Adding a bank signature to bundled financial data does not
make digital currency immune from counterfeiters. Nothing prevents the
recipient from receiving issuance from a financial institution (FI), duplicating
the data, and spending it multiple times. Trusted software must receive and
dispense electronic currency from a personal electronic device (PED) and invalidate
the data and revoke the signature in the case of a data breach outside the
confines of trusted software.
A certificate authority
(CA) or some other trusted entity signs software running on the PED. The issuing FI validates the software with
access to the digital currency using any of a number of methods including a challenge
with a cryptogram and a legitimate response. If satisfied the trusted software
challenges the FI and only receives an issuance of currency after validating
the response to the challenge. This double challenge and response (or other
verification methodology) then is replicated (preferably using an industry
standard) between payer and payee for as long as the currency circulates.
There are still multiple vulnerabilities presented by the
storage of digital currency on a PED regardless of the care used to store and
move value from PED to PED. Ingenious attackers will ply their trade. Issuing
FI may cease to exist. Theft (along with the user access codes), loss, or destruction
of the PED threatens the currency. In short, issued digital currency will not
gain acceptance without users having confidence that they will not lose their
money.
There must be insurance for the digital currency with fees based
on real risk. A regulation E (protects cardholder accounts in the US) approach
does not work with a circulating digital currency because FI will not control access
to the currency after issuance. Can risk have a price based on aggregate value
stored on the PED? Is the risk linear? Is the cost for a small value stored on
a PED the same as a large value stored on a PED? My hope is that companies think
about insuring digital currency so when there is a rush to the exits of card
technology the infrastructure supporting digital currency exists.
Governments also will address certain aspects of digital
currency. Will users with PEDs containing large values need to declare such at
border crossings or will the movement be the same as a check book moving across
borders? Equally important to users is anonymity of purchases (not really
possible with signed values), so acceptance will depend on limited government
interference of value transfers and the preservation of the illusion of anonymity,
Governments need warrants before review of stored payment activity logs. Current
laws seem to offer adequate protection for users of digital currency, however,
knowing the predilection of governments to know of large value transfers, some
new laws are almost inevitable. I only
hope that excessive lawmaking zeal will not nip the bud before it blooms.
No comments:
Post a Comment