From: M Taylor <mctaylor@privacy.nb.ca>
Date: Mon, 24 Aug 1998 12:25:38 -0700 (PDT)
To: cryptography@c2.net
Subject: summary of recent meeting with top Mondex officials (fwd)
Message-ID: <Pine.LNX.3.95.980824162535.18129E-100000@privacy.nb.ca>
MIME-Version: 1.0
Content-Type: text/plain



---------- Forwarded message ----------
Sender: efc-talk-owner@insight.cas.mcmaster.ca
Subject: summary of recent meeting with top Mondex officials
Date: Mon, 24 Aug 1998 14:07:40 -0400 (EDT)
To: efc-talk@insight.cas.mcmaster.ca
From: David Jones <djones@insight.cas.mcmaster.ca>

	Mondex meeting

I would like to give a brief synopsis of the meeting
that I attended two Fridays ago (August 14th) in Toronto.
Present were:

 Joanne De Laurentiis,  President & CEO, Mondex Canada
 David Phillips,  Vice-President, General Counsel, Mondex Canada
 Deen Farouk,  Director, Mondex Canada
 Mark Tonnesen,  Executive Vice-President, Card Services, Royal Bank
 David Braidwood,  Senior Manager, Standards and Security, Royal Bank
 Martyn Cooper,  Senior Manager, Smart Card Industry, Royal Bank
 Ann Cavoukian,  Privacy Commissioner of Ontario
 Carol Markusoff,  Policy Analyst, Ontario Privacy Commission
 Peter Hope-Tindall,  XL Consulting, Special Advisor to Privacy Commissioner
 David Jones, President,  Electronic Frontier Canada


The purpose of the meeting was to have an open discussion
about privacy and security of the Mondex electronic payment system.
As most of you probably know, Mondex value can be transfered between
smart-cards to make purchases and new value can be downloaded onto the
cards from bank ATMs or over the phone.

For some (highly critical) background, please see:
   "Mondex: A House of Smart-Cards?"
      http://www.efc.ca/pages/media/convergence.12jul97.html

What actually prompted the meeting was an article that appeared
this summer in the June issue of the Financial Post Magazine.

   "Mondo Mondex"
      http://www.efc.ca/pages/media/financial-post-magazine.01jun98.html

The meeting got off to an amusing start as two bankers remarked
that I wasn't wearing a tie, although I must say I thought I was
dressed quite fashionably, ... for a professor.  I made some remark
about "casual Fridays", but it didn't seem to help.  The fact that
I had taken a *bus* in from Hamilton that morning also seemed to be
another clear indication to all present that I didn't hang around in the
same circles as these senior bankers.  I must say, it was a very cordial,
informative, and interesting meeting.  Everyone was quite charming and
clearly expert in their own fields.

They outlined the different roles that the banks and Mondex play
in the system, including a separate corporate entity called the
"Mondex Canada Originator" that actually "prints money", in the
sense that it issues *new* value on Mondex cards.  This is the only
place this occurs: the banks, merchants, and consumers merely push
value around in the system, from card to card.

Interestingly, the "Mondex Canada Originator" is not recognized as a bank,
and is not even recognized as a financial institution by Canadian authorities.
The "float", the account holding real Canadian dollars to back up "value"
stored on cards, is invested to earn a profit, but is *not* backed up
by any federal deposit insurance.

The current implementation of the Mondex system uses a well-known
"symmetric" encryption algorithm for security, implemented on a
Hitachi H8/3102 chip.  Interestingly, the value of transactions
is transferred "in the clear" between cards.  Encryption is used
for digital signatures.  Each card has a transaction log that
stores the following information about up to 10 transactions:

   PID,AMT,NAR,AMT,CUR,TIM,SEQ1,SEQ2

   PID = purse ID of the *other* card
   NAR = 12 characters of "narrative" information (e.g. customer/vendor name)
   AMT = amount of value transferred
   CUR = currency used
   TIM = timestamp (from retail machine or consumer wallet, may be inaccurate)
   SEQ1= unique transaction sequence number for *this* purse
   SEQ2= unique transaction sequence number for the *other* purse

It's at this point that the privacy commissioner, Ann Cavoukian,
started asking questions about how this transaction data gets used.
Although merchant terminals are able to capture all of this information,
and even have a modem to transmit it back to banks, we were told that
this is not done in Guelph, in part because there is not (yet) any software
on the bank end to process the data.  There was also the suggestion that,
in the future, Mondex might choose to rely on contractual limitations
on the use of the data to prevent some vendors (e.g., Walmart) from using
the information for data mining.  I am fairly willing to accept that there
are not any terrible privacy problems with Mondex in Guelph *today*,
but it is much more murky when we look to the future and imagine
how the system may eventually be used.

