A recent American Banker article on data security ("Web Possibilities Make Security People Insecure," Feb. 27, page 13) was an accurate reflection of a total lack of industry leadership, and of the sad fact that many so-called experts don't know what they are talking about.
Current industry security solutions work very well, but are not understood or appreciated even by these experts.
Allow me to answer a few of them.
Win Schwartau's warning on "denial of service" attacks: They have been successfully defended against since the advent of automated teller machines and branch automation with simple design rules, selective redundancy of network servers, and data base access mechanisms.
The mention of the "Russian attack" on Citibank's network: Citi never disclosed the specifics, and the attack has not been experienced by another bank. This suggests that the Citi case was an inside job. The banking industry successfully wires trillions of dollars every day, which raises the question, why isn't the current industry solution used for the Web? Why aren't these security experts familiar with the two decades of success with data encryption based on changeable keys?
Air Force Cadet Edward Browne's implication that the Fed wire is vulnerable: If he has come up with a good attack scenario, why not release it to the industry for an assessment?
Federal Reserve official Heidi Richards' comment that current smart card pilots use low-security technology: In fact, the magnetic-stripe credit and debit cards that smart cards might replace have no security. Yet the system is loaded with security features and sensitivity tests, and annual losses are a trivial fraction of gross dollar volume. In France, the chips inside 24 million bank cards have lowered losses by 10% a year and reduced the need for central, on-line authorization of transactions by 90%- a result that seems paradoxical to many in the United States. Perhaps Ms. Richards and her colleagues should take a look at how the French did it.
Citibank executive Dan Schutzer's concern about "too many one-of-a- kind" digital cash solutions: The electronic banking industry has demonstrated over two decades its ability to deal with a multiple-vendor environment. The real requirement is an industry-led effort to define a common architecture and security guideline. It happens to exist for smart cards and the Internet in the international standard ISO 10202-and it can answer the concern of George Schmidt of Systor in Switzerland that the MasterCard-Visa Secure Electronic Transactions protocol cannot be implemented cheaply.
RSA Data Security Inc. chief engineer John Adams' prediction that short-term and long-term transaction and information applications won't coexist on a single smart card: In fact, they already do. Lufthansa's Senator Card acts as a prepaid, refillable telephone card (short term), electronic airline ticket (short term), and credit or debit card (longer term).
The allegation that "the basis of all our security" is 40-bit encryption keys: Not true. The U.S. banking industry has been using 56- and 112-bit varieties since the advent of the Data Encryption Standard 20 years ago.
All of this leads me to believe that what is most lacking is industry leadership. We can come up with the necessary solutions by comparing what is available with emerging needs. Much of the current talk is about the digital certificate concept, which is expensive, cumbersome, and just plain overkill. Let us build on demonstrated security achievements.
