
Recent Issues in cyber-domain pertinent to Fintech

Session 6: Cyber-Security and Intelligence

4:15 pm – 5:00 pm GMT

Keynote Talk

Bimal Roy (Indian Statistical Institute, Kolkata) – Recent Issues in cyber-domain pertinent to Fintech


Transcript:

Silvia Sanchez Ramon

We have the talk of Professor Bimal Roy of the Indian Statistical Institute in Kolkata. Professor Roy's main research focus is on combinatorics and optimization. So the title of the talk is Recent Issues in Cyber Domain Pertinent to Fintech. The floor is yours, sir.

Bimal Roy

Okay. Thank you. Thank you, Silvia. And let me thank Anindya and Sheri for inviting me. Because in this forum, you know, I'm basically a very unlearned man, because I have no idea about the domain that you have expertise in. I work basically in cryptography, and I initially agreed to be part of this conference in the first place because I want to learn this new domain myself, and where I could possibly use some sort of my cryptographic ledger system research topics in this domain. And just to say a little bit, right now I do have a project from the Royal Society, the British Royal Society, jointly with Professor Feng Hao at the University of Warwick, and we have been trying to use blockchain in different applications; we're trying to use it for elections. And now we have just started working on distributed finance, and in this context, me and Feng are both learning what is finance, and only then can you think of distributed finance. And the Royal Society has convinced us that we are capable of learning this and really doing some work in this area. And I want to talk in a very different way, because I thought, well, I'll be physically interacting with these people in a small group, and we have 30 people, and that would have been my major objective. But on this platform we're helpless; we have to use this platform. And I was trying to make a presentation. But meanwhile, I told Anindya and Sheri that I had some family debacle in just two days. Three of my family members out of four are COVID infected, and I'm the only fit person in the house. And the joke is that I am okay, not isolated, moving around in the house, because I have to take care of them. Now our houses are sealed, as is the rule of the city, houses sealed. So somebody leaves some supplies at the door and I collect them. And on top of that, a few days back, I lost my mother in that.
So I mean, I told them at one point of time to withdraw myself, but then I thought maybe I shouldn't do it. I should take a different approach. And I'll try to tell you just four different stories. Okay, and then at the end of these four stories, I'll tell what are the issues I foresee in this FinTech domain. Okay, the stories are very elementary, and they come from my own experience, my own experience from my childhood. The first story goes like this, and after each story, I'll bring out what the issues are in the FinTech domain. When I was very young, I remember my parents. I don't know if you know the history of India; many of you know that India got independence from the British in 1947. But at the same time, our state Bengal got divided. So one part became part of Pakistan, the other part became part of India. And then the border, movement, currency, everything became different. So my parents moved to this part, Calcutta, the Indian part, but he had his brother or other cousins left on the other side. So at the wedding of one of my cousins, long back, I was very young, I still remember the story. He was trying to send a gift for the wedding. Now, the regulations, you know, in Britain, you know, I've learned that the British people are so bureaucratic; I have been handling this Royal Society project for the last three, four years. I understand the bureaucracy of the British; I was always cursing the Indian bureaucracy.
But the bureaucracy says that if he has to send even a little money, he has to apply to the central bank, the Reserve Bank of India; in India he has to get permission, and then you could probably get a conversion to British pounds or US dollars, losing money at that, and then you can send that dollar or pound to East Pakistan, and the other person has to then convert it to the Pakistani rupee, the Pakistani money, and this takes anything between two to six months, such a bureaucratic process. And when he came to know that his niece is going to get married, then he found very quickly the quickest way; I think everybody would have known it.

