In the fall of 1995, the payment and settlement systems committee of the Group of 10 central banks established a Task Force on Security of Electronic Money. In August 1996 the Bank for International Settlements published the group's analysis of the technical risks and security features of electronic money. Israel Sendrovic, executive vice president of the Federal Reserve Bank of New York, headed the task force and was principal author of the report.
Following are excerpts - slightly edited - from the report's executive summary and its assessment of available security measures:
The task force primarily examined consumer-oriented, stored-value payment products, a few of which have already been launched in large-scale pilot programs in various countries. Others are expected to be widely introduced. Through interviews with suppliers, the task force identified general models of electronic money products and specific characteristics that are relevant to security.
The task force found that the logical design chosen for stored electronic value, as well as the conditions under which such money balances can be transferred to other users, offers a basic framework for examining security measures in the various stored-value products.
In addition, the task force distinguished between card-based systems, which are implemented through a specialized computer hardware device, typically a smart card, and software-based systems, which employ specialized software installed on standard computer hardware using standard operating systems.
Security risks to electronic money systems could arise in the consumer or merchant domains and in the financial institution domain, as well as in network communications. Attacks on the security of electronic money systems would most probably be attempted for financial gain but could also be aimed at malicious disruption of the system.
Specific attacks could be instigated through attempts to duplicate or steal genuine consumer or merchant devices, to create fraudulent devices or messages that are accepted as genuine, to alter data stored on devices or in messages transmitted between devices, or to alter software functions on a device from their intended purpose. Malfunctions of devices or communications systems could also lead to accidental losses.
The task force found that various security measures have been developed to protect the integrity, authenticity, and confidentiality of critical data and processes of electronic money products.
One critical safeguard for card-based systems is the degree of tamper-resistance of the microchip embedded in the card or other device. Tamper-resistant features of these devices offer a significant advantage for card-based systems over software-based systems in terms of technical security but also add significantly to their production costs. Such features make it extremely difficult and costly to observe or change critical data stored on a chip without proper authorization, or to alter the operating system or software application functions.
Cryptography is the other critical safeguard for card-based systems and, indeed, the primary safeguard for software-based systems. Cryptography is commonly used in electronic money systems to authenticate devices and messages and to protect data from unauthorized observation or alteration. The security of the cryptography used depends on the strength of the algorithms, the length of the cryptographic keys, and a sound key-management structure, which governs the life cycle of keys and the relationship between them.
Electronic money systems may migrate toward use of asymmetric cryptographic functions, which currently require more costly crypto-processor chips that may reduce the speed and reliability of transactions. Cryptographic key lengths used in electronic money products are also expected to increase as processing speeds rise.
All the electronic money products examined by the task force would establish central system operators (in some cases, the issuer or issuers) to monitor the system continually for attempted security breaches. Monitoring and traceability of individual transactions and the maintenance of cumulative records on individual devices or in a central data base serve to enhance the products' security.
Other mechanisms to help detect and contain instances of fraud are also envisioned through the use of statistical analysis of transaction patterns, periodic interaction by devices with the central system, and the hot-listing of suspect devices. Limits placed on the maximum balances of electronic money devices and the duration of validity of balances or devices also serve to deter fraud as well as to contain any resulting losses.
Transferability of electronic value directly between users' devices has implications for security.
In general, the fewer consecutive transfers allowed without interaction with a central system operator, the greater the ease of detecting fraudulent activity. However, the potential unavailability of transaction information for security monitoring purposes, rather than transferability itself, may pose greater challenges to security. A range of additional security measures may also be implemented to help compensate for any loss of information that results from transferability.
The task force found that the technical security measures designed to protect issuers and other participants in electronic money systems from fraud may also limit the usefulness of these products for criminal activities such as money laundering, particularly when compared with existing payment instruments.
In terms of the privacy of consumer payment-transaction information, electronic money products could have differing impacts, depending on how the products are actually implemented and used.
Overall, the task force's impression was that electronic money systems, particularly those adopted with hardware-based security, can be designed with an adequate level of security relative to other common forms of retail payment. However, no single security measure or set of measures can be said to be sufficient for a particular product. It is the combination of measures, together with the rigor with which they are implemented, that will reduce risk most effectively.
Moreover, while the security designs of most electronic money systems share many features and while international technical standards have been established for certain of these features, a wide range of options is available in terms of specific implementation of products. These options present tradeoffs for product developers on cost, functionality, speed, and reliability. The degree of emphasis on these other considerations will have important implications for the level of security ultimately chosen. As a result, the security features of electronic money systems can be expected to undergo fairly rapid evolution.
While the electronic money suppliers interviewed by the task force have focused considerable attention and resources on the technical security of their products, security assessments conducted thus far have been partial evaluations of specific aspects of a product rather than comprehensive security risk assessments of the entire system.
The task force concluded that an integrated, overall risk management approach to security, including independent assessments, should be an important component of these new products' security.
The overall impression gained by the task force was that measures are available to provide adequate security for electronic money systems, in particular compared with other common forms of retail payment. However, a number of challenges face developers in terms of implementation.
While the security architectures of most electronic money systems share many design features, a wide range of options is available to product developers in terms of specific chip-card security measures, cryptographic algorithms, key lengths, and transaction monitoring. These options, too, present tradeoffs on cost, functionality, speed, and reliability. The degree of emphasis on these other considerations will have important implications for the level of security ultimately chosen.
Security measures for electronic money products are highly complex. There is no single measure or set of measures that can be called sufficient for a particular product.
International standards have been developed for particular aspects of electronic money products, such as the basic functionality of chip cards, certain cryptographic techniques, and communication protocols, but these in themselves are not sufficient to ensure adequate security for a product as a whole. In addition, the development of standards may naturally tend to lag behind technological advances, especially in areas of rapidly changing technology.
Because it is the combination of measures (and) the rigor with which they are implemented that will reduce risk most effectively, it is more important to focus on the overall security risk management approach for a particular product than on the use of individual measures. In addition, relatively low maximum balance limits on devices may be one of the simplest yet most effective deterrents to fraud.
Compared with other forms of payment that are paper-based or rely on plastic cards with magnetic stripes, it is widely accepted that microchip cards are much more difficult to counterfeit or fraudulently alter. In addition, maximum amounts that could be held on devices in most proposed systems are generally lower than the amounts at risk for most debit or credit cards.
However, security measures at each level of an electronic money system (for example, consumers, merchants, financial institutions) should be commensurate with the degree of risk at that level.
For instance, merchant devices could hold significantly greater amounts and thus may be a more likely target for attack. Additional hardware protection and other controls may therefore be desirable for higher-value merchant devices.