Mobile ecash showcase - Overview and review - © Copyright 2004, Credentica Credentica December 16, 2004

2 © Copyright 2004, Credentica Part I M-cash showcase

3 © Copyright 2004, Credentica Merchants deposit Coins in batch at Bank (off-line) User spends Coins at Merchant sites (one Coin per payment) Overview of joint showcase with Nokia (NRC) Astro4you Lottery Bank $$$$$$$$$$ User obtains Coins in batch from Bank $$$$$$

4 © Copyright 2004, Credentica GPRS Details (1 of 4): Installation of Pocket software Astro4you Lottery User browses to a Merchant site User redirected to Bank to download Pocket application Bank User requests a service that costs a Coin

5 © Copyright 2004, Credentica GPRS Bank embeds User’s phone number and Coin denomination into each Coin Bank authenticates User through SMS network (using challenge-response) SMS Details (2 of 4): Withdrawal Astro4you Lottery $$$$$ $ $ $ $ $ User selects number of Coins to download $1 Bank Pocket now contains 5 Coins

6 © Copyright 2004, Credentica Pocket discloses Coin denomination but hides phone number unconditionally $$$$ GPRS Details (3 of 4): Payment Astro4you Lottery User browses to fee- based Merchant page, and is asked to pay a Coin $ Merchant validates Coin (off-line) and then provides content to User Bank Merchant cannot identify the payer $ Colluding Merchants cannot cross-profile User Pocket now contains 4 unspent Coins … User visits another pay-for-service Web site ….. and 1 entry in the log of spent Coins $ $ Pocket now contains 3 unspent Coins ….. and 2 entries in the log of spent Coins

7 © Copyright 2004, Credentica Bank WWW Details (4 of 4): Deposit (off-line) Astro4you Lottery $ $$ $ $ Merchant deposits Coins in batch to Bank $ $ $ $ $ Bank validates Coins and verifies they were not double-spent nor double-deposited Bank stores (footprint of) deposited Coins to detect and trace fraud Bank cannot identify Merchant’s customers or peak hours … nor profile (through linkage) customer behavior at Merchants

8 © Copyright 2004, Credentica $$ WWW GPRS Double-spending protection Astro4you Lottery $$ $1 Suppose User manages to hack phone … $$ Bank detects the fraud … Bank … and double- spends the same Coin When Merchants deposit the double- spent Coin … and can identify the fraudulent User

9 © Copyright 2004, Credentica Not yet implemented E-coin extensions & improvements: Multiple e-coin denominations, multiple currencies Pay with multiple e-coins (with exact change capability) Return protocol (for lost/crashed/stolen Customer device, network crash, expiry of unspent e-coins, …) E-coin encrypted back-up & restore E-cheques (pay any amount using a single token) (Limited) off-line transferability of e-coins “Earmarked” e-coins (e.g., negotiable Customer data) Dual-chip (tamper-proofness) enhancements (see next page) Fault-tolerance against transaction interruptions Policies (for on-line/off-line deposit, etc) Multi-party clearing & settlement infrastructure Receipts, fair exchange, dispute resolution, …

10 © Copyright 2004, Credentica On dual-chip mobile devices Client device contains two chips GSM SIM card Tamper-resistant chip (following WIM specifications) In 2002 – 2003, Nokia and Nordea conducted a pilot for a dual-chip WAP phone (“EMPS”) Aimed at secure Internet banking and credit card payments M-cash can exploit dual chip presence: Tamper-resistant chip provides prior restraint against double- spending (2 nd layer of defence) Tamper-resistant chip can enable single-token payment of any amount (e-cheque payments, tick payments) Many applications can piggyback on the same tamper-resistant chip when using Digital Credentials technology – Can use cheap 8-bit chip (no crypto coprocessor needed)

11 © Copyright 2004, Credentica Part II Benefits of m-cash

12 © Copyright 2004, Credentica Strong privacy guarantees Customer privacy towards Merchant & Bank Payment data does not reveal Customer ID (untraceability) – Prevents Customer spamming, discrimination, ID theft, … Multiple payments by same Customer are unlinkable – Prevents Customer profiling without Customer’s consent Merchant privacy towards Bank Bank cannot learn identities of Merchant’s customers Bank cannot data-mine Customer purchase behavior across an association of multiple Merchants Bank cannot learn Merchant peak hours (off-line payments) Merchant can “block out” disclosed Customer attribute data before depositing e-coins [not implemented in m-cash showcase] – E.g., negotiable demographic information encoded into e-coin Note: all privacy guarantees are unconditional A Customer’s privacy depends only on the quality of the random numbers generated by his own payment device (!)

