Thursday, October 9, 2014

Adding Details to FI Issued Digital Currency

Adding a bank signature to bundled financial data does not make digital currency immune from counterfeiters. Nothing prevents the recipient from receiving issuance from a financial institution (FI), duplicating the data, and spending it multiple times. Trusted software must receive and dispense electronic currency from a personal electronic device (PED) and invalidate the data and revoke the signature in the case of a data breach outside the confines of trusted software.

A certificate authority (CA) or some other trusted entity signs software running on the PED. The issuing FI validates the software with access to the digital currency using any of a number of methods, including a challenge with a cryptogram and a legitimate response. If that validation succeeds, the trusted software challenges the FI in turn and receives an issuance of currency only after validating the response to its challenge. This double challenge and response (or other verification methodology) is then replicated (preferably using an industry standard) between payer and payee for as long as the currency circulates.
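The double challenge and response described above, as an added sketch that is not part of the original post. It assumes a symmetric key already provisioned to both the FI and the PED software and uses HMAC-SHA256 as the cryptogram; the post specifies neither, and the names `Party`, `cryptogram` and `issue` are hypothetical.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """MAC over the responder's role and the verifier's fresh challenge.
    Binding the role stops a party's own cryptogram being reflected back at it."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()

class Party:
    """One side of the exchange: the issuing FI or the trusted PED software."""
    def __init__(self, role: bytes, key: bytes):
        self.role, self.key = role, key  # key provisioning is assumed
        self.pending = None              # outstanding challenge, single use

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh nonce per attempt
        return self.pending

    def respond(self, challenge: bytes) -> bytes:
        return cryptogram(self.key, self.role, challenge)

    def verify(self, peer_role: bytes, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = cryptogram(self.key, peer_role, self.pending)
        self.pending = None  # a challenge is never accepted twice
        return hmac.compare_digest(expected, response)

def issue(fi: Party, ped: Party, amount: int):
    """Run both challenges; return an issuance record only if both pass."""
    # 1. The FI challenges the PED software and checks its cryptogram.
    c1 = fi.challenge()
    if not fi.verify(ped.role, ped.respond(c1)):
        return None
    # 2. The PED software challenges the FI before accepting any value.
    c2 = ped.challenge()
    if not ped.verify(fi.role, fi.respond(c2)):
        return None
    return {"amount": amount, "issuer": fi.role.decode()}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    print(issue(Party(b"FI", key), Party(b"PED", key), 100))
```

The same two-step exchange would run between payer and payee on each later transfer, with the roles relabelled accordingly.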

There are still multiple vulnerabilities presented by the storage of digital currency on a PED regardless of the care used to store and move value from PED to PED. Ingenious attackers will ply their trade. The issuing FI may cease to exist. Theft (along with the user access codes), loss, or destruction of the PED threatens the currency. In short, issued digital currency will not gain acceptance without users having confidence that they will not lose their money.

There must be insurance for the digital currency with fees based on real risk. A Regulation E (protects cardholder accounts in the US) approach does not work with a circulating digital currency because the FI will not control access to the currency after issuance. Can risk have a price based on aggregate value stored on the PED? Is the risk linear? Is the cost for a small value stored on a PED the same as a large value stored on a PED? My hope is that companies think about insuring digital currency so when there is a rush to the exits of card technology the infrastructure supporting digital currency exists.

Governments also will address certain aspects of digital currency. Will users with PEDs containing large values need to declare such at border crossings, or will the movement be the same as a checkbook moving across borders? Equally important to users is anonymity of purchases (not really possible with signed values), so acceptance will depend on limited government interference in value transfers and the preservation of the illusion of anonymity. Governments need warrants before review of stored payment activity logs. Current laws seem to offer adequate protection for users of digital currency; however, knowing the predilection of governments to know of large value transfers, some new laws are almost inevitable. I only hope that excessive lawmaking zeal will not nip the bud before it blooms.

