Chase Manhattan Bank has begun employing smart cards with embedded microchips to make an electronic cash management service more secure.
Companies will be able to use the technology to ensure that transactions sent through Chase's Infocash wholesale banking service have not been fraudulently altered.
"To enhance security, we are going to the smart card," said Gene U. Rao, a Chase vice president responsible for transaction security.
Much like home banking systems for consumers, the Infocash system lets financial executives in corporate treasury offices use personal computers to obtain a wide range of banking services.
Infocash services include Fed Wire funds transfers, letters of credit, and balance reports for corporate demand deposit accounts.
Since these transactions can involve millions of dollars, security is critical.
Until now, two types of security have been available, both based on software loaded into the personal computer.
The first, most basic level of security is called access control, and is commonly found on most corporate computing systems. Access control requires a user to enter a proper "logon" and password before being able to use the computer.
A second, more sophisticated level of security is authentication, employing the widely used Data Encryption Standard.
With authentication, software in the Infocash workstation reads fields in a transaction request.
For example, on a funds transfer, the dollar amount, name of payee, and bank account number would be read.
The software uses this information to compute what is called a checksum - a series of numbers derived by applying an algorithm to the transaction data.
The checksum is inserted into the transaction request in what is called a message authentication code. When the information gets to Chase's computers, they use the same algorithm to compute their own checksum.
If the transaction request has been altered in any way, then the checksums will not match, and the request will be rejected.
But loading the checksum algorithm into the Infocash personal computer software poses a security risk. Someone could, for example, copy the software and produce his own valid checksums for fraudulent transactions.
Storage for Algorithm
The smart card is supposed to minimize this risk. Instead of loading the checksum algorithm into the software, it will be loaded into a computer chip embedded in a plastic card issued to an authorized user.
To execute a banking transaction, a user will insert the smart card into a special $1,200 card reader attached to the Infocash workstation.
The reader will use the algorithm on the smart card to compute a checksum that will be inserted into a message authentication code attached to the transaction request.
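An added example, not code from Chase or IBM, of the checksum scheme described above: the workstation asks a card object for a message authentication code over the amount, payee and account fields, and the bank recomputes it and rejects any mismatch. It assumes HMAC-SHA-256 in place of the DES-based algorithm the article mentions (DES is not in the Python standard library); the `Card` class, field names, key and sample transaction are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Fixed field order so both ends serialize the transaction identically.
MAC_FIELDS = ("amount", "payee", "account")


def canonical_bytes(txn: dict) -> bytes:
    """Length-prefix each authenticated field so values cannot bleed into one another."""
    out = b""
    for name in MAC_FIELDS:
        value = str(txn[name]).encode("utf-8")
        out += struct.pack(">I", len(value)) + value
    return out


class Card:
    """Hypothetical stand-in for the smart card: holds the secret, returns only MACs."""

    def __init__(self, key: bytes):
        # A real card keeps the secret inside the chip; here it is only name-mangled.
        self.__key = key

    def mac(self, data: bytes) -> str:
        return hmac.new(self.__key, data, hashlib.sha256).hexdigest()


def sign_request(card: Card, txn: dict) -> dict:
    """Workstation side: attach the message authentication code to the request."""
    return {**txn, "mac": card.mac(canonical_bytes(txn))}


def bank_accepts(bank_key: bytes, request: dict) -> bool:
    """Bank side: recompute the MAC over the received fields, compare in constant time."""
    if "mac" not in request or not all(f in request for f in MAC_FIELDS):
        return False
    expected = hmac.new(bank_key, canonical_bytes(request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(request["mac"]).encode())


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    txn = {"amount": "1500000.00", "payee": "Acme Supply Co", "account": "000123456"}
    request = sign_request(Card(key), txn)
    print("untouched request accepted:", bank_accepts(key, request))
    altered = {**request, "amount": "9500000.00"}
    print("altered amount accepted:", bank_accepts(key, altered))
```

The workstation code never handles the key directly, which is the property the card is meant to provide: copying the workstation software alone does not yield the means to compute valid codes.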
Chase will use smart card technology from International Business Machines Corp. of White Plains, N.Y.
The bank has already been using the technology internally for wholesale banking transactions executed on Infocash workstations by company employees.
Chase is not the first bank to make available smart-card security systems on wholesale workstations. But Mr. Rao said he thinks the Chase system has some advantages, including being more tightly integrated with the treasury workstation.
This integration gives a user a log of the transactions and more control over what transactions can be sent, he said.