13 © Copyright 2004, Credentica Extremely cost-effective Few account accesses (vs. non-cash systems): One withdrawal spans many payments Many off-line payments can be deposited in one batch Device independent Payee does not need tamper-proof terminal; any PC will do Payer may not need tamper-resistant chip in client device Messages over-the-wire need not be encrypted for security High computational & storage efficiency One e-coin is only 250 bytes (and 140 bytes if EC-based) All exponentiations on Customer side can be precomputed, and spending an e-coin does not require exponentiations Bank can batch-verify multiple e-coins overnight, and need merely store 50 bytes per deposited e-coin Dual-chip enhancement does not need crypto coprocessor

14 © Copyright 2004, Credentica High systemic security E-coins are counterfeit-proof Each e-coin is protected with military-grade cryptography – Counterfeiting requires knowledge of private minting key Multiple measures against double-spending: Double-spending enables Bank to identify Customer – In m-cash implementation: Customer’s phone number is disclosed Client code obfuscation measures [not implemented in m-cash showcase] On-line payment clearing [not implemented in m-cash showcase] Tamper-resistant (dual) client chip [not implemented in m-cash showcase] Unsuitable for money laundering, bribery, … No or limited off-line transferability; identified payer and payee accounts; payer can trace payee (with Bank); high-value payments can be on-line; earmarking to encode payer “reputation”; tamper-resistant (dual-chip) protections

15 © Copyright 2004, Credentica Flexibility & extensibility Flexible dual-chip migration path for Customers Customer can switch to smartcard enhancement anytime – Enables off-line high-value payments, better virus protection, etc. Low-cost 8-bit smartcard implementations Suitable for both micro & macro payments From fractional cents to very large payments Combine with any other Digital Credentials Over-18 proofs, location proofs, etc. Dual chip enhancement can serve many applications (!) Platform & device independent Payer and payee do not need special-purpose hardware All-electronic processes: minting, issuing, spending, verifying, depositing, fraud detection & tracing, etc. Multi-currency & automatic currency conversion

16 © Copyright 2004, Credentica Well-established technology Protocols in open literature since 1993 Scrutinized by dozens of the world’s top cryptographers (Including Adi Shamir, Ron Rivest, and Claus Schnorr) Wide reputation as the world’s best e-cash technology – E.g.: “Considered by many to be the best” – NSA, Office of Information Security Research & Technology, June 1996 Eight multi-jurisdictional patents granted US, Canada, Europe, Japan, Australia, Singapore Third-party prototypes & pilots 1993 – 1996: CAFE project (e-cheques in smartcards) – Gemplus, Royal Dutch PTT, Siemens, and 10 other organizations 1996 – 1999: OPERA (CAFE continuation by major banks) – Pilot with ~ real bank customers in Greece & Spain 2000 – 2001: Zeroknowledge Systems – RIM Blackberry implementation

17 © Copyright 2004, Credentica Part III Benefits per participant

18 © Copyright 2004, Credentica Benefits for Bank (1) Extremely low transaction costs No need to authorize each payment in real-time Few account accesses (vs. non-cash systems): – One withdrawal spans many payments – Many off-line payments can be handled through one batch deposit Fully electronic processing (minting, deposit handling, transaction logging, fraud tracing, dispute handling, …) Highly secure Unsuitable for money laundering, bribery, … – Due to ability of payer to trace payee (only “one-way” privacy) Customers cannot spend money they do not have Avoids ID theft opportunities – Due to payer privacy towards Merchant E-coins are counterfeit-proof Multiple measures against double-spending

19 © Copyright 2004, Credentica Benefits for Bank (2) Can serve new markets (new revenue streams) Micro-payments Withdraw, spend, and deposit e-coins over any medium Earmarked cash (e.g., location, age, …) Customer goodwill for privacy Merchant goodwill for autonomy towards bank Bank cannot trace & cross-profile Merchant’s customers Bank cannot learn peak hours of Merchant Bank does not decide on payment validity; Merchant does Flexible & extensible architecture Flexible dual-chip migration path for Customers Suitable for both micro & macro payments Combine with any other Digital Credentials

20 © Copyright 2004, Credentica Benefits for Merchant (1) Anyone can be a Merchant Do not need special-purpose hardware to receive e-coins No need to establish business relation with Bank No need for special status by Bank (no charge-back, etc.) Lowest transaction costs of all payment systems Can accept payments off-line All-electronic receiving, depositing, and transaction logging Can serve new markets (new revenue streams) Customers who do not have bank accounts Customers who cannot get credit cards Micro-payments Peer to peer off-line payments (Bluetooth, infrared, etc.) Countries with poor on-line connection capability Individuals need not be inhibited about spending behavior

21 © Copyright 2004, Credentica Benefits for Merchant (2) Payment finality E-coin reception guarantees that Bank will credit Merchant Payee not submitted to financial risk & payment uncertainty Bogus money is automatically rejected with 100% accuracy No reliance on on-line Bank presence at payment time Customer goodwill for privacy But e-coins unsuitable for money laundering, bribery, etc. Merchant keeps its autonomy towards Bank Bank cannot learn identities of Merchant’s customers Bank cannot data-mine Customer purchase behavior across an association of Merchants Bank cannot learn Merchant peak hours (off-line payments) Bank cannot falsely or erroneously deny payments Merchant can “block out” disclosed Customer attribute data before depositing e-coins

