What threats do electronic commerce
New York (February 20, 1997) -- As the global financial infrastructure begins to move to the Internet, information warfare against banks threatens the budding field of electronic commerce, industry insiders said here today at the International Banking and Information Security Conference (IBIS '97).
In an extreme example, information warfare -- if successfully carried out against financial institutions -- could paralyze nations as much as the traditional, physical forms of battle, according to some speakers and observers.
Military strategists believe that the most effective way to disrupt everyday life in a nation, short of eliminating its national leadership, is to bring down its communication infrastructure, of which the banking system is a crucial part, according to Edward Browne, a speaker at the conference and a cadet at the U.S. Air Force Academy.
"Imagine the effect of a semisuccessful attack against an American institution. How would that affect other institutions? ... Remember the bank runs of the '30s," Browne said.
Unlike traditional battle, information warfare attacks are carried out via computers. What is bringing the issue to the fore is the globalization of the world economy -- where more and more institutions are electronically linked to each other -- combined with the general move to the Internet, which is not as secure as traditional transaction payment systems.
Though online transactions over the Internet are minuscule compared to other forms of transactions, they are increasing.
Corporate Web sites are growing at 500 per week, said Dan Schutzer, vice president and director of advanced technology at Citibank N.A. There are now more than 50,000 North American corporations online, with an expected one million by 2000, he added. The Internet is especially interesting to banks because it offers the opportunity to establish a full range of services 24 hours a day, seven days a week, Schutzer said.
The physical banking world is constantly hit by fraud, with $800 million a year in bad checks against banks and $1 billion a year in credit card fraud, Schutzer noted.
"We can never eliminate fraud...today we manage it so customers feel safe," said Schutzer. But the Internet brings new problems to banking, he said. These include the ability of hackers to:
To combat these potential problems, widespread cooperation in the banking industry is needed, most speakers said. For example, the European Committee for Banking Standards (ECBS) is now looking at various security enhancement proposals, according to George Schmidt, chief executive officer of Systor AG of Switzerland.
The ECBS is looking at the Secure Electronic Transaction protocol being established by Visa Corp. and other financial and computer companies, but this poses problems for Europeans, he said.
A public key infrastructure, set up so third parties have the ability to "unlock" messages encrypted via SET or other protocols, could be a stumbling block, Schmidt said.
"This public key infrastructure will be difficult to set up," he said, since it requires coordinating law in all the countries in the European community.
Another area in which widespread cooperation is needed is the effort to defend against service shutdowns caused by mail bombs, "spam" attacks, and similar methods of deluging a user or service provider with messages or data to the extent that it causes the closing of a server or service, according to Winn Schwartau, president of Interpact Inc., a consultancy in Seminole, FL.
One potential method of combating this threat is to set up a "back channel" for the Internet that uses a different protocol than TCP/IP, Schwartau said. With a two-channel Internet, separating data and control signals, the "B" channel would be free to send information about abnormal occurrences such as a buildup of mail messages. This information could be used by monitoring devices to activate switches to reroute mail bombs.
"We have to get away from using the single protocol model, TCP/IP Internet," Schwartau said.
Despite the new threats to security posed by online commerce, however, traditional bankers' contingency planning and risk management should ensure that a huge disaster will be avoided, according to Kawika Daguio, a federal representative from the American Bankers Association, in Washington, D.C.
"Our reviews of the [bankers'] measures have revealed that the efforts to build robust systems to deal with traditional insider fraud, building robust systems to deal with contingency problems have paid off in terms of national security benefits," Daguio said.
"We're pretty comfortable, having talked to a lot of bankers, that the stories about hundreds of millions of dollars being missing or hundreds of millions in ransom being paid are empty."
The industry needs to continue to learn about security risks while those risks are still relatively small, Daguio said.
"The good news is that if you take the whole of Internet commerce, and being gracious and giving them 400 million [dollars] a year and you compare that 2.4 trillion [dollars] a day it's not that big a deal...These are small experiments and we don't expect things to go right all the time."
--Marc Ferranti, IDG News Service, New York Bureau