Security issues are a major source of concern for everyone both inside and outside the banking industry. E-money increases security risks, potentially exposing hitherto isolated systems to open and risky environments. All retail payment systems themselves are vulnerable in some way, e-money products raise some more issues such as authentication and non-repudiation, integrity and privacy.
Security breaches could occur at the level of the consumer, the merchant or the issuer, and could involve attempts to steal consumer or merchant devices, to create fraudulent devices or messages that are accepted as genuine, to alter data stored on or contained in messages transmitted between devices, or to alter the software functions of a product. Security attacks would most likely be for financial gain, but could also aim to disrupt the system. Security breaches essentially fall into three categories: breaches with serious criminal intent (e.g. fraud, theft of commercially sensitive or financial information), breaches by ‘casual hackers?(e.g. defacement of web sites or ‘denial of service?- causing web sites to crash), and flaws in systems design and/or set up leading to security breaches (e.g. genuine users seeing / being able to transact on other users?accounts). All of these threats have potentially serious financial, legal and reputational implications.
Therefore, it is crucial important to assess whether the institution's proposed system is sound and the service provided through the Internet will have adequate security. Surely there no absolute security exists in either the electronic or physical world of banking. However, the level of security should be "fit for purpose". The fundamental objectives that security arrangements of e-money products should try to achieve are to:
a. restrict access to the system to those users who are authorised; b. authenticate the identity and authority of the parties concerned to ensure the enforceability of transactions conducted through the internet; c. maintain the secrecy of information while it is in passage over the communications network; d. ensure that the data has not been modified either accidentally or fraudulently while in passage over the network; and e. prevent unauthorised access to the bank's central computer system and database.
There are specific security features available to protect e-money products, which are perceived to lie in the use of encryption, electronic signatures and, in some cases, in certificates issued by third parties, known as Trusted Third Parties (TTPs). A key safeguard for card-based schemes is to make the microchip embedded in the card tamper-resistant. A critical safeguard for both card-based and software-based schemes is the encryption technology used to authenticate e-money devices and messages and to protect data on the devices from unauthorised alteration. Maximum limits on the amount that can be held on e-money devices and on the transaction value can play an important role in containing losses in the event of a security breach.
The use of all kinds of security tools can provide security that is comparable to that offered in physical transactions. However, as with a physical transaction, the effectiveness of such measures is largely dependent on their proper implementation and the establishment of a set of comprehensive policies and procedures that are rigorously enforced. Continuing developments in security technology are required to maintain the effectiveness of security measures on an ongoing basis as new threats to existing systems arise over time. Banks should accordingly be responsible for ensuring that they keep up with such developments on a continuing basis. Unless they do this, their existing security measures may quickly become obsolete. If security breaches arise from this, it would not only expose the banks to risk of loss, but also more generally undermine the confidence of their customers. All the evidence suggests that security is very much at the forefront of customers' minds in deciding whether to use this new medium.
2. Privacy
As mentioned above, sound practice requires the ability to track and verify that the proper exchanges occur which ensuring that only authenticated parties and payment mechanisms are involved in the exchange, and that they exchange only those items for which they are authorized. However, consumers may fear that their financial, credit and spending information derived from e-money transactions or products could be used without their knowledge or permission. And these fears will be widespread and strongly held when e-banking and the use of e-money becomes more widespread. With the growth of e-money, the spread of crime is likely to accompany the vastly increased storage and transmission of customer financial information. Therefore, many parties want the option of anonymous financial transactions. However, it is difficult to be widely accepted due to security concerns and money laundering. Even so, to achieve widespread confidence, all participants in the system such as banks, other issuers, consumers and merchants, must have certain basic information about the rules governing the use of e-money products. The consumer must be guaranteed that any information exchanged will be transmitted only to properly authenticated parties and only to the extent to which they are authorized to receive the information.
3. Legal risks
Other than the above-said security and privacy concerns, there are also some legal risks surrounding e-money. Legal risk arises from violation of laws, regulations or prescribed practices, such as money laundering, customer disclosures, privacy protection, etc. Legal risk may also arise when the legal rights and obligations of parties are not well established. The contractual and legal relationships between consumers, retailers, issuers and operators might be complex. Schemes differ as to when payment is final and also as to whether the consumer or the merchant bears the credit, settlement and other risks until settlement has occurred. A major concern is whether the rights and obligations of all the parties involved are certain and transparent. For example, issues could arise regarding liability in the event of fraud, counterfeiting, accident or the default of one or more of the participants. [首页][上一页][下一页][末页]
(本文作者:杨春宝律师,来自:法律桥,引用及经许可转载时均应注明出处)
