The Convergence
Saturday, July 12, 1997

Mondex: A house of smart-cards?

With e-cash, privacy is illusory and security is questionable

by David Jones

Mondex International has already conceded that its electronic cash isn't really as private as they once claimed. Now critics are questioning whether their security is all it's cracked up to be. If crooks managed to create counterfeit cyber-cash, and if Mondex failed to detect it quickly enough, the deposits backing up the electronic currency could be drained dry, leaving customers out of pocket -- unable to redeem the "value" on their cards. Do participating banks have any contingency plans for what Mondex calls its "meltdown scenario"?

- Show me the Mondex money -

Mondex has developed an electronic payment system based on smart-cards that store and exchange value. It's new, it's high-tech, and it's being pitched as a convenient alternative to the kind of cash that jingles in your pocket.

In pilot programs currently under way in a few small communities, such as Guelph, Ontario, customers load value onto their Mondex cards at an Automatic Teller Machine (ATM) of a participating bank. The value can then be spent at various retailers, at public telephones, and on city buses.

What distinguishes Mondex from competing e-cash systems is the ability to make card-to-card transfers. When you buy your groceries using your debit card, the store needs to communicate with the bank's computer to complete the transaction. A Mondex payment, by contrast, is completed entirely between the two cards, with no call to the bank. Unlike a magnetic-stripe debit card, the Mondex card contains an embedded microprocessor, with sophisticated encryption methods and tamper-resistant hardware that Mondex claims protects the cards from hackers.

Mondex's ability to do offline transactions means the system is less dependent on an expensive network infrastructure, and the cost per transaction is reduced.

- Mondex Momentum? or Mond-X Mania? -

It's a system that has attracted many large financial backers, including MasterCard International, which now owns 51% of Mondex. Corporate participants in the Guelph pilot include Royal Bank of Canada, Canadian Imperial Bank of Commerce, and Bell Canada.

There's been very little critical reporting on Mondex in the mainstream media. Most articles have been enthusiastic puff pieces about the novelty and convenience of e-cash and the imminent demise of paper money. Mondex is clearly a "golden" opportunity.

Mondex recently announced that almost all Canadian banks have jumped on the Mond-X bandwagon, including: Scotiabank, Bank of Montreal, Canada Trust, Le Mouvement des caisses Desjardins, Toronto Dominion Bank, and National Bank of Canada. And just this week, CANARIE, a federal government and industry led consortium that develops 'Information Highway' technologies, has agreed to fund a $1.2 million project that will use the Mondex card system as the basis for secure electronic commerce over the Internet.

With so many respectable banks and organizations getting in on the action, how could investing in Mondex possibly go wrong?

Mondex's runaway success may remind some Canadian business analysts of the recent Bre-X fiasco, in which gold-mining stocks soared to ludicrous heights and then collapsed like a house of cards when it was revealed that claims of billion dollar gold deposits were bogus.

But Mondex isn't making any bogus claims, are they?

- Privacy? Mondo Zero -

People value the ability to make some of their purchases using 'cash', with no record of the transaction, as a way to safeguard their privacy. Mondex is fully aware of this, and that's why, during their test launch in Swindon, U.K., they initially advertised their system as "anonymous, just like cash". Mondex was later forced to clarify their advertising following a formal complaint made by Privacy International.

The problem was that Mondex transactions simply aren't anonymous. Each card has a unique identification number that is linked to the individual person to whom the card was issued at the bank. Unlike pre-paid phone cards, which are also based on smart-cards, you can't buy a Mondex card without revealing your identity.

Offline transactions may seem anonymous, but they get recorded in the digital memory of the card's microprocessor and are available to be retrieved the next time the card visits an ATM, or as soon as the retailer uploads his value and his transaction data to the bank computer.

In Guelph, the Canadian Imperial Bank of Commerce (CIBC) was apparently looking forward to using this transaction data to build up valuable marketing profiles of Mondex card users, but an internal memo reveals that they quickly reconsidered once it seemed likely the public might learn that transactions were being logged.

"Given the current situation in Guelph", warned the CIBC memo, "it's a significant risk that if any of these [privacy] groups discover that Mondex transactional data is being collected from merchant logs they would use and create every opportunity possible to stir negative headlines with 'Big Brother' accusations."

In stark contrast to their reticence when talking to privacy-conscious consumers, Mondex does an about-face and starts boasting about their extensive transaction logs when government departments and law enforcement officials raise concerns about tax collection or money laundering.

"The Mondex card system is fully auditable. There is an electronic record of the time, date, amount, and participants of each transaction", said Janet Crane, president and CEO of Mondex, when speaking in Los Angeles earlier this year.

Mondex has since been accused of leading a "double life" for sending out these mixed messages, each apparently designed to be just what the intended audience wants to hear.

In practice, Mondex isn't a fully audited system either. Each card holds only a fixed number of recent transactions, so an unusually high number of transactions can overflow the limited memory in the Mondex smart-card, and older records are overwritten before the card next reaches the bank and Mondex can retrieve them. Critics say this loss of data is a critical design flaw that makes it very difficult for Mondex to reliably detect fraud.

Cynics say Mondex's incomplete audit trail is intentional -- it means governments can't check their books. If a Mondex card is lost or damaged, the value will never be redeemed, leading to windfall profits for Mondex.

- Turn back the clock -

With their reluctance to provide clear and accurate answers when questions were raised about the privacy of Mondex transactions, it's little wonder that some people remain skeptical when Mondex gives reassurances that their cards are secure.

John Beric joined Mondex in August, 1995, and is now their top security man. Previously, he was head of security with the U.K.'s Association for Payment Clearing Services (APACS), which includes the major British banks among its members. APACS deals with the security of automated banking machine transactions.

In the early 1990s, during Beric's tenure, numerous customers became concerned about "phantom withdrawals" appearing on their bank statements. When they complained to their banks that someone must be fraudulently withdrawing money from their accounts, they were accused of lying.

Barclays Bank, like other APACS members, fiercely defended the security and integrity of its cash machines, but in 1992 the matter landed in court when hundreds of bank customers filed a class action suit to recover damages from nine banks.

Under the scrutiny of experts hired to investigate the matter, it became apparent that ATM security had some serious holes in it. For instance, in the wee hours of the morning when bank computers were down for maintenance, ATMs were unable to properly verify the Personal Identification Numbers (PINs) entered by customers. Instead, ATMs were programmed to secretly fall back on a special property shared by all valid PINs assigned to bank-issued debit cards, such as the sum of the first and third digits being equal to the sum of the second and fourth digits. That fallback never checked the PIN of the particular card in the machine, only whether the digits typed had the right shape, so once a few crooks learned that there were "magic" PINs, like 4455, that would work on any bank card between 1am and 3am, a flood of phantom withdrawals began.
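To make the size of that hole concrete, here is an added example (not code from any bank, from APACS, or from the article) that implements the fallback rule exactly as the article states it, first digit plus third digit equal to second digit plus fourth, and counts how many four-digit PINs it accepts. The card records, card identifiers and PIN values are constructed for the illustration; a real host would store a PIN verification value rather than the PIN itself. The point the code makes is that the fallback accepts 670 of the 10,000 possible PINs (6.7%) on every card, while a genuine check against the card's own record accepts exactly one, and that the real fix is to fail closed when the host cannot verify.

```python
"""Offline ATM PIN fallback as described in the article, beside a proper check.

Added example; not code from any bank or from APACS. The invariant below is
the one the article gives; the card records are constructed.
"""
from itertools import product


def pin_digits(pin: str) -> tuple:
    """Split a four-digit PIN string into its digits, rejecting anything else."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be four decimal digits")
    return tuple(int(c) for c in pin)


def weak_offline_check(pin: str) -> bool:
    """Fallback used while the host is down: tests only the invariant that every
    issued PIN happens to satisfy, never the PIN belonging to this card."""
    d1, d2, d3, d4 = pin_digits(pin)
    return d1 + d3 == d2 + d4


def all_pins():
    """Every four-digit PIN, 0000 through 9999."""
    return ("".join(map(str, d)) for d in product(range(10), repeat=4))


def magic_pins() -> list:
    """Every PIN the fallback accepts; each one opens any card."""
    return [p for p in all_pins() if weak_offline_check(p)]


# Constructed issuing records (hypothetical card ids and PINs). Each issued PIN
# satisfies the invariant, as the article says valid PINs did.
ISSUED_PINS = {
    "card-0001": "1243",  # 1 + 4 == 2 + 3
    "card-0002": "7348",  # 7 + 4 == 3 + 8
    "card-0003": "2530",  # 2 + 3 == 5 + 0
}


def host_check(card_id: str, pin: str) -> bool:
    """Proper verification: compare against this card's own issuing record."""
    return ISSUED_PINS.get(card_id) == pin


def authorise(card_id: str, pin: str, host_up: bool, fail_open: bool = True) -> bool:
    """Authorisation decision for one PIN entry.

    fail_open=True reproduces the behaviour the article describes: when the host
    is down, accept any PIN with the right digit shape. fail_open=False declines
    every transaction the host cannot verify.
    """
    if host_up:
        return host_check(card_id, pin)
    return weak_offline_check(pin) if fail_open else False


def pins_accepted(card_id: str, host_up: bool, fail_open: bool = True) -> int:
    """How many of the 10,000 candidate PINs open the given card."""
    return sum(1 for p in all_pins() if authorise(card_id, p, host_up, fail_open))


if __name__ == "__main__":
    print("magic PINs:", len(magic_pins()))                      # 670
    print("host up, card-0001:", pins_accepted("card-0001", True))          # 1
    print("host down, fail open:", pins_accepted("card-0001", False))       # 670
    print("host down, fail closed:", pins_accepted("card-0001", False, False))  # 0
```

The 670 comes from counting digit pairs with equal sums; nothing about the number is specific to the bank in question, only to the rule. A crook did not need to know the invariant in closed form either: collecting a handful of PINs that worked overnight on stolen cards would have revealed it.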

There were other glaring security flaws as well.

By the fall of 1993, APACS admitted that they had routinely lied to customers and the police about the security of their ATMs, out of fear that they would be buried in an avalanche of bogus claims.

- Fast Forward -

Ross Anderson, computer science professor at Cambridge University and an expert in cryptography and secure banking systems, says he isn't convinced by Mondex's claim that their cards are secure. Anderson has been doing research in the area since the mid-1980s and has spent the past several years studying "how security systems fail in real life".

In a recent interview, Anderson expressed the opinion that, at an estimated cost of $100,000, Mondex cards based on the "tamper-resistant" Hitachi-3101 or -3109 chips could be cracked by sophisticated reverse-engineering methods. With the possibility of producing counterfeit millions, that's not a bad return on investment.

Anderson is also dismissive of Mondex's claims that they could detect the presence of counterfeit value through sophisticated statistical analysis of transaction logs.

This same concern is raised in a report prepared for the Australian banks. Although analysis of transaction data was recognized as "crucial for the detection of [fraudulent] value being added" to the system, the security team was "unable to obtain any proof of the efficiency of the risk management database".

Belgium-based Banksys, whose competing Proton system has been adopted by American Express, is highly critical of what it calls "the Mondex fraud detection enigma" and claims that flaws in Mondex security, principally its incomplete audit trail, "will eventually lead to the crime of all time".

- Three lines of defence -

In a recent, lengthy interview, John Beric explained the Mondex security strategy of prevention, detection, and recovery.

"The barriers to penetrating our system are the tamper-resistance and the cryptography", says Beric in describing Mondex's first line of defence. If that fails, Beric explains, "statistical sampling" of transaction data, "looking for statistical signals that someone, somewhere is behaving out of kilter", provide the next line of defence. If counterfeiting is occurring, "what happens is that money washes up somewhere and it sends a statistical sample to us that something is not right in the Mondex economy." Mondex even has a final line of defence for fraud that goes undetected. "If there's a real meltdown -- mass counterfeiting of chip-cards -- what we'd do is what's called a cut-off. We'd bring down that particular generation of Mondex and in parallel bring up a new generation, with completely different silicon and completely different cryptography."
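The second line of defence Beric describes, and the incomplete audit trail discussed earlier, can both be seen in a small model. What follows is an added example, not Mondex's code and not a description of Mondex's actual protocol or risk-management database: it is a toy stored-value system in which a bank loads value onto cards, cards pay each other offline, merchants deposit their takings, and every card keeps a fixed-size transaction log that silently drops its oldest entry when full. The card names, amounts and log size are constructed, and the signing of transfers that a real card does is omitted. It shows the one signal a bank always has, that more value has come back than it ever issued, and why that signal fires late and may no longer point at the card that minted the money.

```python
"""Toy offline stored-value system with bounded card logs.

Added example; not Mondex code and not Mondex's protocol. Card ids, amounts and
LOG_CAPACITY are constructed for the illustration; transfer signatures are omitted.
"""
from collections import deque

LOG_CAPACITY = 3  # assumed size of a card's transaction log (constructed)


class Card:
    """A stored-value card: a balance plus a fixed-size log of recent entries."""

    def __init__(self, card_id: str, counterfeit: bool = False) -> None:
        self.card_id = card_id
        self.balance = 0
        self.counterfeit = counterfeit  # a cloned chip that mints value on demand
        self.log = deque(maxlen=LOG_CAPACITY)  # oldest entry drops silently when full

    def record(self, kind: str, peer: str, amount: int) -> None:
        self.log.append((kind, peer, amount))

    def pay(self, payee: "Card", amount: int) -> None:
        """Offline card-to-card transfer: no bank involved, both cards log it."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.balance < amount:
            if not self.counterfeit:
                raise ValueError("insufficient value")
            self.balance = amount  # counterfeit chip creates value from nothing
        self.balance -= amount
        payee.balance += amount
        self.record("pay", payee.card_id, amount)
        payee.record("recv", self.card_id, amount)


class Bank:
    """Issuer: tracks value loaded and redeemed, and reconciles merchant deposits."""

    def __init__(self) -> None:
        self.issued = 0
        self.redeemed = 0

    def load(self, card: Card, amount: int) -> None:
        self.issued += amount
        card.balance += amount
        card.record("load", "bank", amount)

    def counterfeit_proven(self) -> bool:
        """Aggregate check: more value has come back than was ever issued."""
        return self.redeemed > self.issued

    def deposit(self, card: Card) -> dict:
        """Merchant uploads value and log; report what the log can still explain."""
        deposited = card.balance
        entries = list(card.log)
        # Only entries after the previous deposit belong to this deposit.
        for i in range(len(entries) - 1, -1, -1):
            if entries[i][0] == "deposit":
                entries = entries[i + 1:]
                break
        accounted = sum(a for k, _, a in entries if k in ("recv", "load"))
        payers = sorted({p for k, p, _ in entries if k == "recv"})
        self.redeemed += deposited
        card.balance = 0
        card.record("deposit", "bank", deposited)
        return {"deposited": deposited, "accounted": accounted,
                "unaccounted": deposited - accounted, "payers": payers,
                "counterfeit_proven": self.counterfeit_proven()}


def run_scenario():
    """Two legitimate cards, one counterfeit card, one shop that deposits twice."""
    bank = Bank()
    alice, bob, shop = Card("alice"), Card("bob"), Card("shop")
    mallory = Card("mallory", counterfeit=True)
    bank.load(alice, 50)
    bank.load(bob, 50)        # issued: 100
    mallory.pay(shop, 40)     # counterfeit value enters the shop's till
    alice.pay(shop, 10)
    bob.pay(shop, 10)
    alice.pay(shop, 10)       # shop log is now full; Mallory's entry has dropped out
    first = bank.deposit(shop)    # 70 redeemed of 100 issued: nothing proven
    mallory.pay(shop, 60)
    second = bank.deposit(shop)   # 130 redeemed of 100 issued: counterfeit proven
    return bank, first, second


if __name__ == "__main__":
    bank, first, second = run_scenario()
    print("first deposit:", first)
    print("second deposit:", second)
    print("issued", bank.issued, "redeemed", bank.redeemed)
```

Two things the run shows. After the first deposit the bank has redeemed 70 against 100 issued, so the aggregate check says nothing, even though 40 of that 70 is counterfeit: as long as the counterfeiter stays below the value still outstanding on honest cards, the "money washing up" is indistinguishable from ordinary spending. And because the shop's log holds only three entries, the one entry naming the counterfeit card is already gone by the time the bank reads it; the bank sees 40 it cannot account for but no payer to attach it to. Only the second deposit, which pushes redemptions past issuance, proves that counterfeit value exists, and it happens to name Mallory only because that payment was the shop's most recent one.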

Beric says that Mondex will be so profitable that a minor incidence of fraud won't matter. "Let's be honest -- no system is fraud-proof. If I were to claim Mondex is fraud-proof, you'd say I was an idiot. And you'd be right. We don't claim that. The system has to be built to tolerate a loss. If you don't design your system like that, you've had it. We've designed a system that will tolerate loss."

It would be interesting to learn whether Canadian banks have evaluated the size of "loss" they are willing to "tolerate" and whether they have their own contingency plan for a Mondex economy, with several millions of dollars flowing through it, suffering a "meltdown".

It's also unclear whether people using Mondex cards are aware of how they can be manipulated like puppets. "If we think something is going wrong", explains Beric, "the recovery mechanisms are to turn up the heat on the data that's being collected, and to wind down the activity limits that cause people to come back to the bank."

So perfectly honest people using Mondex cards can suddenly be left stranded, unable to use the value on their Mondex cards without returning to the bank to be scrutinized. According to Murphy's law, Mondex will wind down your activity limit at the most inconvenient moment: when you're standing at the door in your pyjamas, trying to pay the pizza delivery guy; when you've just been driven home from a bar late at night by an impatient taxi driver; or when you're a student rushing to get on campus to write a final exam and the bus driver says, "sorry, your Mondex card doesn't seem to want to pay the fare".

- Whom do you trust? -

Mondex says their electronic payment system is secure. They say critics are mistaken and misinformed. But with Mondex keeping the real details of their security plan secret, the truth is, it comes down to a matter of trust.

When the American Federal Deposit Insurance Corporation (FDIC) held a public hearing to consider the question of whether systems like Mondex should qualify for deposit insurance, the answer was a resounding 'No', and participating banks were later notified to "clearly and conspicuously disclose to customers the non-insured status of the stored-value cards they offer to the public."

In Canada too, if there's a Mondex meltdown, you're on your own.

David Jones is a computer science professor at McMaster University,
and president of Electronic Frontier Canada.

Copyright © 1997 by David Jones. All Rights Reserved. Reprinted with permission.