There is much to admire about Mondex International. In only seven years it has grown from the dream of two UK NatWest Bank executives to become one of the leading forces in the emerging world of electronic cash.
Mondex is now 51% owned by MasterCard International, and provides the meat in MasterCard’s “Future of Money” slogan. The remainder of the equity lies with 19 banks — including six in New Zealand. Its technology is, subject to its ability to follow the smartcard world’s shift to Java, as good as — or better than — anyone else’s.
But it is less Mondex’s technology than its marketing which has put it where it is today. The Mondex brand has been aggressively and successfully promoted to key decision-makers worldwide. There’s nothing wrong with that, but there is a fine line between developing the brand and obscuring the issues inherent in the epochal shift to electronic currencies. The material obtained by Computerworld suggests that Mondex has crossed that line.
Why pick on Mondex? Because, by supporting off-line, unaccounted transfers of value, Mondex is presenting a far greater wager than any of the other contenders in the e-cash market.
The same offline model also means that, after years in trials, Mondex still cannot state a policy for value refunds claimed on broken smart-cards. Value on lost cards is, like cash, gone for good. In this respect, Mondex’s competitor Visa seems to offer more robust day-to-day protection.
There may well be merit in Mondex’s argument that fully accounting even the smallest transactions — as Visa proposes — would be unwieldy and expensive in a “mature market” of between 100 million and 500 million cards worldwide. Esteemed security experts such as AT&T Labs’ David Maher may indeed be correct when they argue that Mondex’s risk is manageable and the systems are strong enough to prevent wholesale fraud.
But even Maher states that “if it is successful, Mondex will be broken”. Mondex’s ability to contain risk by constantly improving the physical security of its chipcards, and detect it by abstracting cashflows, is the subject of great controversy. Cambridge University’s Ross Anderson has declared the system unfit for its purpose.
Our material indicates that Mondex itself has misgivings about the two final measures outlined to Computerworld earlier this year by Mondex’s head of security, John Beric. The meltdown scenario — a scheme shutdown and reissue of all cards — would probably mean the end of the scheme.
And the “migration” option, where an authenticated virus would “cascade” through the system, flipping all cards over to a back-up encryption scheme, “has not been evaluated in detail, either from a technical perspective, or from an assessment of the commercial proposition,” according to our documents.
It is also revealed that Mondex currently has neither the systems to detect and cut off a “short, hard attack” by organised criminals within a single day, nor a way to conduct global surveillance across national borders. Planning for these abilities is under way. With the prospect of an economy of half a billion cards all able to transfer value across the Internet, one would hope so.
Mondex will argue that its systems will develop in line with the scheme’s growth, and that it can keep the cost of breaching its security beyond the practical reach of criminals. Maybe so. But it, or its issuing banks, must back up their arguments by accepting the final risk. If that unnerves the shareholders, then so be it.
It appears that individual liability structures will be established in each Mondex territory.
Mondex New Zealand consortium chairman Jeremy Dean recently told Computerworld that, subject to a business proposition the Mondex consortium is preparing for member banks’ approval, the local banks “will honour the value issued on cards” and will “honour legitimate Mondex value”.
Unless they promise to redeem unused value held on cards, the banks are only committing themselves to pay back the real cash they originally took from consumers, less fees deducted.
In other words, if a successful scheme incursion resulted in an inflation of the original $100 million issued by, say, $30 million, the banks would redeem only the $100 million they issued. So would $30 million of Mondex value, which might be perfectly legitimate, simply be dishonoured by the banks?
The local banks have consistently said they would not endanger their customers. It’s time for them to prove it.
There is a precedent — in Ontario, where the Royal Bank of Canada and the Canadian Imperial Bank (Mondex’s Canadian owners) were pressured into standing unequivocally behind card balances in their trial in the town of Guelph. That needs to happen here. And, beyond that, the debate must continue. We welcome a response.