cryptographic keys. Given these limits, successful money laundering would be likely to require some degree of involvement or collusion by a financial institution participating in the system. Such activities may be more feasible in certain types of electronic money system if they permit large-value payments to financial institutions in remote locations, such as via the Internet, as well as unrestricted and unmonitored participation by institutions anywhere in the world; these features may depend upon the actual implementation of particular systems.

6.2 Reliability

Reliability encompasses the robustness of devices and networks and timeliness of transactions in electronic money systems in the face of malfunctions, system interruption and transmission failures or delays. The failure rate of chip cards is routinely analysed and documented by electronic money suppliers and chip card manufacturers. Card manufacturers may guarantee a certain level of reliability in terms of card life and the number of transactions that can typically be performed. To the extent that a central system is used for online authorisation, clearing of transactions, storage of cryptographic keys or other critical functions, contingency arrangements for such systems would be an important factor in ensuring reliability.

Developers have implemented measures to address the impact on reliability of interrupted messages due to communications or electrical failures. In some cases, users might be required to return to the issuer to reactivate the device. Reliability of the network in terms of speed and message integrity is likely to be a significant factor in use of the Internet for transmitting payment-related messages, particularly for those systems that operate online. Systems that utilise the Internet or other remote communications methods must ensure that transaction protocols are particularly resilient to delayed or interrupted transactions.

6.3 Privacy

Advanced cryptographic techniques offer the potential for a greater degree of privacy in financial transactions than has been possible with other types of electronic payment. However, proposed electronic money products differ greatly in the degree of privacy they would provide to consumers. For example, some electronic money systems would permit users to transfer electronic notes certified through cryptographic algorithms by the issuing institution without revealing the identity of the sender. Other systems would allow consumers to purchase devices with balances stored on them without revealing their identity, for example at vending machines.

Most of the electronic money systems examined by the Task Force would prevent unauthorised access to transaction information by outside parties, as the consumer's identity would not be contained in transaction messages, and in some cases these messages would be transmitted in encrypted form. Moreover, merchants generally would not have access to information on the identity of the user in a transaction; their devices would record the serial number of the consumer's device but they would have no way of associating that device with an individual. However, a cardholder might voluntarily provide personal information in order to participate in a loyalty or discount programme at a particular merchant.

The anonymity of transactions vis-à-vis the central operator or issuer depends on factors such as the logical design of the system (note-based or balance-based), the degree of truncation of payment messages and whether holders or devices are registered with issuers. If full transaction information is transmitted to the central point, the issuer will probably be able to relate transactions to particular consumers fairly easily; this could reduce the level of consumer privacy compared with certain traditional payment methods. Some suppliers have stated that they intend to retain such detailed transaction information but make it available only for law enforcement purposes.

7. CONCLUSION

Electronic money products have the potential to provide important benefits to payment systems if implemented with due regard for security. The Task Force concluded that no system can be made fully secure against all types of attack. Determining the appropriate level of security for a particular product should involve consideration of the magnitude of potential risks, the cost of implementing varying levels of security, the impact on the functionality of the product and the implications for privacy.

In its interviews with suppliers, the Task Force was impressed with the amount of research that has been undertaken and resources that have been expended on the security of electronic money products. Many sophisticated security measures have been developed that should provide a high degree of security for electronic money products in their initial stages. However, risks may arise in the implementation of these measures. Thus, each product must be evaluated on its own merits. Moreover, it can be expected that there will be significant changes to the security architecture of these products over the next few years, as the resources and capabilities available to both suppliers and potential attackers of these systems increase.

Owing to the technical complexity of these products and the high level of scientific expertise required to assess many aspects of security, it may be difficult for one organisation to evaluate objectively and comprehensively the security of an entire product. The Task Force concluded that an integrated, overall risk-management approach to security, including independent security assessments, is an important component of the security of these new products.


FOOTNOTES

1 Note-based systems require a solution to the problem of "making change" or splitting notes if the consumer does not hold the necessary denominations for a particular transaction.

2 A variety of other specialised hardware devices have also been proposed, including security calculators, PCMCIA cards, personal digital assistants or specially equipped telephones or screen-phones.

3 Annex 4 provides background information on the Internet and related security issues.

4 In many card-based systems, suppliers intend to incorporate devices similar to merchant terminals in unattended vending machines.

5 For vending machines, the transaction information can be downloaded periodically onto a portable device, which is subsequently connected to the acquiring bank.

6 The security of a system against the risk of duplication or "replay" of messages is sometimes known as "idempotency".

7 In practice, the potential for repudiation of transactions is not unique to electronic money products, and has not been a major source of fraud in existing payment instruments compared with theft and counterfeiting.

8 In a number of cases, electronic money product developers have not implemented the full range of security measures in pilot programmes, but state that they intend to do so at the time of more widespread introduction of their products.

9 A number of countries have laws regulating the use or export of cryptographic software or hardware. The Task Force did not address these issues, as they may involve questions of legal interpretation and were not cited as major obstacles to security design by suppliers of electronic money products. However, such laws may have implications for some electronic money products depending on the countries where the products are manufactured and used and on their design.

10 Whether or not digital signatures are adequate to ensure that a payment has been legally authorised may involve additional technical as well as legal issues which the Task Force considered to be outside its scope.

11 Comparisons of key lengths across different algorithms are not always meaningful; for example, asymmetric cryptographic algorithms typically require much longer keys than symmetric algorithms in common applications.

12 For example, such weaknesses have been uncovered and publicised in certain network access software following widespread market introduction.

13 As discussed in Annex 6, certain international standards for payment systems provide guidance on desirable key-management practices.