I remember I was holding my father's hand and going to a near railway station, where there is a small grocery store. So he went there and he told him that, you know, I want to send my brother, who is in this little town of East Pakistan, I want to send this Indian money, 100 rupees, which is pretty large in the early 1960s. And then, okay, good. So he just gave a piece of paper, scribbled something illegible. My father didn't understand, I didn't understand. He says, you want to send 100 rupees, so give me 120 rupees. So my father gave 120 rupees, and in exchange he got this scribbled small piece of paper; it makes no sense to me, makes no sense to my father either. And then he said, you send this to your brother and ask your brother to go and meet a similar grocery store near in his town. Okay, so my father wrote a letter, put it in an envelope with this little piece of paper, and says go and visit that grocery store. Okay, and the envelope is mailed, and then as I understand it, he actually got the money from the other grocery store in the other country. So this is what I learned later on as Hawala, but this was very secure, and not a single person complained that they lost their money. Okay, such a physical communication, a very secure transaction. Now if I am a regulator, how can I stop this? Number one, there could be intelligence people who could identify that these shops are getting into this business. Okay, that's one way, but that's in place, that's not science. The other way could be what we call a brute force attack: track each and every letter which is going from this country to the other country, open it, read it and find something not explainable, okay, and then you try to catch the two persons, and here you can actually identify the persons, who is the sender and who is the receiver. Okay, but that is the brute force attack. So millions of mails are going from this country to that country.
Now exploring all the mails, opening the envelopes, checking them, the kind of manpower you need, the time you need, is impractical. And probably the intelligence was not that prompt. So the process went on very slowly. Okay, so this is the brute force attack, but today what happens? Okay, now, I want to make it more secure. I'm talking about sides; there's one flaw there, because in that system, the sender and the receiver both could be identified from this letter. So that is a point of weakness. So if I want to make this money exchange very smooth, I have to somehow get rid of this: if you can get hold of this communication, the state and the police should not understand who is sending to whom. To make it safer and more secure, I have to understand and make sure that by no means the sender's and the receiver's identity is revealed by this. Okay, so this is what we call cryptocurrency these days. Okay, so one of the things they have achieved in this one is that even if you track all the communications in the net, okay, if we go through all the mails and scan them by another computer program, it's almost impossible to find out who is sending to whom. The identity is really being kind of secured. So this is my first story. And this pertains to, I think, anything Fintech.

Sheri Markose

I just need a clarification, right? You’re right about the identity but people know we would be able to say who the wallets are from right because that is public information.

Bimal Roy

No, no, no, no, I'll come to that later on, in the next story, because my stories are given one by one. They're all in a string. So your concern will be taken care of in the second story. Okay, so this is one of my favorite plays; I read the play in my own language, Bengali, written by one of our greatest writers, Rabindranath Tagore. The name of the play is Red Oleanders, the flower. So I saw this play three, four times, I read this play a couple of times, and it is one of my most favorite ones, and it goes like this. I'll tell the story a little bit, to understand the essence of cryptography there. I didn't know that Tagore knew his cryptography. Okay, but he knew some sense of it. Okay, so. So it is set in this industrial revolution. So the industries are coming up in India, also the British government is setting up industries. Now, you see, industrial laborers, there was no supply of laborers at that time, but there was no dearth of poor Indian farmers. There are the agents, I think the same thing happens here also, even today also, agents will find out the poor farmers and they will promise them a job in an industry in a city or a little suburb of the city, and people will yield and come and join this industry and work, and ultimately they become slaves. So what is the process of the indictment? There will be something, what we call HR; this person will ask this poor farmer your name, your father's name, your address, and blah, blah, all your personal history, okay? And then depending on the history, he or she will assign a unit number to that laborer, okay. And henceforth, this person is identified by that number; all the identities are gone. So this person is referred to as this number, that number. So years go by, and basically they are slaves; they cannot go back home, they have to slog there, they hardly get paid, only food. It's just like slavery; it went on. I think Tagore was trying to produce this industrial slavery.
But then I thought, you know, Tagore must have something beyond that, not just to punish the injustice; everybody must be talking about something more human there, something much more human there. And then comes the ultimate. So one slave, one worker is talking to another worker; he says, Hey, do you remember your father's name? He says, oh, no, no, no, no, I don't remember my father's name, because my identity is now only this number. And then the other guy says, do you remember the name of your village? He said, No, for 10 years I'm being used by this number only, I can't remember the name of my village. So that identity has been completely destroyed, okay, by putting a number on this side. And this is what we call the hash function. Okay, so what is the hash? Hash is basically you take any big text and try to map it to a shorter string with certain properties. Property number one, it should be easily computable. Okay, one person cannot have two different hashes. And the most difficult, most important point is that from the hash value, you cannot come back to the actual original information. So that was the problem with those laborers. Because they are being used by the hash value all the time, they could not go back to the original file and retrieve their father's name, what their village is. This is called one-wayness. So from the hash value, they could not get back to the actual file. And the other thing is that we require that it's very difficult to find two individuals being mapped to the same hash value. And it's very obvious, because if I think of the size of the input file, this is very large compared to the output one, which is very small. So if we think of any function which is injective, a large domain and very small range, there has to be collisions; this cannot be one-one. There has to be many, many, many to one. But then the