When discussing security and the potential for "hackers" to create
counterfeit Mondex value, it became apparent that the banks themselves
are doing nothing at all to deal with security.  It seems to me that a
good analogy could be made with how banks deal with credit cards:
They depend on the credit card company to worry about security and fraud.
With Mondex, the banks are relying on the chip's use of encryption
and their "tamper-resistance" (meaning they are supposed to lock up
if you mess around with them).  Only the "Mondex Canada Originator"
has a "crude" risk management system, which monitors that balance of funds
sitting in the "float" account and monitors uploads and downloads
between banks and merchants/customers.  If usage patterns deviates
outside normal fluctuations, on the order of 3-4%, then an alarm is
raised to investigate.  In the Guelph pilot, this alarm has gone off
"about 5 times", (false alarms, since there has not been any fraud).

In the "unlikely" scenario, that counterfeit Mondex value is created,
the system is supposed to be able to contain the flow of fraudulent
value and limit the damage that might occur.  It is surrounding this
point that there seems to be a great deal of confusion and contradictory
information coming from Mondex.  For instance, on their web site, Mondex says:

    Detection: On-Chip Security
    The Mondex chip has its own risk management measures, built-in to
    the chip itself.  The chips are programmed to automatically react
    to 'unusual' card behaviour, such as very high levels of value
    redemption and temporarily close down.

    URL= http://www.mondex.com/mondex/cgi-bin/...
         .../printpage.pl?fname=../documents/detection.txt&doctype=genp

Well, as far as I can tell, based on what I heard at the meeting,
the statement above is not correct.

On a related page, Mondex says:

    Recovery: Rogue Cards
    Naturally cards identified as being unauthorised, reported stolen,
    or potentially fraudulent can delinked immediately from the
    banking system.

    URL= http://www.mondex.com/mondex/cgi-bin/...
         .../printpage.pl?fname=../documents/recovery.txt&doctype=genp

It turns out this statement, as far as I can tell, is also not correct.
The "Mondex Canada Originator" has no authority and no technical ability
to "delink" a card.  The Banks also seem to lack the ability to
remotely deactivate cards through their ATMs.  I asked how many times
cards in Guelph had been locked out because of suspicious behaviour.
I was told "zero times".

On an interesting technical note, we were told that Mondex cards use
a seven-step protocol to transfer value from one card to another.
It is not possible to "create" value by interrupting a transaction,
but it is possible to "destroy" value, if one card has debited its value
records before the other has credited its value.  In such a case,
the card is supposed to keep a record of this "exception", so the bank
can later re-imburse the consumer for the lost value.  We were told that
approximately $4,600 has been paid out to customers for such failed
transactions.  To put this in context, so far about $2 million has been
issued on Mondex cards in the 18 month pilot study, so this means
roughly 0.25% of value gets destroyed by errant transactions.

The discussion about security explored various "scenarios" about
how someone might try to extract value from the system, assuming that
it was even possible to "hack" a Mondex card.  This so exasperated
the Exec VP with the Royal Bank, Mark Tonnesen, that he turned to me
and said, "Look, I'll pay you $100,000 if you can create fake Mondex value".

Hmmm, maybe I'll just take him up on his offer.  ;-) ;-)

-- David Jones

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Prof. David G. Jones			president, Electronic Frontier Canada
McMaster University			email:  djones@efc.ca
Dept of Computer Science		web:	http://www.efc.ca/
1280 Main St West			office: +1 (905) 525-9140 ext. 24689
Hamilton, ON, Canada  L8S 4K1		fax:    +1 (905) 546-9995
-----------------------------------------------------------------------------