14 Even the use of asymmetric cryptography by the consumer, merchant and issuer may not be sufficient if users' private keys are stored on a standard personal computer rather than a specialised hardware device.

15 Of course, suspending the system could have important financial repercussions for consumers and merchants; these are not discussed here.

16 It is difficult to assess the cost of counterfeiting electronic money products compared with physical currency, given the recent technological advances in currency production, such as the incorporation of holograms and the use of specialised materials. It is well known that the cost of counterfeiting magnetic stripe cards is quite low.

17 While several incidents of counterfeiting or tampering with memory chip cards have been reported in Europe, counterfeiting of microprocessor cards is considered to be significantly more difficult. Non-financial applications of microprocessor cards may involve less advanced security features owing to the lower financial risks that could result from the cards being compromised. There have been no reports thus far of IC chips used in general-purpose stored-value cards being compromised by an outside attacker.

18 Use of the Internet does, however, provide a lower-cost channel for outside attacks on computers connected to it, although these issues are not addressed in this report.

19 For example, 40 bit DES keys have been standard for many years, but are now considered to be vulnerable to attack; the stronger triple-DES algorithm is preferable even for systems using 56 bit DES keys.


ANNEX 1 - Glossary

Acquirer: in an electronic money system, the entity or entities (typically banks) that hold deposit accounts for merchants and to which transaction data are transmitted.

Asymmetric cryptography (also called public key cryptography): a set of cryptographic techniques in which two different keys (private and public keys) are used for encrypting and decrypting data. The private key is kept secret by its holder while the public key is made available to communicating entities.

Audit trail: a sequential record of events having occurred in a system.

Authentication: the methods used to verify the origin of a message or to verify the identity of a participant connected to a system.

Availability: the ability of services and information to be accessed by users when requested.

Balance-based system: an electronic money system in which the electronic funds are stored on a device as a numeric ledger, with transactions performed as debits or credits to a balance.

Biometric: refers to a method of identifying the holder of a device by measuring a unique physical characteristic of the holder, e.g. by fingerprint matching, voice recognition or retinal scan.

Bit: the basic data element: a binary digit, either 0 or 1.

Brute-force attack: a method of cryptanalysis in which every possible cryptographic key is tried.

Byte: a series of 8 bits.

Certification authority: an entity entrusted with creating and assigning public key certificates.

Challenge-response: a means of authentication in which one device replies in a predetermined way to a challenge from another device, thus proving its authenticity.

Ciphertext: the encrypted form of data.

Closed network: a telecommunications network that is used for a specific purpose, such as a payment system, and to which access is restricted.

Confidentiality: the quality of being protected against unauthorised disclosure.

Contact cards: cards that require physical contact through an electronic connection surface between the card and the card reader or terminal device.

Contactless cards: cards that do not require physical contact between the card and the card reader or terminal.

CPU (Central Processing Unit): area of a computer system (and of an IC card) that performs computations.

Cryptanalysis: area of cryptography dedicated to studying and developing methods by which, without prior knowledge of the cryptographic key, plaintext may be deduced from ciphertext.

Cryptographic algorithm: a mathematical function used in combination with a key that is applied to data to ensure confidentiality, data integrity and/or authentication. Also called cipher.

Cryptography: the application of mathematical theory to develop techniques and algorithms that can be applied to data to ensure goals such as confidentiality, data integrity and/or authentication.

Derived key: a cryptographic key that is obtained by using an arithmetic function in combination with a master key and a unique identification value such as a card serial number.

DES (Data Encryption Standard): a symmetric cryptographic algorithm (ANSI standard) that is widely used, in particular in the financial industry. Triple-DES consists of operating three times on a set of data (encrypting-decrypting-encrypting) using a double-length DES key.

Digital signature: a string of data generated by a cryptographic method that is attached to a message to ensure its authenticity as well as to protect the recipient against repudiation by the sender.

Embedding: in IC card manufacturing, the process by which the chip module is mounted on the plastic carrier (card).

EEPROM (Electronically Erasable Programmable Read-Only Memory): the area of an IC chip used to store data. Data in EEPROM can be electronically erased and rewritten under the control of the operating system.

Electronic purse: typically an IC card containing an application that stores a record of funds available to be spent or otherwise used by the holder; the record of funds is updated as transactions are made. Additional funds may be added to the stored balance through a withdrawal from a bank account or by other means. Sometimes referred to also as a stored-value card.

Electronic wallet: a computer device used in some electronic money systems which can contain an IC card or in which IC cards can be inserted and which may perform more functions than an IC card.

Encryption: the use of cryptographic algorithms to encode clear text data (plaintext) into ciphertext to prevent unauthorised observation.

EPROM (Electronically Programmable Read-Only Memory): the area of an IC chip used to store data. Data in EPROM can only be written once and cannot be erased selectively.

Firewall: a hardware- and/or software-based system that is used as an interface between the Internet and a computer system to monitor and filter incoming and outgoing communications.

Fleckless: from the German "fleckenlos", which means spotless; a device (card) or a system is said to be fleckless when it can provide evidence that it has not been tampered with.

Hot list: in a card-based system, a list - held by the merchant terminal or other device - of suspicious card numbers or ranges of suspicious card numbers. The hot list is used to detect and to block any transaction with such cards.

IC Card (Integrated Circuit): a plastic card in which one or more integrated circuits are embedded. Also called chip card.

Integrity: the quality of being protected against accidental or fraudulent alteration or of indicating whether or not alteration has occurred.

Internet: an open worldwide communication infrastructure consisting of interconnected computer networks and allowing access to remote information and the exchange of information between computers.

ISO (International Organization for Standardization): an international body whose members are national standards bodies and which approves, develops and publishes i