update

Electronic money (also known as e-money, electronic cash, electronic currency, digital money, digital cash or digital currency) refers to money or scrip which is exchanged only electronically. Typically, this involves use of computer networks, the internet and digital stored value systems. Electronic Funds Transfer (EFT) and direct deposit are examples of electronic money. Also, it is a collective term for financial cryptography and technologies enabling it.

While electronic money has been an interesting problem for cryptography (see for example the work of David Chaum and Markus Jakobsson), to date, use of digital cash has been relatively low-scale. One rare success has been Hong Kong’s Octopus card system, which started as a transit payment system and has grown into a widely used electronic cash system. Singapore also has an electronic money implementation for its public transportation system (commuter trains, bus, etc), which is very similar to Hong Kong’s Octopus card and based on the same type of card (FeliCa). There is also one implementation in the Netherlands, known as Chipknip.

Date: January 10, 2007
Source: creditorweb.com

This is the age of plastic money. It’s not uncommon for the typical consumer in the western world to go weeks at a time without ever handling a coin or bill. Everything we need is available to us with the simple “swik-swik” sound of a credit card sliding through a reader. Supplies for the office, flowers for the wife, meals and drinks out, and an endless supply of useful products available for sale through the Internet can all be bought with naught a cent to be seen.

The big question is: “How safe is all this plastic?”

Cash has its obvious benefits. When you buy a sandwich for $2.95 and you hand the cashier a $5 bill, you know you haven’t been ripped off when he hands you $2.05 right then and there. But when you hand your card to a waitress at the local chain restaurant, how do you know she hasn’t taken a moment to sneak into the office and copy your card number and signature? You don’t, and the implications of this question are having a serious effect on credit card companies and the merchants they do business with.

In response to these issues, the big credit card companies have developed more secure ways to do business. MasterCard International and Visa got together and came up with a set of guidelines called the Payment Card Industry Data Security Standards. This is a list of 12 guidelines that imposes strict regulations on all transactions taking place between the card company and the merchants it trades with. While these standards have been in place since 2005, merchants are taking some time to catch up to them. However, in the past year there has been marked improvement, and both credit card companies have stepped up their tactics to the point where merchants may be experiencing losses of service if they do not fall in line soon. (You can read the 12 guidelines and the details of this plan on the homepages of Visa or MasterCard.)

Discover Card has responded to the pressure for more secure methods with its own program. They call it the Secure Online Account Number program. Anytime you use your Discover card to purchase a product online, their program will generate a random account number to “stand in” for the one on your card. You then send this number to the merchant in place of the real number. When the number is verified with Discover Card, it will link to your account and the purchase is charged to you. The benefit of this system is that the merchant never sees your true account number. Only you and Discover Card have access to it. Once the transaction is completed the randomly generated account number is no longer valid, so any attempts to use it result in denial.
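The stand-in number scheme described above, modelled as an issuer-side vault, as an added example that is not Discover’s own code or system. It assumes a hypothetical `StandInVault` class; the stand-in numbers are random 16-digit values with a Luhn check digit so they pass basic format checks, each one is tied to a single real account, and it is burned on first redemption or after a constructed time-to-live.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

def luhn_check_digit(partial: str) -> str:
    """Compute the Luhn check digit for `partial` (the number without its last digit)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # the digit just left of the check digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class StandInVault:
    """Hypothetical issuer vault: maps single-use stand-in numbers to real accounts.
    The merchant only ever sees the stand-in; the real number never leaves the vault."""

    def __init__(self, ttl_seconds: float = 600.0):
        self.ttl = ttl_seconds
        self._live: Dict[str, Tuple[str, float]] = {}   # stand-in -> (real account, expiry)

    def issue(self, real_account: str, now: Optional[float] = None) -> str:
        """Generate a fresh random stand-in linked to `real_account`."""
        now = time.time() if now is None else now
        while True:
            # "6011" is the prefix Discover cards carry; the remaining digits are random.
            body = "6011" + "".join(secrets.choice("0123456789") for _ in range(11))
            candidate = body + luhn_check_digit(body)
            if candidate not in self._live and candidate != real_account:
                break
        self._live[candidate] = (real_account, now + self.ttl)
        return candidate

    def redeem(self, stand_in: str, now: Optional[float] = None) -> Optional[str]:
        """The merchant submits the stand-in; the real account is returned once, then the
        stand-in is invalidated. Unknown, already-used or expired stand-ins return None."""
        now = time.time() if now is None else now
        entry = self._live.pop(stand_in, None)      # pop: a second attempt finds nothing
        if entry is None:
            return None
        real, expiry = entry
        return real if now <= expiry else None
```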

A security method that online merchants are employing is the requirement of a shipping address that matches the billing address on your credit card. This is to guard against thieves who may steal your account number but will have no access to your billing address. This way, if your card is stolen, it can only be used to make purchases that will ship to your address. Any prospective thieves will have to pick up their orders from your mailbox, not something the average anonymity-seeking thief will want to do.

There are also third party systems in place for ensuring online credit card security. VeriSign’s SSL (Secure Sockets Layer) technology is the leader in the field. VeriSign will give each merchant it conducts business with 2 “keys” (like coding alphabets), a public key and a private key. The public key is used to encrypt information, and the private key is used to decipher it. VeriSign’s technology now offers this encryption in 128- to 256-bit encryption, which provides a nearly un-guessable number of possible combinations of codes.

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. However, it is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can degrade performance.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
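A small packet filter illustrating the first-match rule evaluation and the IP-spoofing weakness noted above, as an added example that is not part of the original text. The `Rule` and `Packet` types, the interface names `ext`/`int`, and all addresses are constructed; the hardened ruleset adds the usual anti-spoofing rule that drops packets arriving on the external interface with an internal source address before any trust rule is consulted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext" (Internet side) or "int"
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface == "any" or self.iface == p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything no rule matches takes the default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

INTERNAL = "10.0.0.0/8"   # constructed private address range used by the example network

# Naive ruleset: trusts any packet that merely claims an internal source address.
NAIVE = [
    Rule("accept", src=INTERNAL),
    Rule("accept", proto="tcp", dport=80),
]

# Hardened ruleset: a packet on the external interface can never legitimately carry an
# internal source, so such packets are dropped before the trust rule is reached.
HARDENED = [
    Rule("drop", iface="ext", src=INTERNAL),
    Rule("accept", src=INTERNAL),
    Rule("accept", proto="tcp", dport=80),
]

# Constructed packet: arrives from the Internet but forges an internal source address.
SPOOFED = Packet(iface="ext", src="10.1.2.3", dst="10.0.0.5", proto="tcp", dport=22)
```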

Executive Summary
Continuing technological innovation and competition among existing banking organisations and new entrants have allowed for a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carries risks as well as benefits.

The Basel Committee on Banking Supervision expects such risks to be recognised, addressed and managed by banking institutions in a prudent manner according to the fundamental characteristics and challenges of e-banking services. These characteristics include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third parties that provide the necessary information technology. While not creating inherently new risks, the Committee noted that these characteristics increased and modified some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks, thereby influencing the overall risk profile of banking.

Based on these conclusions, the Committee considers that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks’ senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.

To facilitate these developments, the Committee has identified fourteen Risk Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities.

These Risk Management Principles are not put forth as absolute requirements or even “best practice.” The Committee believes that setting detailed risk management requirements in the area of e-banking might be counter-productive, if only because these would be likely to become rapidly outdated because of the speed of change related to technological and customer service innovation. The Committee has therefore preferred to express supervisory expectations and guidance in the form of Risk Management Principles in order to promote safety and soundness for e-banking activities, while preserving the necessary flexibility in implementation that derives in part from the speed of change in this area. Further, the Committee recognises that each bank’s risk profile is different and requires a tailored risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. This implies that a “one size fits all” approach to e-banking risk management issues may not be appropriate.

For a similar reason, the Risk Management Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking. Technical solutions are to be addressed by institutions and standard setting bodies as technology evolves. However, this Report contains appendices that list some examples of current and widespread risk mitigation practices in the e-banking area that are supportive of the Risk Management Principles.

Consequently, the Risk Management Principles and sound practices identified in this Report are expected to be used as tools by national supervisors and implemented with adaptations to reflect specific national requirements and individual risk profiles where necessary. In some areas, the Principles have been expressed by the Committee or by national supervisors in previous bank supervisory guidance. However, some issues, such as the management of outsourcing relationships, security controls and legal and reputational risk management, warrant more detailed principles than those expressed to date due to the unique characteristics and implications of the Internet distribution channel.

The Risk Management Principles fall into three broad, and often overlapping, categories of issues that are grouped to provide clarity: Board and Management Oversight; Security Controls; and Legal and Reputational Risk Management.

Board and Management Oversight

Because the Board of Directors and senior management are responsible for developing the institution’s business strategy and establishing an effective management oversight over risks, they are expected to take an explicit, informed and documented strategic decision as to whether and how the bank is to provide e-banking services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context. Effective management oversight is expected to encompass the review and approval of the key aspects of the bank’s security control process, such as the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It also should include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.

Security Controls

While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking. This should include establishing appropriate authorisation privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured and measures to preserve confidentiality of key e-banking information should be appropriate with the sensitivity of such information.

Although customer protection and privacy regulations vary from jurisdiction to jurisdiction, banks generally have a clear responsibility to provide their customers with a level of comfort regarding information disclosures, protection of customer data and business availability that approaches the level they can expect when using traditional banking distribution channels. To minimise legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should make adequate disclosure of information on their web sites and take appropriate measures to ensure adherence to customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking services.

Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimise operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers’ expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.

A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was. The astonishing success of Google was a black swan; so was 9/11. For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.

Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”

For years, Taleb has studied how we fool ourselves into thinking we know more than we actually do. We restrict our thinking to the irrelevant and inconsequential, while large events continue to surprise us and shape our world. Now, in this revelatory book, Taleb explains everything we know about what we don’t know. He offers surprisingly simple tricks for dealing with black swans and benefiting from them.

Elegant, startling, and universal in its applications, The Black Swan will change the way you look at the world. Taleb is a vastly entertaining writer, with wit, irreverence, and unusual stories to tell. He has a polymathic command of subjects ranging from cognitive science to business to probability theory. The Black Swan is a landmark book, itself a black swan.
