Netscape Communications Corp.'s browser for the Internet was recently found to have a security flaw in its data encryption system. The company promised it would be fixed within a couple of weeks.
Shortly before that, it came to light that Citicorp's wire transfer network had been broken into by several Russian nationals using personal computers. Citibank said it successfully bolstered its security with smart cards.
These are only two of many messages that add up to a serious warning to the banking industry: There is no such thing as a perfectly secure system.
The effective security measures we hear about may be the best ones available at the time of the installation decision. But any security can be attacked at some price. Every secure system has an attack "work factor" - the time and cost required to render it ineffective. These work factors, or barriers, are constantly being whittled down by advances in the technology of breaking into secure systems.
Within the data security community, the president of RSA Data Security Inc., a leader in the field, recently suggested that users of his company's encryption algorithm stop using keys that are 512 bits in length. Better if the keys, the digital codes needed to code and decode messages, are 1,024 or 2,048 bits long, because the ability to compromise the RSA algorithm has improved tenfold over the last 10 years.
Meanwhile, the National Institute of Standards and Technology has requested that the federal data encryption standard be decertified. Continued improvement in chips and computing speeds have made it increasingly possible to break the code.
The banking industry has asked for a 10-year delay in decertification. They want a new family of algorithms with variable work factors. The world does not stand still for bankers. The technology and system performance continue to improve for hackers.
Smart cards are seen as part of the solution, but they are subject to the same growing risk. The current International Organization for Standardization 7816 architecture and security are 10 or more years old. At least three methods of attack have been called to the attention of the relevant standards committees, but they have not responded. Similar inaction in the past has come back to haunt them.
So be warned again: There is no such thing as perfect security, and that includes the ISO 7816 smart card.
Mr. Svigals is a consultant based in Redwood City, Calif., and publisher of Smart Cards and Comments newsletter.