Title: The Security of Financial Transactions
1 The Security of Financial Transactions
- Introduction: the security purpose of money
- More about the history of money
- Double-entry bookkeeping
- Banking records and data processing
- The Clark-Wilson integrity model
- The purpose of audit
- Financial transaction network protocols
- Cryptographically anonymised money
- Limits of digital anonymous money
2 The security purpose of money
- One way to look at money is as a security construct. Alice has one more camel than she needs, which Bob wants. How is Alice going to ensure that Bob values it at least as much as she does, and that she can obtain something of value to her in return?
- In an ideal world where people would always respect property and provide others with what they needed, money would not be required: Alice would know that Bob would look after the camel well, and that she is as likely to receive from others what she needs as Bob is to be able to use and look after the camel. Money is needed because people are not always honest, generous, economical and willing to help.
3 Origin of banking
- Direct barter, e.g. getting a lump of valuable metal in return, isn't always practical. So Mallory, who has a strongroom, acts as banker to Alice, keeping the piece of gold Bob gave for the camel and giving her a piece of paper to indicate the deposit. Mallory soon discovers that the gold stays in his strongroom long enough that he can issue 7 notes for every measure of gold with little risk. One banknote goes to Alice and the other six are either lent out by Mallory at interest, or perhaps he invests them himself by building houses for rent. If Mallory's notes carry serial numbers, this makes it easier to trace thieves who steal them from Alice, or forgers who make copies of them.
4 Money as information
- Nowadays 97% of the money in circulation in the UK is in the form of chequable and electronically transferable deposits and credit card limits. The world still contains our cast of characters intent on attacking the system, such as Joe Semtex the bank robber, Ethel the bent securities trader and Dmitry the money launderer. But with less cash moving around and more of the electronic equivalent, Joe's audacious armed raids on security vans are netting fewer returns for greater risks, while Dmitry's and Ethel's criminal activities are expanding. The increasing complexity of the system has given our cast of criminal misfits more possible modes of attack.
5 Security services or protection racket?
- The job of the financial security engineer, closing an increasing number of holes, isn't getting easier. Considering the rewards Mallory obtained from building the strongroom in which Alice kept her gold, we shouldn't forget the price everyone else has ended up paying to those who succeed in providing various kinds of security, or in persuading people who thought they didn't need it that they do.
- George Bernard Shaw: "every profession is a conspiracy against the laity".
- Andrew Carlan: "The third law of politics is that power abhors a vacuum". The difference between lawful and unlawful security services depends upon who makes the laws.
6 Early history of money
- Various histories (e.g. Adam Smith, "The Wealth of Nations") suggest that money started out as lumps of valuable metal. The earliest metal coins date from around 650 BC. If recent archaeological discoveries concerning ancient forms of accounting are correctly interpreted, earlier money may have taken the more abstract form of clay warehouse receipts representing the goods concerned, 3000 years before coins were first made.
7 Did tax accounting precede writing?
- "The immediate precursor of cuneiform writing was a system of tokens. These small clay objects of many shapes--cones, spheres, disks, cylinders, etc.--served as counters in the prehistoric Near East and can be traced to the Neolithic period, starting about 8000 B.C. They evolved to meet the needs of the economy, at first keeping track of the products of farming, then expanding in the urban age to keep track of goods manufactured in workshops. The development of tokens was tied to the rise of social structures, emerging with rank leadership and coming to a climax with state formation.
- Also, corresponding to the increase in bureaucracy, methods of storing tokens in archives were devised. One of these storage methods employed clay envelopes, simple hollow clay balls in which the tokens were placed and sealed. A drawback of the envelopes was that they hid the enclosed tokens. Accountants eventually resolved the problem by imprinting the shapes of the tokens on the surface of the envelopes prior to enclosing them. The number of units of goods was still expressed by a corresponding number of markings. An envelope containing seven ovoids, for example, bore seven oval markings." - Denise Schmandt-Besserat
8 Double-Entry Bookkeeping
- Early systems of accounting had to deal with the occasional corrupt insider. When business became too complex to trust record keeping to one person in one place, double-entry bookkeeping was invented. This still doesn't seem obvious, but the principle is that every transaction is recorded twice, in two different books or ledgers, so that the entries always balance: in the banking example, in one book as an asset and in another as a liability. For example, a customer of a bank makes a cash deposit. From the bank's point of view, the contents of the cash till represent an asset, and the customer's deposit account is the bank's liability. It is obvious that the bank needs to keep score in terms of the deposit account; the second entry means the till is scored as well. Double-entry accounting extends to each bank branch, not just the business as a whole.
9 DEB FAQs 1
- Q. Why keep a separate record of what goes in and out of the cash till as well as of deposit accounts?
- A. Because the ledger recording money in and out of the till should then correspond with the amount of cash physically in the till. Without it, if the amount of money in the till is wrong, the discrepancy could not so easily be traced.
10 DEB FAQs 2
- Q. But isn't a business supposed to make a profit, and isn't this an asset?
- A. Yes, but the profit a business makes belongs to its shareholders. If a bank has cash in the vault, or owns deposits elsewhere, which result from higher earnings than costs (i.e. profit), these will appear in the books as assets. Any profits made are also immediately a liability that the business has to its owners, from the moment the profit is made, so if the book recording profits which the business owes to shareholders is kept up to date then all the books still balance.
11 DEB FAQs 3
- Q. What happens if a business makes a loss?
- A. To start with, a business needs investment. This asset is capital the business can use to launch operations before it starts making a profit. In the liabilities book this is what the business owes to its owners and creditors. A loss reduces the assets and, correspondingly, what is owed to the owners.
- A business becomes insolvent when its liabilities exceed its assets to the extent that creditors have to reduce their expectations of what the business can pay back; after these adjustments are made, the books still balance.
12 Banking records and data processing 1
- Accounting master file
- This will contain each customer's current balance, previous transactions over a certain period, and a carry-forward amount for the start of this period.
- Ledgers
- These track assets such as cash on their way through the system.
13 Banking records and data processing 2
- Journals
- These track transaction inputs from cheque sorters, cash machines etc. not yet posted to ledgers.
- Audit trail
- This records which member of staff did what, and when.
14 Banking records and data processing 3
- Batch Processing
- A set of programs runs in sequence at the end of a day's business, to take input data from the various journals and update the relevant ledgers. An example might be a cash deposit by a customer into a savings account. The relevant journals should include deposits into savings accounts and cash in and out of the till. After all the inputs have been used to update the ledgers, all the asset and liability ledgers should still balance. If they don't, this indicates an error which is investigated.
- The order in which batch programs are run can influence the outcome, e.g. making payments into accounts occur before payments out of them reduces the risk of spurious overdrafts.
15 Banking records and data processing 4
- Transaction Processing
- The reason for having separate journals and ledgers is that this enables a batch to be rerun from the same starting state if a failure occurs before the batch completes. Backup copies of all files have to be taken before a batch job is started, and these files, which determine the starting state of the system, are restored prior to a rerun.
- Software engineers describe the approach to data processing where a set of related updates either completes as a unit or is rewound to the starting state as transaction processing. Preventing accidental discrepancies and maintaining the security of the system are intimately connected concerns.
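The following is an added illustration of slides 8 to 15 in working code, not code from the slides themselves: a toy double-entry ledger in which the day's transactions are journaled, posted to the asset and liability ledgers by an end-of-day batch that credits customer accounts before debiting them, checked by a trial balance, and rewound to a snapshot if anything fails mid-batch. The ledger names, amounts, the overdraft rule and the simulated crash are constructed.

```python
# Toy double-entry ledger with day-journals, an end-of-day batch run, an
# ordering rule (credits to customer accounts before debits) and a rerun
# from snapshot after a mid-batch failure. Added illustration, not code from
# the slides; account names, amounts and the "crash" are constructed.
import copy
from dataclasses import dataclass

ASSET, LIABILITY = "asset", "liability"


class Overdraft(Exception):
    pass


@dataclass
class Ledger:
    name: str
    kind: str          # ASSET or LIABILITY
    balance: int = 0   # integer pence: never floating point for money


@dataclass
class JournalEntry:
    debit: str         # ledger debited
    credit: str        # ledger credited
    amount: int
    memo: str


class Books:
    def __init__(self):
        self.ledgers = {}
        self.journal = []     # captured during the day, not yet posted
        self.audit_log = []   # append-only: survives a rolled-back batch
        self.last_error = None

    def open(self, name, kind):
        self.ledgers[name] = Ledger(name, kind)

    def record(self, debit, credit, amount, memo):
        """Journal a transaction; no ledger is touched until the batch runs."""
        if amount <= 0:
            raise ValueError("amounts must be positive")
        if debit not in self.ledgers or credit not in self.ledgers:
            raise KeyError("unknown ledger")
        self.journal.append(JournalEntry(debit, credit, amount, memo))

    def _post(self, e):
        """Double entry: one debit and one credit of equal amount."""
        for name, sign in ((e.debit, +1), (e.credit, -1)):
            l = self.ledgers[name]
            # A debit raises an asset balance and lowers a liability balance; a credit the reverse.
            l.balance += sign * e.amount if l.kind == ASSET else -sign * e.amount
            if l.kind == LIABILITY and l.balance < 0:
                raise Overdraft(f"{name} would be overdrawn by {-l.balance}")
        self.audit_log.append(f"posted {e.amount} dr {e.debit} cr {e.credit} ({e.memo})")

    def trial_balance(self):
        """IVP: total assets must equal total liabilities (owners' capital included)."""
        total = {ASSET: 0, LIABILITY: 0}
        for l in self.ledgers.values():
            total[l.kind] += l.balance
        return total[ASSET] == total[LIABILITY]

    def run_batch(self, ordered=True, crash_after=None):
        """End-of-day batch: snapshot, post, verify; on any failure rewind to the snapshot."""
        snapshot = copy.deepcopy((self.ledgers, self.journal))
        entries = self.journal
        if ordered:
            # Stable sort: payments *into* customer (liability) accounts are posted first.
            entries = sorted(entries, key=lambda e: 0 if self.ledgers[e.credit].kind == LIABILITY else 1)
        try:
            for i, e in enumerate(entries):
                if i == crash_after:
                    raise RuntimeError("simulated crash mid-batch")
                self._post(e)
            if not self.trial_balance():
                raise RuntimeError("ledgers do not balance after posting")
            self.journal = []        # journal consumed only once the whole batch succeeded
            self.last_error = None
            return True
        except Exception as exc:     # overdraft, crash or imbalance: rewind to the starting state
            self.ledgers, self.journal = snapshot
            self.last_error = str(exc)
            self.audit_log.append(f"batch aborted: {exc}")
            return False


def demo(ordered=True, crash_after=None):
    """Constructed day: Alice's withdrawal reaches the journal before her deposit."""
    b = Books()
    b.open("Till", ASSET)
    b.open("Alice", LIABILITY)
    b.open("Capital", LIABILITY)
    b.record("Till", "Capital", 10000, "opening capital")
    b.record("Alice", "Till", 300, "Alice ATM withdrawal")
    b.record("Till", "Alice", 500, "Alice cash deposit")
    ok = b.run_batch(ordered=ordered, crash_after=crash_after)
    return ok, b


if __name__ == "__main__":
    for args in ({}, {"ordered": False}, {"crash_after": 1}):
        ok, b = demo(**args)
        print(args, "ok" if ok else f"aborted: {b.last_error}", {n: l.balance for n, l in b.ledgers.items()})
```

Run unordered, the same day's journal aborts on a spurious overdraft; run with the credits-first rule it balances at Till 10200 against Alice 200 plus Capital 10000. After a simulated crash the ledgers and journal are back at the starting state and the batch can simply be rerun, while the audit log keeps the record of the aborted attempt.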
16 Separation of Duties
- If double-entry books are kept by different clerks, or computers, or sandboxed processes, containers or virtual machines under the control of different administrators, fraud requires the collusion of 2 or more members of staff. This is otherwise known as "shared control".
- This principle is extended in banking to ensure that one member of staff doesn't have too much influence over the systems that keep track of what they do. Giving Nick Leeson management control over both the Barings Bank Singapore dealing room and its back office operations at the same time violated this principle. The events leading up to this and the consequent collapse of Barings Bank were described in the film "Rogue Trader".
17 The Clark-Wilson integrity model
- This is based on an analysis of the procedures adopted by the banking industry, built on the concepts described above and formulated into a set of rules.
- The Bell-LaPadula model relevant to Multi-Level Security is primarily concerned with information confidentiality. The Clark-Wilson model (CWM) is concerned with information integrity.
18 Clark-Wilson model terms: UDI, CDI, TP
- UDI - Unconstrained Data Item, e.g. an input to the system prior to authentication and validation.
- CDI - Constrained Data Item, e.g. a validated and authenticated input, the processing of which maintains accounting balance.
- TP - Transformation Procedure. A means of transforming input data into output CDIs which maintains the integrity of CDIs and which writes enough information to an append-only CDI (the audit trail) to enable the transaction to be reconstructed.
19 Clark-Wilson model terms: IVP, user, triple
- IVP - Integrity Verification Procedure: a procedure used to check the validity of a CDI, e.g. that the books balance.
- user - a subject or agent such as a bank clerk, ATM engineer, forex dealer, systems programmer or security officer, typically having insider access.
- triple - Access control is by means of triples (user, TP, CDI), so that shared control is enforced.
20 Clark-Wilson rules C1, C2 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
- The model consists of two sets of rules: Certification Rules (C) and Enforcement Rules (E). The nine rules ensure the external and internal integrity of the data items. To paraphrase these:
- C1 - When an IVP is executed, it must ensure the CDIs are valid.
- C2 - For some associated set of CDIs, a TP must transform those CDIs from one valid state to another.
21 Clark-Wilson rules E1, E2 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
- Since we must make sure that these TPs are certified to operate on a particular CDI, we must have E1 and E2.
- E1 - The system must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI.
- E2 - The system must associate a user with each TP and set of CDIs. The TP may access the CDI on behalf of the user if it is "legal".
22 Clark-Wilson rules C3, E3 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
- This requires keeping track of triples (user, TP, CDIs) called "allowed relations".
- C3 - Allowed relations must meet the requirements of "separation of duty".
- We need authentication to keep track of this.
- E3 - The system must authenticate every user attempting a TP. Note that this is per TP request, not per login.
23 Clark-Wilson rules C4, C5 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
- For security purposes, a log should be kept.
- C4 - All TPs must append to a log enough information to reconstruct the operation.
- When information enters the system it need not be trusted or constrained (i.e. it can be a UDI). We must deal with this appropriately.
- C5 - Any TP that takes a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to a CDI) or reject the UDI.
24 Clark-Wilson rules E4 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
- Finally, to prevent people from gaining access by changing the qualifications of a TP:
- E4 - Only the certifier of a TP may change the list of entities associated with that TP.
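As an added example of slides 16 to 24 (not the model's or the slides' own code), here is a small reference monitor that enforces the nine rules over a two-step transfer: a clerk enters an instruction that moves money into a "pending" CDI, and a different user must release it. The users, passwords, CDIs, the conflict pair that defines separation of duty, and the conserved-total IVP are all constructed for the example.

```python
# Toy Clark-Wilson reference monitor: certified relations (E1), allowed
# triples (E2), separation of duty between TPs (C3), per-request
# authentication (E3), append-only log (C4), UDI accept-or-reject (C5),
# certifier-only administration (E4) and an IVP (C1) run after every TP (C2).
# Added illustration, not the slides' code; users, passwords and CDIs are constructed.
import hashlib
import hmac


class Denied(Exception):
    """An enforcement rule refused the request."""


def _hash(password):
    # Constructed toy credential store; a real one uses a slow KDF and per-user salts.
    return hashlib.sha256(b"toy-salt:" + password.encode()).digest()


class Monitor:
    def __init__(self, certifier, ivp, conflicts=()):
        self.cdis = {}                  # constrained data items: name -> value
        self.tps = {}                   # transformation procedures: name -> callable
        self.certified = {}             # E1: tp -> frozenset of CDIs it may change
        self.allowed = set()            # E2: (user, tp, frozenset(cdis)) triples
        self.conflicts = {frozenset(c) for c in conflicts}   # C3: TP pairs no single user may hold
        self.credentials = {}
        self.log = []                   # C4: append-only audit trail
        self.certifier = certifier      # E4: the only principal allowed to edit relations
        self.ivp = ivp                  # C1: validity check over all CDIs

    def enrol(self, user, password):
        self.credentials[user] = _hash(password)

    def _authenticate(self, user, password):
        if not hmac.compare_digest(self.credentials.get(user, b""), _hash(password)):
            raise Denied("authentication failed")

    # administration: E4, only the certifier may touch these tables
    def certify(self, by, tp, fn, cdis):
        if by != self.certifier:
            raise Denied("only the certifier may change TP certifications")
        self.tps[tp], self.certified[tp] = fn, frozenset(cdis)

    def allow(self, by, user, tp, cdis):
        if by != self.certifier:
            raise Denied("only the certifier may change allowed relations")
        cdis = frozenset(cdis)
        if not cdis <= self.certified.get(tp, frozenset()):          # E1
            raise Denied(f"{tp} is not certified for {sorted(cdis)}")
        for u, other, _ in self.allowed:                               # C3
            if u == user and frozenset((tp, other)) in self.conflicts:
                raise Denied(f"{user} may not hold both {tp} and {other}")
        self.allowed.add((user, tp, cdis))

    def run(self, user, password, tp, cdis, *args):
        self._authenticate(user, password)                             # E3: every request, not per login
        cdis = frozenset(cdis)
        if (user, tp, cdis) not in self.allowed:                       # E2
            raise Denied(f"{user} may not run {tp} on {sorted(cdis)}")
        before = {c: self.cdis[c] for c in cdis}
        after = dict(before)                                           # the TP sees only these CDIs
        try:
            result = self.tps[tp](after, *args)
        except ValueError as exc:                                      # C5: a rejected UDI changes nothing
            self.log.append((user, tp, "rejected", str(exc)))
            raise Denied(f"input rejected: {exc}")
        if set(after) != cdis:
            raise Denied(f"{tp} touched CDIs outside its certification")
        candidate = {**self.cdis, **after}
        if not self.ivp(candidate):                                    # C1/C2: must land in a valid state
            raise Denied(f"{tp} would leave the CDIs invalid")
        self.cdis = candidate
        self.log.append((user, tp, "ok", before, after))               # C4: enough to reconstruct the step
        return result


TOTAL = 1000   # constructed: money in the toy system is conserved


def balanced(cdis):
    """IVP: every CDI is a non-negative integer and the books balance."""
    return all(isinstance(v, int) and v >= 0 for v in cdis.values()) and sum(cdis.values()) == TOTAL


def enter_transfer(view, udi):
    """TP taking a UDI: accept a well-formed, funded instruction or reject it (C5)."""
    parts = udi.split()
    if len(parts) != 3 or parts[0] != "transfer" or not parts[2].isdigit():
        raise ValueError("malformed instruction")
    src, amount = parts[1], int(parts[2])
    if src not in view or view[src] < amount:
        raise ValueError("unknown source or insufficient funds")
    view[src] -= amount
    view["pending"] += amount       # a second user must release it before it reaches the payee
    return amount


def approve_transfer(view, dst):
    """TP run by a different user: releases whatever is pending into dst."""
    if dst not in view:
        raise ValueError("unknown destination")
    amount, view["pending"] = view["pending"], 0
    view[dst] += amount
    return amount


def build():
    m = Monitor("secoff", balanced, conflicts=[("enter_transfer", "approve_transfer")])
    m.cdis.update({"Alice": 700, "Bob": 300, "pending": 0})
    for u in ("clerk", "supervisor", "secoff"):
        m.enrol(u, u + "-pw")
    m.certify("secoff", "enter_transfer", enter_transfer, ["Alice", "pending"])
    m.certify("secoff", "approve_transfer", approve_transfer, ["Bob", "pending"])
    m.allow("secoff", "clerk", "enter_transfer", ["Alice", "pending"])
    m.allow("secoff", "supervisor", "approve_transfer", ["Bob", "pending"])
    return m


def is_denied(fn, *args):
    """True if the monitor refuses the call."""
    try:
        fn(*args)
        return False
    except Denied:
        return True
```

Note what each refusal corresponds to: a wrong password fails at E3 on that request even though the user is enrolled; the clerk asking to run approve_transfer fails at E2; the security officer trying to grant the clerk approve_transfer fails at C3; anyone but the security officer calling certify fails at E4; and a malformed or unfunded instruction is rejected by the TP under C5 with the CDIs untouched and the rejection logged.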
25 Limitations of Clark-Wilson 1
- This policy formulation only goes so far in protecting a system against dishonest insiders. Rule C3 requires a "separation of duties" but doesn't specify what this means.
- Another problem referred to by Ross Anderson in "Security Engineering", Wiley 2001, is that some transactions require more than one TP in order to be fully validated, e.g. a chequing account that requires 2 signatures. This results in a pending transactions file, where there would normally be an expectation that entries in this ledger are completed or removed within a limited period of time, e.g. 3 days.
26 Limitations of Clark-Wilson 2
- Anderson describes an attack where a bank clerk siphoned money out of the system into a friend's account via a suspense account, into which new transactions were continually input to cover the imbalance. Eventually the clerk responsible for the fraud became unable to keep track of the growing number of transactions. Having a rule that every bank employee has to take at least one week's holiday every 6 months reduces the risk of someone being able to maintain this kind of juggling act without being noticed for very long.
27 The purpose of Audit
- It's one thing for an organisation to keep books and records. It's another for these records to pass muster with an independent and experienced professional who comes in unannounced at any time to check them and confirm whether or not the records correspond to reality. Banks do this more frequently using internal auditors, but the accounts of all organisations over a certain size have to be externally audited once a year. In practice auditors will tend to check samples of activity. The purpose of an audit isn't to prove that a system contains no errors, but to carry out spot checks which help encourage participants to stay honest and alert, by risking detection of any dishonesty or sloppy oversight through audit.
28 Financial Transaction network protocols
- In any protocol that involves a sequence of messages between the initiator (client) and the responder (server), it is possible for the last message in the protocol to be lost. The sender and receiver of this last message are now in different states concerning the same transaction.
- For some purposes, e.g. sending an email, the client might simply resend later. This can result in the same email being received more than once.
- Financial protocols have to be stateful, to avoid missed or duplicate payments. The final message can be re-requested later, until both initiator and responder are in certain and compatible states concerning an identified transaction.
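The exchange described above, as an added example that is not part of the slides: the responder records the outcome of every payment under a client-chosen transaction identifier, so when the final message is lost the initiator asks for the outcome of that same identifier instead of issuing a new payment. The e-mail-style "just resend" behaviour is included for contrast and pays twice. The message formats, starting balances and the schedule of lost messages are constructed.

```python
# Two-party payment exchange over a lossy link. The bank keeps a table of
# completed transactions keyed by a client-chosen txid, so a lost final
# message is resolved by asking about the *same* transaction. The naive
# variant resends a fresh request, as the e-mail case does, and pays twice.
# Added illustration, not the slides' code; formats and drop schedule are constructed.
import secrets


class Bank:
    """Responder. `done` is the state that makes the protocol stateful."""
    def __init__(self):
        self.balances = {"Alice": 1000, "Bob": 0}
        self.done = {}          # txid -> recorded outcome

    def handle(self, msg):
        txid = msg["txid"]
        if txid in self.done:   # PAY replayed or STATUS asked: repeat the recorded outcome
            return {"type": "RESULT", "txid": txid, **self.done[txid]}
        if msg["type"] == "STATUS":
            return {"type": "UNKNOWN", "txid": txid}
        ok = self.balances[msg["from"]] >= msg["amount"]
        if ok:
            self.balances[msg["from"]] -= msg["amount"]
            self.balances[msg["to"]] += msg["amount"]
        self.done[txid] = {"ok": ok}
        return {"type": "RESULT", "txid": txid, "ok": ok}


class Channel:
    """Unreliable link: the n-th message (requests and replies both counted) is lost if n is in `drops`."""
    def __init__(self, bank, drops):
        self.bank, self.drops, self.seq = bank, set(drops), 0

    def send(self, msg):
        self.seq += 1
        if self.seq in self.drops:
            return None             # request lost
        reply = self.bank.handle(msg)
        self.seq += 1
        if self.seq in self.drops:
            return None             # reply (the protocol's last message) lost
        return reply


def pay(channel, src, dst, amount, naive=False, max_tries=6):
    """Initiator. Returns the agreed RESULT, or None if still uncertain after max_tries."""
    txid = secrets.token_hex(8)
    pay_msg = {"type": "PAY", "txid": txid, "from": src, "to": dst, "amount": amount}
    msg = pay_msg
    for _ in range(max_tries):
        reply = channel.send(msg)
        if reply is None and naive:
            # E-mail style: send it again as a brand-new request.
            pay_msg = dict(pay_msg, txid=secrets.token_hex(8))
            msg = pay_msg
        elif reply is None:
            # Stateful: re-request the outcome of the same identified transaction.
            msg = {"type": "STATUS", "txid": txid}
        elif reply["type"] == "UNKNOWN":
            msg = pay_msg           # the PAY itself never arrived: resend it with the same txid
        else:
            return reply            # both sides now hold the same outcome for txid
    return None                     # still uncertain: do not re-issue, hand over to reconciliation


def run(drops, naive=False):
    """One payment of 100 from Alice to Bob over a link with the given drop schedule."""
    bank = Bank()
    reply = pay(Channel(bank, drops), "Alice", "Bob", 100, naive=naive)
    return reply, dict(bank.balances)


if __name__ == "__main__":
    print("reply lost, stateful:", run({2}))
    print("reply lost, naive:   ", run({2}, naive=True))
    print("request lost:        ", run({1}))
```

Dropping message 2 (the bank's reply) leaves the stateful client unsure, but its STATUS query is answered from the bank's table and Alice is debited once; the naive client ends with Alice debited twice. Dropping message 1 (the request) makes STATUS return UNKNOWN, and the same txid is re-sent. If every reply is lost the client gives up uncertain rather than re-issuing, which is the correct outcome for a payment.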
29 Anonymous money 1
- Probably the most useful form of anonymous money currently is conventional cash. You don't have to know who is spending it to authenticate it when you accept it, and you don't have to say who you are when you spend it.
- But cash isn't used for Internet purchases. In the early 1990s, a number of libertarians designed, developed and campaigned for the concept of digital anonymous cash. This digital money was cryptographically "blinded" so as to prevent the bank knowing who was paying how much for what, while including protocols preventing double spending of digital tokens.
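The blinding and double-spend check just described, as an added example rather than any product's or the slides' own code: the payer multiplies the hashed serial number of a token by r^e before the bank signs it with textbook RSA, then divides r back out, so the bank certifies a serial it never saw; at deposit time the bank checks the signature and refuses a serial it has already accepted. The RSA pair is a constructed toy key from two small well-known primes, the hash-to-integer step is unpadded, and the spent-list is an in-memory set, all of which demonstrate the protocol and none of which would be acceptable in a real system. Requires Python 3.8 or later for `pow(x, -1, n)`.

```python
# Chaum-style blinded token issue and double-spend check over textbook RSA.
# Added illustration, not the slides' or any product's code; the key,
# serial numbers, hash-to-integer step and spent-list are constructed.
import hashlib
import secrets
from math import gcd

P, Q = 104729, 1299709              # constructed toy primes (far too small for real use)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # valid because gcd(E, phi) == 1 for these primes


def h(serial):
    """Hash a token's serial number to an integer below N (toy; no padding)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    def __init__(self):
        self.seen_blinded = []     # everything the bank saw at issue time
        self.spent = set()         # serials already redeemed

    def sign_blinded(self, blinded):
        """Signs the blinded value: the bank never learns the serial it is certifying."""
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, coin):
        """Payee presents (serial, signature); bank checks the signature, then the serial."""
        serial, sig = coin
        if pow(sig, E, N) != h(serial):
            return "forged"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "accepted"


def withdraw(bank):
    """Payer: pick a serial and blinding factor r, get m*r^e signed, then strip r."""
    serial = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (h(serial) * pow(r, E, N)) % N
    blind_sig = bank.sign_blinded(blinded)          # = (m r^e)^d = m^d r   (mod N)
    sig = (blind_sig * pow(r, -1, N)) % N           # = m^d, the signature on the serial alone
    return serial, sig


def unlinkable(bank, coin):
    """What the bank saw at issue time does not reveal which serial it signed."""
    serial, _ = coin
    return h(serial) not in bank.seen_blinded
```

The property to notice is that `sign_blinded` and `deposit` see unrelated numbers for the same token, so the bank cannot match a withdrawal to a spend, yet a second deposit of the same serial is refused and a tampered signature fails verification.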
30 Anonymous money 2
- One reason why anonymous digital cash may be less necessary than advocates including Hettinga and Chaum suggested is data protection law preventing unwarranted use by banks of customer records. Another factor concerns the improved security the bank customer obtains precisely from the accounting carried out by the bank. Sacrificing this for anonymity is likely to be something few will feel the need to do other than for small payments.
31 The Bitcoin network
- This involves the cryptographic discovery and signing of special numbers, or 'Bitcoins', which results in a proof of work. Initial and earlier 'mining' efforts were more productive of new valid Bitcoins than later ones, as there is a finite number to be discovered. Validation of the next transaction block results in knowledge of which cryptographic keys control which identified Bitcoins. This involves network 'consensus' between those engaged, so security depends upon no single party or conspiracy being able to establish a majority of the network's proof-of-work capacity.
- Accepting and spending these in a genuinely 'anonymous' way seems difficult, as does securing a wallet. Dealers between Bitcoins and other currencies are at risk of conventional payment repudiation unless contract terms enforce use of cleared funds only. Some have likened this network to a Ponzi scheme, as holder belief in value and lack of underwriting create similar financial characteristics.
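The proof-of-work and block-validation mechanics referred to above, as an added example that is neither Bitcoin's code nor the slides': mining searches for a nonce whose block hash has enough leading zero bits, checking a block costs one hash, and because each block commits to the previous hash, changing an old record without re-mining breaks validation, while re-mining honestly costs fresh work for every later block. That is the sense in which a party holding less than a majority of the hashing capacity cannot reliably rewrite history. The block layout, difficulty and records are constructed.

```python
# Hash-based proof of work and chain validation. Added illustration, not
# Bitcoin's or the slides' code; block layout, difficulty and records are constructed.
import hashlib

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, data, nonce):
    return hashlib.sha256(f"{index}|{prev_hash}|{data}|{nonce}".encode()).hexdigest()


def meets_target(digest_hex, difficulty_bits):
    """Proof of work: the hash must have difficulty_bits leading zero bits."""
    return int(digest_hex, 16) >> (256 - difficulty_bits) == 0


def mine(index, prev_hash, data, difficulty_bits):
    """Search nonces until the block hash meets the target; returns (block, attempts)."""
    nonce = 0
    while True:
        digest = block_hash(index, prev_hash, data, nonce)
        if meets_target(digest, difficulty_bits):
            return {"index": index, "prev": prev_hash, "data": data, "nonce": nonce, "hash": digest}, nonce + 1
        nonce += 1


def build_chain(records, difficulty_bits):
    """Mine each record on top of the previous block; returns (chain, total attempts)."""
    chain, work = [], 0
    for i, rec in enumerate(records):
        prev = chain[-1]["hash"] if chain else GENESIS_PREV
        block, attempts = mine(i, prev, rec, difficulty_bits)
        chain.append(block)
        work += attempts
    return chain, work


def valid_chain(chain, difficulty_bits):
    """Verification costs one hash per block; no search."""
    for i, b in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if b["prev"] != expected_prev:
            return False
        if block_hash(b["index"], b["prev"], b["data"], b["nonce"]) != b["hash"]:
            return False
        if not meets_target(b["hash"], difficulty_bits):
            return False
    return True


def tamper(chain, index, new_data):
    """Alter one past record without re-mining: the chain no longer validates."""
    forged = [dict(b) for b in chain]
    forged[index]["data"] = new_data
    return forged


def rewrite(chain, index, new_data, difficulty_bits):
    """Rewrite history properly: re-mine from `index` onward, paying work for every later block."""
    records = [b["data"] for b in chain]
    records[index] = new_data
    new_chain, work = chain[:index], 0
    for i in range(index, len(records)):
        prev = new_chain[-1]["hash"] if new_chain else GENESIS_PREV
        block, attempts = mine(i, prev, records[i], difficulty_bits)
        new_chain.append(block)
        work += attempts
    return new_chain, work


if __name__ == "__main__":
    chain, work = build_chain(["Alice pays Bob 5", "Bob pays Carol 2", "Carol pays Dave 1"], 16)
    print("mined with", work, "attempts; valid:", valid_chain(chain, 16))
    print("tampered valid:", valid_chain(tamper(chain, 1, "Bob pays Carol 200"), 16))
    print("rewrite cost:", rewrite(chain, 1, "Bob pays Carol 200", 16)[1], "attempts")
```

At difficulty d each block costs about 2^d hashes to mine and one hash to check; rewriting block k costs re-mining blocks k to the tip, and an attacker must do that faster than the rest of the network extends the honest chain, which is the majority condition.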
32 Limits of anonymous finance
- Electronic cash can probably never provide absolute anonymity because this conflicts with Carlan's third law of politics, that "power abhors a vacuum". The state would use any means at its disposal to close down those visibly underwriting a financial system sufficiently anonymous to be usable for an assassination market, because the latter would directly conflict with a primary purpose of the state. If the network were not underwritten, the state would pursue those advertising acceptance of anonymous payments.
- This doesn't prevent development of useful payment systems, e.g. based upon the London Oyster Card, where the recipient of small amounts of money can't identify the person making the payment.