22 © Copyright 2004, Credentica Benefits for Customer (1) Anyone can make e-coin payments No need for special-purpose hardware – Dual (tamper-resistant) chip is optional No need for good credit status with Bank – Could obtain e-cash from resellers … Payee does not need to verify payer’s credibility Customer privacy towards Merchant & Bank Payment data does not reveal Customer ID (untraceability) – Prevents Customer spamming and discrimination Multiple payments by same Customer are unlinkable – Prevents Customer profiling without Customer’s consent Highly secure Little scope for ID theft (pre-paid, untraceable, un-linkable) Unsuitable for money laundering, bribery, … – Payer can always identify the payee Protection against loss of e-cash stored on client device

23 © Copyright 2004, Credentica Benefits for Customer (2) Low transaction costs Off-line payments, little scope for repudiation, etc. Convenient “Click and pay” – computer represents Customer Micro-payments are cost-effective Automatically keep personal transaction logs Automated backups for recovery from loss and crashes Download & spend from anywhere (platform independent) No physical proximity to Merchant or Bank required Client software can serve multiple applications Seamless scalability from micro to macro payments Other “Digital Credentials” tokens / applications – no cross-application security or privacy “interference” possible!

24 © Copyright 2004, Credentica Benefits for governments/regulators Not suitable for criminal activities (money laundering, tax evasion, extortion, bribery) Privacy is only one-way, payee can always identify payee Extra safeguards: tamper-proof chip on Customer device Auditability of Bank accounts complies with all existing bank regulations & policies Government can make significant profit from issuance of e-cash (“seignorage”) E-cash does not rely on message encryption over the wire, so export control issues play no role Facilitates cross-border payments through multiple currencies

25 © Copyright 2004, Credentica Part IV Comparison to other payment systems

26 © Copyright 2004, Credentica General drawbacks of account-based systems Account-based AKA book-entry systems: Bank transfers funds from payer to payee account Cheques, credit cards, debit cards, … General drawbacks: Unsuitable for low-value e-payments No privacy for Customers nor for Merchants Payments must be cleared on-line – Not an option in many situations / locations – Delays transactions, may result in unavailability – Adds cost (on-line connection costs money) – Bank must install hardware to cope with peak load – Denial of service attack on clearing/authorization process Payment process requires delay to identify and correct undesirable conditions (e.g., bounced cheques)

27 © Copyright 2004, Credentica Drawbacks of (paper) cheques Payee bears risk of insufficient funds Payee must wait days to receive money No non-repudiation Payer denial is major fraud cause Can write cheques against closed accounts No privacy for Merchants and Customers “In a sense a person is defined by the cheques he writes. By examining them the agents get to know his doctors, lawyers, creditors, political allies, social connections, religious affiliations, educational interests, the papers and magazines he reads and so on ad infinitum” – Judge William O. Douglas, U.S. Supreme Court, 1974, California Bankers Association v. Shultz Not usable in cyberspace Processing and handling of cheques is expensive Poor security ABA: 5 billion US$ annual losses for financial industry

28 © Copyright 2004, Credentica Drawbacks of (plastic & chip) credit cards Not suitable for peer-to-peer payments Need tamper-resistant point-of-sale terminal Need merchant status Payments must be on-line Merchant liable for bogus charges & card-not-present High costs of exception handling Credit cards not economic for below $10 Even less privacy than cheques: Data trail already in electronic format Central parties learn transaction time / items Cardholder profiling for fraud detection Poor security Especially of card-not-present transactions (e-payments…) ID theft opportunities

29 © Copyright 2004, Credentica E-payments with credit cards Inherit all legacy system drawbacks Make use of same back-end infrastructure In particular: payments must still be cleared on-line Privacy worsens Combine electronic credit card data trails with: – IP address, click-stream data, location information, … Security worsens Virus attacks, spoofing, DOS attacks, replay, ID theft … Card-not-present transactions very insecure – Fraudulent Merchant can automate attacks Charge randomly generated credit card numbers Bank strategy to withdraw Merchant status is ineffective Serious credit card storage vulnerabilities – Merchant database is now on-line …

30 © Copyright 2004, Credentica Other cash-like e-payment systems Mondex, Proton, Citibank, etc.: No privacy: payments systematically traceable & linkable Payees need tamper-resistant terminals Payers needs tamper-resistant chipcards (and “reader”) No earmarking of money and other functionalities Typically: poor security (not: military-grade per cash unit!) Millicent and similar software-only systems: No privacy: payments systematically traceable & linkable Payments are effectively on-line … – must obtain vendor-specific “coins” from “broker” to pay Poor security (no migration path, no PK security, etc.) No earmarking of money and other functionalities DigiCash: Sequential on-line payment clearing that does not scale No smartcard (dual-chip) solution, no negotiable attributes, no e- cheques, no double-spending tracing, etc. etc.