I think the catch is that it's very difficult to find two individuals which have been mapped to the same one. That is the hash function. So that's what we talk about. So now, Sheri, if I take all your personal things, and I get a good hash function. What are the good hash functions these days? I think the current FinTechs use, I think, MD4, which is not good. I think they must change everything to what we call SHA-3. The US government, NIST, had a public competition, because MD4, MD5 did not seem to be that safe. So they wanted new proposals from all over the world to make a new standard. It went through lots of processes of examinations and analysis, and they finally zeroed down to one. One function is called, this is SHA-3. So my first thing is that everything should be replaced by SHA-3, and I see all the FinTech applications, they still use MD4 and MD5. And these are not safe enough. And there are attacks on that. So probably I could even impersonate. What is meant by impersonation? That I could create another person who will map to the same hash value. So I become the same person. Okay, so this is, and so if your identity was down to your hash value, and we communicate using our hash values, what people would know from the communications is this hash value to that hash value. Okay, and from the hash value, you don't know who the person is. So the problem that I had with my father's hawala system, that name to name the receiver and sender are identifiable, these are now very difficult to identify. Because we are going to map all of the identity, like Tagore said, down to a number, and from the number no one can actually easily go back to the original one.
And if we have a strong hash function, nobody can impersonate, which is very important in the financial domain, that if I could impersonate Sheri, I could take all her money, or I could just take all the jobs when somebody is getting some tenders and so on, so forth. In all the Fintech domain, this impersonation is a huge problem. And the use of hash functions is very important to stop this impersonation, and that is done with good hash functions. And my recommendation would be that all FinTech applications do not use MD4, MD5 any more; we are cryptologists, we have studied those things, they are not safe enough as of today. So we should go back to SHA-3, or maybe something as good as SHA-3. I know in government they are very skeptical in using public domain algorithms. So that was a tweak of SHA-3: probably you can get a team of experts, and you can tweak SHA-3 to the extent that it is not SHA-3, but you can prove that the security level of SHA-3 and your algorithm is going to be more or less the same. So this is the kind of research that we have been doing. So this is to stop impersonation; that is my second story. Okay, so the third story is for the communication, I remember. And this is, it has a strong moral idea. And the story is, again, in my own language, a very short story. It is about a postman.

Sheri Markose

So can I ask you a question about SHA-3 and all that. You know, in lots of places, in lots and lots of instances, you know, there isn't this what you call it completely unbreakable code, right? Yes, all codes can be broken.

Bimal Roy

Everything broken.

Sheri Markose

But that's the whole point. Axiomatic hacking will take place, right? So it's only a question of, like, we have OTP, you know, you just keep changing things and keep changing things, because there are no hack-free systems. That is the whole point. Because, you know, they give precision, but it has to be defended to the nail. And there is no fine that, that phrase never goes on and on and on. Right. You're only one step ahead. So what is your view about that?

Bimal Roy

And obviously, I do something, say nothing. See, all this notion of security, privacy, these are very abstract concepts. It's like God: you believe, it is there; you don't believe, it's not there. Okay, so I make a joke like this. Now, no, no, no, no, no, no. What do you mean by a perfectly secure thing? So I actually, we can actually map it to anything. What do you think is a perfectly secret thing? I can map it down to something like this experiment: that if I had an unbiased coin, I don't know whether anybody can claim to have an unbiased coin, I don't even know how to manufacture an unbiased one, I don't know if it exists, but that's the abstract concept. If I had an unbiased one, and if I could go on tossing it independently, I don't know how to make independent tosses, these are all abstract concepts. If I could go on tossing this unbiased coin independently, and write one if I get head, zero if I get tail, I can now generate infinite sequences of zeros and ones. Okay, that is what is called Shannon's notion, zero information sequence, zero entropy, maximum entropy sequence, and all the notions of security I can bring down mathematically to this one. Now, since this is an abstract concept, we don't know whether it's real or not. So no system is foolproof, everything is vulnerable. So all you try to do, if I can map it to something, I try to map it to this particular very basic experiment of tossing a coin independently, and try to see how close we are to this abstract experiment; the closer, we will probably feel a bit safer. But again, since I don't know how to make the sequence, the notion of security and privacy is only abstract. And I say, and then I make the joke, if you believe, it is there, like God; if you don't believe, it's not there. Okay, but what, everything is vulnerable. So this is the bottom line, everything is vulnerable.
Okay, even if I had an infinite number of machines, in fact, if I don't have a limit on time and money, I could break any system. But again, there is another thing going on there, which I also tell the FinTech people. Now, see, if a thief comes and tries to get some money from me, to get five pounds, will he or she be able to spend 15 pounds? No. So what is the cost? So if that person tries to cheat me or tries to get something, or compromise my security, and if his gain is five pounds, and if he has to spend more than five pounds, then he's not going to attempt that one. So our security comes to that level: the loss for this breach of security and the cost.

Sheri Markose

So you’re saying it’s just economic incentives?

