Digital Cash: Its Security and Privacy

Upload: muhammad-kazim

Post on 06-Jul-2015


Page 1: Information security

Digital Cash

Its Security and Privacy

Page 2: Information security

What is Digital Cash?

• A system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real dollar bills, the digital cash numbers are unique. Each one is issued by a bank and represents a specified sum of real money.

• Electronic money (also known as e-currency, e-money, electronic cash, electronic currency, digital money, digital cash, digital currency, cyber currency) is money or scrip that is only exchanged electronically.

Page 3: Information security

Famous Examples

• Oyster Card (London, England)

• Octopus Card (Hong Kong, Singapore)

• Chipknip (Netherlands)

• Myki (Victoria)

Page 4: Information security

Oyster card

• The Oyster card is a form of electronic ticketing used on public transport based in Greater London in England.

• A standard Oyster card is a blue credit-card-sized stored-value contactless smartcard.

• Passengers touch onto an electronic reader when entering and leaving the transport system in order to validate it or deduct funds.

• The cards may be "recharged" by recurring payment authority, by online purchase, at credit card terminals or by cash, the last two methods at stations or ticket offices.

• The card is designed to reduce the number of transactions at ticket offices and the number of paper tickets.

• The card was first issued to the public in July 2003.

Page 5: Information security

Electronic money systems

• Electronic money system: an online representation, or a system of debits and credits, used to exchange value within another system, or within itself as a stand-alone system. In principle this process could also be done offline.

• Occasionally, the term electronic money is also used to refer to the provider itself.

Page 6: Information security

Types of Electronic Money Transfer Systems

• Technically speaking, the systems involved in the transaction, processing and transfer of electronic funds can be classified into:

• Centralized systems

• Decentralized systems

• Offline "anonymous" systems

Page 7: Information security

Centralized systems

• In these systems, the currency is backed by a government body which is authorized to issue digital currency.

• Many systems sell their electronic currency directly to the end user, but other systems only sell through third-party digital currency exchangers.

• For example, payment gateways are used for such centralized transfers of electronic funds.

• In the case of the Myki card here in Melbourne, Australia, electronic money deposits work similarly to regular bank deposits.

• After Myki Card Limited receives deposited money from users, the money is deposited into a bank just like with debit cards.

• Many mobile service providers across the globe provide centralized circulation of electronic funds through specialized products like Easy Paisa in Pakistan and the M-Pesa system in Kenya.

Page 8: Information security

Decentralized systems

• These systems are based on trust networks and peer-to-peer networks.

• It is up to the user whom to trust and to whom to transfer the electronic funds. These transactions are not backed by any central bank.

• These online currencies are issued by independent computing networks which monitor and process transactions and transfers of these funds. Some examples are:

o Ripple monetary system, a monetary system based on trust networks.

o Bitcoin, a peer-to-peer electronic monetary system based on cryptography.

o Loom, a digitally encrypted commodity exchange system, with warehouse certificates that can be used as currency.

Page 9: Information security

Offline "anonymous" systems

• In the use of offline electronic money, the merchant does not need to interact with the bank before accepting money from the user.

• Merchants can collect monies spent by users and deposit them later with the bank.

• In principle this could be done offline, i.e. the merchant could go to the bank with his storage media to exchange e-money for cash.

• Nevertheless the merchant is guaranteed that the user's e-money will either be accepted by the bank, or the bank will be able to identify and punish the cheating user.

• In this way a user is prevented from spending the same funds twice (double-spending).

• Offline e-money schemes also need to protect against cheating merchants, i.e. merchants that want to deposit money twice (and then blame the user).
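As an added illustration (not from the slides), the following Python sketch shows how a bank's deposit logic can tell the two cheats above apart: a user who answered two different merchant challenges with the same coin (whose identity is then recovered) versus a merchant who deposits the same payment transcript twice. It borrows the linear challenge-response identity trick of Brands-style offline cash; the HMAC tag stands in for a blind signature and commitment checks are omitted, so it is a teaching model, not a full scheme.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1                 # prime modulus for the identity-recovery arithmetic
BANK_KEY = b"demo-bank-key"   # constructed demo key; stands in for the bank's signing key


def issue_coin(uid: int) -> dict:
    """Bank issues a coin: random serial, bank tag over the serial, a fresh per-coin
    secret s, and the user's identity uid that the coin exposes only if double-spent.
    Simplification: a real scheme blind-signs the coin so the bank never sees the serial."""
    serial = secrets.randbelow(P)
    tag = hmac.new(BANK_KEY, str(serial).encode(), hashlib.sha256).hexdigest()
    return {"serial": serial, "tag": tag, "s": secrets.randbelow(P), "uid": uid}


def spend(coin: dict, challenge: int) -> dict:
    """Offline payment: the merchant picks a random challenge c and the user answers
    r = s + c*uid (mod P). One (c, r) pair hides uid because s is uniform; two pairs
    with different c pin it down. (Verifying r against a commitment is omitted here.)"""
    r = (coin["s"] + challenge * coin["uid"]) % P
    return {"serial": coin["serial"], "tag": coin["tag"], "c": challenge, "r": r}


class Bank:
    """Deposit side: verifies the bank tag and decides who cheated when a serial repeats."""

    def __init__(self):
        self.seen = {}  # serial -> transcript of the first deposit

    def deposit(self, merchant: str, t: dict) -> tuple:
        expected = hmac.new(BANK_KEY, str(t["serial"]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, t["tag"]):
            return ("reject: forged coin", None)
        prev = self.seen.get(t["serial"])
        if prev is None:
            self.seen[t["serial"]] = t
            return ("accept", None)
        if prev["c"] == t["c"]:
            # same challenge means the same transcript: the payment is being deposited
            # a second time, so the merchant, not the user, is at fault
            return (f"reject: merchant {merchant} deposited the same payment twice", None)
        # different challenges: the user answered twice, so two equations give uid
        uid = (prev["r"] - t["r"]) * pow((prev["c"] - t["c"]) % P, -1, P) % P
        return (f"reject: double spend by user {uid}", uid)
```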

Page 10: Information security

Types of Electronic Currencies

• Digital currencies can be divided into hard digital currency and soft digital currency.

Hard Currency:

• Hard digital currency does not allow transactions to be disputed or reversed.

• Hard digital currency is not equivalent to online banking. Online banking uses government-issued money that is tracked publicly.

• Hard digital currency is privately owned. It circulates only through the internet or digital databases, and is not directly linked to government-issued money.

• Accounts within a hard digital currency system are not FDIC insured. This means that hard digital currency is only as safe as the company in charge of it.

• Unlike a typical bank account, a hard digital currency account is free and easy to set up, and all transactions clear instantaneously.

Page 11: Information security

Continued…….

Advantages:

• The primary advantage of a hard currency is the fact that operating costs are reduced dramatically

• Transactions can also take place immediately without having to be cleared first.

Page 12: Information security

Continued……

Soft Electronic Currency:

• A soft electronic currency is one that allows for reversal of payments, for example in case of fraud or disputes. Reversible payment methods generally have a "clearing time" of 72 hours or more. Examples are PayPal and credit card.

Advantages:

• Allows payments to be reversed if accusations of fraud are involved.

• Provides services to dispute or reverse charges.

Page 13: Information security

Security Measures in Digital Cash

• Security features in electronic money systems are designed to safeguard the integrity, authenticity and confidentiality of critical data and processes, as well as to protect against losses due to fraudulent duplication or repudiation of transactions.

• Security measures can be grouped into several categories based on whether the measure is designed primarily to prevent, detect or contain threats.

The three primary categories are:

• Preventive measures

• Detection measures

• Containment measures

For this presentation, we explain preventive measures.

Page 14: Information security

Preventive Measures

• These measures aim to stop fraudulent activities and threats before a successful attempt. They can be categorized into:

• Tamper-resistance of devices

• Cryptography

• Online authorization

Tamper-resistance of devices:

• The electronic devices used in electronic money products provide the first line of defense against outside attacks.

• In card-based systems, security-related processing is performed inside a physically secured module.

• The merchant's secured device might also be a smart card or what is sometimes referred to as a secure application module (SAM).

Page 15: Information security

Continued…….

• Tamper-resistant features of these cards are aimed at protecting the data and software from unauthorized observation or alteration.

• These highly sophisticated features include both logical (software) and physical (hardware) protection.

• Software protection

o includes features of the application and operating system that prevent data stored in memory

o Data storage areas within smart cards are of different security levels.

o No information can be altered once the "EOL" information is written inside the ROM of the chip.

o Sensitive but alterable data are stored in the EEPROM (electronically erasable programmable read-only memory) portion of the memory, which can be changed by the chip's internal functions.

Page 16: Information security

Continued….

• Hardware protection

o is created during the manufacturing process and includes physical barriers that prevent optical or electrical reading or physical alteration of the chip's contents.

o Size, in terms of the width of the chip's wiring, is an important physical barrier for microchip cards.

o The smaller the wiring, the more difficult it is to probe physically the contents of a chip.

o Active tamper-resistant features include sensors within the chip

Page 17: Information security

Privacy in Digital Cash

• In terms of information and recordkeeping, privacy appears to mean, to most people, the ability to keep certain kinds of personal information from other people or to restrict its use, except as one freely chooses to permit its disclosure or use.

• Frequently, privacy is regarded as an attribute of individuals and the focus is on those activities through which they are able to control and restrict access to personal information. The information so protected is "confidential."

• There may be many reasons for wishing to withhold information about oneself:

• Information may expose one to censure or punishment.

• It may threaten one's reputation, social status, or self-esteem; it may give others some advantage or power over oneself.

• Information concerning income, debts, or financial transactions may in some situations do all of these things. This may explain in part why people are particularly sensitive to privacy when it comes to payment systems.

Page 18: Information security

Continued…..

• However, the strong possibility remains that EFT systems and services themselves, through their normal functions and operations, may intrude on the privacy of users.

• In the case of soft digital cash, software applications are designed in such a way that they require personal information from users, but they also ensure that the information is collected through a secured channel so that privacy can be assured. Payment gateways are an example of such an application.

Page 19: Information security

Violation of Privacy

• In payment systems, privacy is violated when data is, without the subject's consent to disclosure, used by those not a party to the transaction, for purposes other than those necessary to accomplish the transaction.

• If a person has not given consent, implicitly or explicitly, to the disclosure and usage of the information he or she has given willingly, then this is also considered a privacy breach.

• This is the obverse of unauthorized disclosure of information to third parties: the ability of the individual to know what personal information has been collected and how it is being used.

• Thus, customers need to know what information is recorded about them and how they can correct inaccuracies.

• Privacy can also be violated by illegal or unauthorized access to EFT and other telecommunication systems.

Page 20: Information security

Privacy and EFT

• In many ways digital cash can enhance the privacy of financial transactions.

• An automated teller machine (ATM) transaction is clearly more impersonal and anonymous than one conducted through a human teller.

• Electronic transactions cannot be signed over to a third party by the recipient as a check may be.

• When dealing with any financial transaction, we also deal with a collector, a conveyor and a recipient.

• The collector collects data from the customer, then passes it to the conveyor, which then routes it to the recipient/customer.

• In hard transactions, manual processing is involved, which may produce erroneous results in processing and also threatens one's privacy.

• With EFT systems, the collector, conveyor and recipient are incorporated into an integrated computer system, thereby providing enhanced processing and overcoming privacy breach issues.

• EFTPOS is an example of such a system.

Page 21: Information security

Privacy Policy Design Considerations

• What is a privacy policy?

• A privacy policy is a document that discloses some or all of the ways you will use information gathered from users, how you gather that information, and how the information will be stored and managed.

• The Working Party's discussions of consumer, law enforcement, and supervisory issues suggested several key considerations to which consumers, providers, and authorities may wish to give attention in the implementation and use of electronic money products. These considerations are:

• Transparency: Potential users can best make informed choices about the relative merits of electronic money products if their features, costs, and risks are sufficiently transparent.

Page 22: Information security

Continued….

• Financial integrity: The financial integrity of any electronic money issuer rests importantly on adequate liquidity, capital, and internal controls.

• Technical security: Technical security measures have important implications for the financial and operational reliability of an electronic money scheme.

• Vulnerability to criminal activity: The design of electronic money schemes can affect importantly the risks of criminal usage of and attacks on electronic money.

Page 23: Information security

Questions…..

Thank you for Listening
