Olsen became aware of the issue while educating customers in the use of JP Morgan's varied sites and trading platforms. In many cases, customers were not able to log on to the system. "They said they didn't have any problems with other sites and we found that the problem is that they're using non 128-bit technology," he says.
40-bit secure socket layer (SSL) is the encryption standard for the internet pioneered by Netscape. The more advanced 128-bit technology emerged in the mid-1990s, but its uptake has been made difficult by the US position on the export of strong encryption technology.
Because of the widespread use of 40-bit encryption when the internet first took off it didn't take long for the hackers to test its strength. The encryption was first cracked in 1995 by a French graduate student using 120 Unix machines networked together. It took him eight days. But according to Seamus Phan, CIO of consultancy firm McGallen and Bolden in Singapore, decoding 40-bit encryption now takes even less time. "Using tools freely available on the Internet, a hacker with an average Pentium class computer can now crack 40-bit encryption in a matter of hours," he says.
Many companies have had to work at incredible speed in the race to get online, and Olsen says some took shortcuts in their architecture and security. Because they didn't want to completely replace their existing systems, which were designed only to handle general information content, new transaction functionality is operating with the lower security of the legacy system.
"I think the companies with a large retail pool have probably had longer to get this right," says Olsen. "But the bigger problem is with the more institutionally focused financial companies ... Within the space of institutionally directed online underwriting tools, we encountered lots of problems."
Banks in trouble too
Phan says that in the Asian region the problem isn't just confined to online services aimed at other institutions. Although he's reluctant to name names, he says there are quite a few Asian banks still using 40-bit technology for their online retail operations.
But even if a company does use 128-bit encryption, it will only be secure if those using 40-bit technology are denied access to the service. Encryption technology is a two-way street, with traffic between the client and server. If one user successfully connects using 40-bit technology, that will become the encryption level for whole system, even if others have connected at 128-bit.
"The prominent banks, in Singapore for example UOB and DBS, are aware of this and are using 128-bit encryption as minimum, says Phan. "But in some other Asian countries they might not be aware of the relaxing of the munitions laws in the US."
Since World War II, the US government has classified cryptography as a munition, and tightly controlled the export of any product containing certain levels of cryptographic function. Up until a few years ago the export of products containing encryption stronger than 40-bit was totally banned. This included web browsers and server technology. The strategy of most software vendors, including Netscape and Microsoft, was to release domestic versions of their products with strong encryption and export versions with the weaker 40-bit.
Due to increasing pressure from the domestic IT industry and with other parts of the world commercializing 128-bit technology, the US Congress has gradually eased parts of the export ban. In July 1999 it passed the H.R. 850 bill, which finally lifted licensing requirements for all products with encryption up to 128-bit. This has allowed it to finally become the global standard for e-commerce encryption.