Electronic Checks: Method of Internet Cash Transfer or an Open Invitation to Hackers Into Your Wallet

This is being posted on alt.privacy, misc.consumers, and on sci.crypt (The last may be somewhat off subject but the implications of security [or lack thereof] in relation to codes that involve cash flow would be obvious).


First, I am posting this anonymously because I have a sufficiently high profile in business and my company often does business with many of the organizations listed below. While I have no personal ax to grind on this matter (other than the potential privacy concerns stated below), I do provide professional services the nature of which could be seen as having a position on both sides of this issue. Therefore, I have no desire to explain or defend my comments or views to my colleagues or clients who may, without justification, expect my personal feelings on these matters to reflect that of their own or their employer.

I am seeking comments, and discussion, on the following...


A recent New York Times report indicated that a serious project was underway to provide "Electronic Checks" for use on the InterNet. The checks would include a "digitized signature - a code designed to prove that payment was authorized by the account holder". The name of this project is "Electronic Check" and is managed by the "Financial Services Technology Consortium", Dan Schutzer, President (Vice President at CitiBank). This is NOT the same as the "stored value" "Smart Cash" card recently announced, although some of the players are the same.

Major financial players include:

1. Bank of America
2. Bank of Boston
3. Bank One
4. Bank of Montreal
5. Chemical Bank
6. CitiBank
7. Wells Fargo Bank

Other major players are:

1. BBN Inc.
2. Equifax
3. IBM Corp.
4. Information Resources Engineering Inc.
5. National Semiconductor
6. Sun Microsystems
7. Telequip

The *primary* interest of the financial players is obvious. I have not yet researched all of the other major players. However, I am at a loss to see what Equifax could contribute to such a consortium, but it is easy to see what they could gain by access to the data flow ... and I expect that they are trying to set themselves up as a "key holder". I, for one, am significantly uncomfortable with that scenario on multiple levels.

Given the package as a whole, and given that the best solution for the code would be PGP (currently available), and given that some (maybe all) of the players have a vested interest in a hardware intensive application of the stated goal, I suspect that we are seeing a rebirth of the "Clipper Chip" via the financial community. [Didn't someone recently post a comment forecasting such a possibility?] If not the clipper chip, this is at the *very least* a proprietary code totally controlled by (not the user) and of unknown (but suspected relatively weak) strength.

I am doubly perplexed because if *any single bank* wanted to accept electronic messages to transfer money they could do so TOMORROW! All that would be necessary would be for me to trot down to my local branch, deposit a copy of my public PGP key, sign a regular form for "machine generated signatures (facsimiles)", and them to accept/generate E-Mail through the InterNet. That's IT. There would be no more problem for the bank than if I used a "counter" check as opposed to my regular pre-printed checks. There is a small fee for this, but so what. (If there are any bank people reading this, please tell me where I am wrong.) I expect that the first Financial Institution (not necessarily a bank) to announce that it will work in this manner will get MANY new accounts ... but I digress.

The New York Times story also reported that this Electronic Check would contain all the information currently on a paper check, including the bank issuing the check, an account number, payment amount and the name of the payee ... in addition to a "digital" signature - a code designed to prove that the payment was authorized by the account holder.

This is already being touted as the next best thing to sliced bread and canned beer ... "Electronic Check is designed to be open, secure and convenient ... It will bring to electronic commerce on the Internet a level of security and confidence currently found only in traditional banking products." - quote attributed to Dan Schutzer in the New York Times.

I'm not sure about you, but I believe that there are many causes for concern. Not the least of which is having an "open check" which contains my account number (and presumably other information) floating around cyberspace for anyone to see ... this is without the risk of someone "hacking" my signature... and, there are *many* others. The potential loss of privacy concerning my transactions is important by itself.

The intent of this message is to stimulate conversation ... all comments are welcome and E-Mail is always accepted. My PGP public (anon) key is below:


To find out more about the anon service, send mail to help@anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
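
The workflow the post describes (a public key deposited with the bank, a check carrying bank, account number, payee and amount plus a digital signature) can be sketched as follows. This is an added example, not part of the original post and not the consortium's design: it shows that the signature detects an altered amount while the account number stays readable to anyone who sees the message. Toy textbook RSA stands in for PGP, and the field layout, function names and sample check are assumptions constructed for illustration.

```python
import hashlib
import json

# Toy textbook RSA standing in for the customer's PGP key pair (assumption).
# P and Q are the well-known Mersenne primes 2**521-1 and 2**607-1: good enough
# to demonstrate the flow, trivially factorable, never usable as a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the customer

FIELDS = ("bank", "account", "check_no", "payee", "amount")  # hypothetical layout

def canonical(check):
    """Serialize the fields in a fixed order so both sides hash identical bytes."""
    return json.dumps({k: check[k] for k in FIELDS}).encode()

def digest(check):
    return int.from_bytes(hashlib.sha256(canonical(check)).digest(), "big")

def sign(check):
    """Customer side: hash-then-sign with the private exponent (unpadded, toy)."""
    return pow(digest(check), D, N)

def bank_verify(check, signature, keys_on_file):
    """Bank side: fetch the public key deposited for the account, then verify."""
    key = keys_on_file.get(check["account"])
    if key is None:
        return False  # no key on file for this account
    n, e = key
    return pow(signature, e, n) == digest(check)

def demo():
    # Constructed sample check; every value here is made up.
    check = {"bank": "Example Bank", "account": "000123456",
             "check_no": "1001", "payee": "Acme Hardware", "amount": "125.00"}
    keys_on_file = {check["account"]: (N, E)}  # the key "deposited at the branch"
    sig = sign(check)
    altered = dict(check, amount="9125.00")    # amount changed in transit
    return {
        "genuine": bank_verify(check, sig, keys_on_file),
        "altered": bank_verify(altered, sig, keys_on_file),
        # Signing authenticates but does not hide: the account number is in clear.
        "account_visible": check["account"].encode() in canonical(check),
    }

if __name__ == "__main__":
    print(demo())
```

Hiding the account number in transit would require encrypting the signed check to the bank's key as well; the signature alone only proves who authorized it.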