We distinguish between two major kinds of attackers: the abusers and the spoilers. Abusers try to get some specific advantage, such as get coins without properly paying for them; forge or steal coins; etc. Spoilers do not seek any advantage per se; they just try to disrupt the system. An example of a spoiler attack is to replay a coin purchase request in an attempt to make an unnecessary transfer of funds (from the withdrawer's bank to the issuer). Another example is the denial of service attack in which the attacker tries to tie up issuer resources.
Attackers may be external (e.g., on the Internet lines), or they may be parties themselves (for example, a malicious payee or withdrawer trying to get some money for free), or they may be insiders (such as an employee at the issuer).
Active attackers are the main problem. Pure eavesdroppers only try to learn information, such as the nature of a transaction. Our protocols will be designed to resist active attacks.
We do not discuss error handling or denial of service attacks. An adversary can always interrupt a flow and thus disrupt a protocol. It is assumed that standard re-transmission and time-out procedures underly the transmission of protocol flows and address these attacks as well as possible.