Bimal Roy

Yes, yes, yes. And actually, I said I would meet all these people physically and we're trying to use some game theory there, some game theory in this kind of setup; some students are working on this area now, because in this Royal Society project I've been involved with two, three students, also in my ISI Kolkata, who are working on this; it is basically incentive systems and so on, so forth. And in a talk, I cannot really talk about this much further; if I had a glass of beer with me and spent one hour, we probably could talk much, much more on that. Maybe I'm looking forward to that in the near future, but we are not going to make that happen, a real drink and a discussion on this one. So this is my, okay, okay. My third story, I didn't even start the third story, was that we have to be very careful. I think it's the same line as Sheri was telling, nothing is very secure. And this is again from one of my very favorite short stories in Bengali; Bengali would not wonderful is one of my favorite, very favorite writers. So a postman had this capability of identifying handwriting; he was a handwriting expert. And with all my respect to all ladies, he wanted to find out what these young ladies write in their letters, and he knew from the top of the envelope, from the name, whether this is written by a male or a female, and if it is a female, the age group, a little child or a young girl or an old girl, and he was only interested in trying to read the letters written by younger girls, say 18 to 30 or so, okay, and so on, so forth. But how would you do that? Because all these envelopes are very similar, and you have this gum seal in his old time. So we have this: he puts the gum, very hard gum, and seals it, and then it goes to the post office. And the post office person will give it to the peon, who will distribute it to the postman, to the houses. It's very difficult; the gum is very, very strong, you can try it. That is the notion of security they were using there.
Now what this postman finds out is that in that post office there is a small heater and a kettle of water. Because, you know, in our culture, we learned it from the British to drink tea, say eight to 10 times a day. So we have a kettle, water will be boiling. And then whenever I drink, I like to drink water. In the post office, these postman people, they will just boil the water and make some tea with that boiled water, and then what he observed. This is the crucial part that everybody has to be aware of. Well, I'm pretty sure the writer didn't know all these things. This is my own discovery from the story, that he discovered that when the steam comes off the nozzle of this kettle, if you hold the end of the envelope sealed with the gum like this, the gum loosens. The envelope doesn't get damaged, the gum loosens. Okay, and then he can actually open that envelope, take that letter out, okay, read it, put it back again, put the gum back. So he has the intrusion into the security system. And that, you know, some 80 years back, a Bengali author could realize that no system is secure. So the moral of the story is that no system is secure. I don't tell you the last part of the story, maybe I should, because it's a different mode of conference. The last part of the story, there has to be a twist, the punch line in the story. So one day, he opens a young lady's letter, by the handwriting, he opens it, and it's a letter that she is writing to someone that it is impossible to stay any longer with this whole bomb, just take me out of this place, and who sent it? His wife. Okay. So this was the story, but what is the moral there, that nothing is secure. Even those hard gums could be loosened by steam coming out of the nozzle of the kettle.

Okay, so my high school math teacher, he told me the story, he told us the story. And I read it also. Say, you know, the English job examinations and class tests, etc. And he will write down the scores and then put them in an envelope, and he will send it to the headmaster, or we call it the principal of the school. Okay, but in this context, he was telling the story. And then the peon who takes this envelope from me to the headmaster, he can breach this entire security system, like in this story. So I have designed a new method of securing things. And I wish he could have written this in some form; he would have been very rich by now. But he didn't do anything, but I remember his solution. He said, you know, I'll make a small attaché case, so there would be two locks at both the ends. Okay, in order to open that, you have to open both the locks, two different keys. He says I've designed this small attaché case; one key is left with me, and one key is left with the headmaster, the principal of the school. So what I do, I put your mark sheet inside the attaché case, lock my side, and I ask the peon to take it to the principal. The principal cannot open it. So what the principal does, the principal locks his side and sends the peon back to the teacher. Okay, now it comes to the teacher, and what does he do? He opens his side and tells the peon to take it back to the principal. And then the principal opens his side and he gets the document. Okay, so what he has achieved, not only security but he has also authenticated; it is authenticated that the headmaster is the only one who can open this one, nobody else can. And at the same time, the principal also is assured that this teacher only has sent the mark sheet, nobody else. Really, not only

Sheri Markose

coming to the end of the conference, okay, so this is the public and private keys.

Bimal Roy

Yes, yes. The public and private keys; so I learned it from my school teacher when this concept didn't even exist at all. Okay, so this example, this is exactly it. And so what happens, you know, in all these things, you generate private keys and public keys; the public key is in the public domain, the private key is with yourself, and the public keys actually could be, in bitcoins, the public key is actually your identity. And what is proven is that from the public key you cannot derive my private key. Okay. So, and it is not compromised?

