
FINT B338F

E-payment Systems, Cryptocurrencies and Cyber Security


Specimen Exam Sample Answers

Important:
These suggested key points serve solely as an illustration of the possible answers for the questions in
the Specimen Exam Paper. They are designed for your easy reference only. In the actual examination,
complete answers/descriptions/explanations/discussions are expected.

© Hong Kong Metropolitan University


SECTION A

Question 1

(a) Classify STEP2 based on the six attributes of payment systems. Briefly
explain your answer.

1. Operator: private payment system
2. Settlement method: net settlement
3. Frequency & timing: designated time
4. Value: small value
5. Settlement date: same day
6. Settlement asset: central bank money via TARGET2
Further explanation for each attribute is required.

(b) Describe the guidelines for writing a security policy for STEP2.

Some of the guidelines are listed below:

• The security policy should cover the most likely threats to the
network of STEP2 and the best ways to minimize them.
• Must cover any laws / regulations that are applicable to STEP2.
• Include clearly defined roles and responsibilities.
• Involve management in the creation of the policy.
• A high-level document, understandable by all staff.
• Write technology specific procedures based on the security policy.
• Include Acceptable Use Policy (AUP) in security policy.

(c) Discuss how hashing can be used to ensure the data integrity for STEP2
transaction records. Suggest two commonly used hashing algorithms.

A hash value is a numeric value of a fixed length that uniquely identifies
data. Hash values represent large amounts of data as much smaller
numeric values, so they are used with digital signatures. One can sign a
hash value more efficiently than signing the larger value. Hash values are
useful for verifying the integrity of data sent through insecure channels.
The hash value of received data can be compared to the hash value of data
as it was sent to determine whether the data was altered. Secure Hash
Algorithm version 1 (SHA1) and Message Digest version 5 (MD5) are
two commonly used hashing algorithms.
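
The comparison described in this answer, as an added example that is not part of the original answer key: the sender publishes one digest per record and the receiver recomputes and compares them. The record fields, the `manifest`/`verify` helper names and the sample values are assumptions constructed for illustration, not the STEP2 message format.

```python
import hashlib
import hmac
import json

# Constructed sample records; the field names are assumptions, not the STEP2 format.
SENT = [
    {"id": "TX0001", "debtor": "BANK-A", "creditor": "BANK-B", "amount": "120.50"},
    {"id": "TX0002", "debtor": "BANK-C", "creditor": "BANK-A", "amount": "75.00"},
    {"id": "TX0003", "debtor": "BANK-B", "creditor": "BANK-D", "amount": "9.99"},
]

def canonical(record):
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def digest(record, algorithm="sha1"):
    """Fixed-length hex digest: 40 characters for SHA-1, 32 for MD5."""
    return hashlib.new(algorithm, canonical(record)).hexdigest()

def manifest(records, algorithm="sha1"):
    """Sender side: one digest per record, keyed by transaction id.
    The manifest must reach the receiver signed or over a trusted path."""
    return {r["id"]: digest(r, algorithm) for r in records}

def verify(received, sent_manifest, algorithm="sha1"):
    """Receiver side: map each problem id to 'altered', 'missing' or 'unexpected'."""
    problems, seen = {}, set()
    for record in received:
        rid = record["id"]
        seen.add(rid)
        expected = sent_manifest.get(rid)
        if expected is None:
            problems[rid] = "unexpected"
        elif not hmac.compare_digest(expected, digest(record, algorithm)):
            problems[rid] = "altered"
    for rid in sent_manifest.keys() - seen:
        problems[rid] = "missing"
    return problems

def tampered_copy(records):
    """Constructed in-transit change: TX0002 amount edited, TX0003 dropped."""
    out = [dict(r) for r in records if r["id"] != "TX0003"]
    out[1]["amount"] = "7500.00"
    return out

if __name__ == "__main__":
    print(verify(SENT, manifest(SENT)))
    print(verify(tampered_copy(SENT), manifest(SENT)))
```

Passing `"sha256"` as `algorithm` works unchanged, since `hashlib.new` accepts any digest name the local build supports.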

[END OF SECTION A]

FINT B338F Specimen Exam Sample Answers Page 2 of 6


SECTION B

Question 2

Octopus is an electronic payment system using a contactless smart card. Octopus cards can be
used to make payments on public transport and at a wide range of retailers and facilities. Users
simply hold their Octopus cards over a reader, and the correct amount will be deducted from
their Octopus automatically without the hassle of cash. For some residential and commercial
buildings, Octopus is also used as access control.

(a) Illustrate four advantages of using Octopus cards versus cash from the
merchant’s point of view.

From the merchant’s point of view, Octopus cards have advantages over
cash in the following areas:

• Convenient and fast: eliminates the need to carry cash or exact
fares.
• Efficient and accurate. Simplifies day-end cash counting
activities, reducing human counting errors as well as time required
for bank reconciliations.
• Cost saving. Lowers cash handling cost.
• Discounts / Loyalty programmes. Merchants may offer their own
discounts / loyalty programmes for their customers.

Other plausible answers will be accepted.

(b) Describe the components of Octopus cards.

Octopus cards are supported by FeliCa technology with the following
components:

Shell - The shell of the FeliCa card is of the same size as a conventional
credit card. The material used is polyethylene terephthalate plastic.

RF Antenna - The RF antenna of the FeliCa card is a film antenna that
operates at the frequency of 13.56 MHz. It allows wireless data transfer
at the rate of 212 kbps.

IC Chip - The IC chip is an 8-bit SONY reduced instruction set
computer (RISC) CPU. It is specifically designed for encryption and
random number generation purposes. The memory of the chip provides
both volatile and non-volatile memory. Most notably, it has a 4KB
EEPROM where user information, such as money value or identification
information, is stored.

(c) The emergence of mobile payments in Hong Kong poses challenges to
Octopus. Discuss the strengths and weaknesses of Octopus cards
compared with mobile payments in Hong Kong.


Some suggested points below (not exhaustive):

Strengths:
• Widely used in Hong Kong
• Fast transaction
• Additional functions such as access control

Weaknesses:
• Reader device is required
• Not real time transactions
• Higher cost compared with mobile payments
• No online or P2P payment

Question 3

Suppose Bank of China is considering employing either iris or retinal recognition for its new
biometric ATM system to replace the plastic bank card.

(a) Compare the suitability of both biometric measures (iris and retinal) for
the new ATM system in terms of accuracy, cost, intrusiveness and
security level.

A general comparison of both biometric measures is listed below:


               Iris recognition                Retinal recognition
Accuracy       High                            Very high
Cost           Low: only camera is required    High: special device required
Intrusiveness  Medium                          High
Ease of use    Medium                          Low

A brief explanation for each point is expected.

(b) Explain the technical differences between iris and retinal recognition.

Iris recognition:
• The iris is the colored area between the white of the eye and the
pupil, with a texture that is an individual characteristic that
remains constant for many years.
• During image acquisition, the person merely faces a camera
connected to a computer about 1m away.
• Iris scanning software can be downloaded to smartphones.
• Some precautions need to be respected during image capture,
particularly to avoid reflections by ensuring uniform lighting.
• Iris recognition is typically used as a secondary identifier in
addition to fingerprint imaging.

Retinal recognition:
• The retina is a special tissue of the eye that responds to light pulses
by generating proportional electrical discharges to the optical
nerve.
• It is supplied by a network of blood vessels according to a
configuration that is characteristic of each individual and that is
stable throughout life. The retina can even distinguish among
twins.
• The equipment used is relatively large and costly, and image
acquisition requires the cooperation of the subject. It entails
looking through an eyepiece and concentration on an object while
a low-power laser beam is injected into the eye.

(c) Discuss under what conditions deep learning should be used to implement
the above biometric ATM system.
• Deep learning outperforms other techniques if the data size is
large. With small data size, traditional machine learning
algorithms are preferable.
• Deep learning techniques need high-end infrastructure to
train in reasonable time.
• When there is a lack of domain understanding for feature
introspection, deep learning techniques outshine others as you
have to worry less about feature engineering.
• Deep learning works well when it comes to complex problems
such as image classification, natural language processing, and
speech recognition.

Question 4

(a) Compare the differences between banks and Bitcoin in terms of account and
identity management, service, record management and trust.

         Account and identity      Service           Record             Trust
         management                                  management
Banks    Links personal            Transfers money   Updates and        Provides services by
         information to bank       and redeems       tracks account     professionals under
         account and verifies      money             balance            regulations of
         ownership                                                      government
Bitcoin  Gives users               Sends funds       Updates every      Provides trusted
         autonomously created      between peers     node, which        protocol which
         and managed identities    directly (P2P)    keeps its own      incentivizes actors
                                                     ledger             to behave honestly

(b) Explain the four key concepts of bank (i.e., identity, transaction, record
keeping, and consensus) that can fit into Bitcoin’s architecture.

Identity: nodes use public keys to make transactions and use private keys to
spend bitcoins.

Transactions: nodes transfer ownership of UTXOs.

Record keeping: mining nodes keep a record of transactions by updating their
own blockchain and broadcast their version of the ledger to the network.


Consensus: the network agrees on a single version of history (or transaction
record / blockchain) through proof-of-work.
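
A toy model of the record keeping and consensus points above, added here as an example and not part of the original answer key: each block commits to the previous block's hash, and a node rejects any chain whose hashes or proof-of-work do not check out. The JSON block layout, the `DIFFICULTY` value and all transactions are constructed assumptions, far simpler than Bitcoin's real block header and target.

```python
import hashlib
import json

DIFFICULTY = 3            # required leading hex zeros; constructed toy value
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block

# Constructed transaction batches, one batch per block.
BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]

def block_hash(prev_hash, txs, nonce):
    """Double SHA-256 over a deterministic encoding of the block contents."""
    payload = json.dumps([prev_hash, txs, nonce], sort_keys=True).encode("utf-8")
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()

def mine(prev_hash, txs):
    """Proof-of-work: try nonces until the hash meets the difficulty target."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"prev": prev_hash, "txs": txs, "nonce": nonce, "hash": h}
        nonce += 1

def build_chain(batches):
    """Mine one block per batch, each linked to the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = mine(prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid(chain):
    """Index of the first block a validating node would reject, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        h = block_hash(block["prev"], block["txs"], block["nonce"])
        linked = block["prev"] == prev
        if not linked or h != block["hash"] or not h.startswith("0" * DIFFICULTY):
            return i
        prev = block["hash"]
    return None

if __name__ == "__main__":
    print(first_invalid(build_chain(BATCHES)))
```

Editing a transaction in an old block makes that block fail validation, and re-mining only that block moves the failure to the next one, so rewriting history means redoing the work for every later block.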

(c) Discuss the differences between symmetric encryption and asymmetric
encryption.

Differences between symmetric and asymmetric encryption:

• Symmetric encryption uses a single key that needs to be shared among
the people who need to receive the message, while asymmetric
encryption uses a pair of keys, a public key and a private key, to
encrypt and decrypt messages when communicating.
• Symmetric encryption is an old technique while asymmetric
encryption is relatively new.
• Asymmetric encryption was introduced to address the inherent
problem of the need to share the key in the symmetric encryption
model, eliminating the need to share the key by using a pair of
public-private keys.
• Asymmetric encryption takes relatively more time than symmetric
encryption.

[END OF SECTION B]
[END OF EXAMINATION PAPER]