Sheri Markose

I mean, to my mind, I mean, we'll just have a couple of questions. There are, in the blockchain, the man-made blockchain is relatively new, right, bitcoin, Satoshi Nakamoto, and so on. I mean, it's a phenomenal invention. I mean, I know the Bitcoin itself is hugely, you know, energy intensive, because to crack the, we call it the hashing, you have to make many attempts, right. So that costs a lot. But nevertheless, the whole concept of securing software-based accounting systems, the fact that you can go back to an immutable history of the past, and no inconsistent or fraudulent new blocks can be added, I mean, it's a phenomenal concept, is it not?

Bimal Roy

It is, it is, it is, it is. But you know, this is nothing very new, to be very honest. Yes, because in the blockchain, what they use as the primitives are basically some tree structures and hash functions. So Nakamoto, we don't know who is he or she. But he puts these things in a very nice fashion. And I think in most of the applications I've seen, you may not need blockchain. Just simple hash functions serve the purpose, because all you want to make sure is the integrity part, data integrity, and I've seen you have a blockchain. So using this, the overhead is huge, the cost is huge. And you can actually, if I wanted to understand the actual application that they will use the blockchain for, I say to the person that you don't need the blockchain.

Sheri Markose

Yes, blockchain is if you only want to carry the ledger forward in time.

Bimal Roy

But you could possibly do it in a much simpler way. Because integrity is basically your concern, and it would be achieved by good hash functions. And you would not have such a complicated overhead. And if I could talk to somebody, I've talked to many people here. Even when I come to work, almost every year, only for the last two years I couldn't come. And we have seen most of the applications the FinTech people do; you don't need to get into the blockchain where you are overusing it; you could do it with a much simpler, much cheaper solution using the hash function. So this is one thing I want to warn you about. But what is important for me with this cryptocurrency is a matter for the finance people. What I don't understand, see, the way I learned, I don't know much economics or finance, but the basic thing I understand is that the currency we have running in the economy has something to do with the economic activity of the nation, right. So it is the goods and services produced in the nation that are directly responsible for how much currency is being minted. So here you are minting currency that has nothing to do with the economic activity of the country. This is what, as an ordinary person, I feel very scared about. I mean, I think, yes, yes. This is my concern, the minting part. You mint currency, it looks almost like a stock market price, goes up and down, price goes up and up and up. So suddenly you have so much money in the economy, nothing to do with the economic activity of the country. We can bring this to a stop here because this is my concern. I want to understand from you guys, how do we answer this question? Is minting money without any economic activity not going to be damaging the economy in the long run? That's what is my concern. Okay, I'll stop here; probably we'll go for discussion. So I changed my entire mode of presentation in a different way. I want to put my concern, so I

Sheri Markose

think I think most people will remember your stories. I am by the headmaster.

Bimal Roy

Yeah. Okay.

Sheri Markose

Do you want to say anything about Bitcoin and bimal’s concerns about how it isn’t representing GDP?

Bimal Roy

Yes, yes. If suddenly GDP goes up with the money flows Yes.

Willem Buiter

I’m a great fan of the of the blockchain, I think as the mechanism for conceptualizing and updating self referential mechanism.

Bimal Roy

I’m also a big fan I was a good fan No, no.

Willem Buiter

But cryptocurrencies based on blockchain, I think, are a pure speculative bubble; it's an asset without intrinsic fundamental value. So it would be crazy to put public faith in that, and I hope very much that they will be regulated or legislated out of existence. I see many applications of blockchain in finance, especially in the birth of a much more inclusive financial system not dependent on the ability to access the complex and often distant financial intermediaries, but cryptocurrencies, I think, are definitely the wave of the past.

Bimal Roy

Okay. Now, actually, we have been working on E-auctions. Okay, we have been using blockchains for E-auctions.

Willem Buiter

Yes, indeed. Yes.

Bimal Roy

This is so, my current project is, this is the Royal Society project with them. So what we are handling, all these things with a blockchain, using e-voting, e-auction, distributed finance and etc., etc. So, also good support, but my concern is that many of the applications may not need blockchain; such a heavy thing could do that.

Willem Buiter

Because it’s very computationally intensive.

Bimal Roy

Yes, yes, yes, yes.

Shyam Sundar

Well, it seems to me that we need to separate blockchain as a record-keeping system and cryptocurrency as a form of money. And I'll say a few things about money. Money has always been a symbol. Even though we started out with cowries and seashells and loaves of bread, or dried fish as money thousands of years ago, and they took the coin form or paper currency form, but the essence of money is
