A decision by a US government agency may have forced Mondex's electronic cash system into a low-value model whether the company likes it or not.
The Federal Deposit Insurance Corporation has ruled that e-cash not tied to a deposit account will not be insurable - putting Mondex in the category of such alternative forms of money as phone cards, transport passes and travellers' cheques.
Meanwhile, Mondex International's security chief has vowed to Computerworld that the company has the ability, systems and strategy to stay ahead of counterfeiters in the "arms race" of smartcard fraud.
While the FDIC decision does not necessarily present an obstacle to the deployment of the Mondex system in the US, it makes Mondex's proposals for its use in high-value exchanges of funds - such as house purchasing or large exchanges of cash between businesses - appear unlikely, at least within the next few years.
The FDIC, which insures deposits against the risk of banks failing to meet their obligations, has no equivalent in this country, but Reserve Bank spokesman Peter Ledingham says he was informed of the ruling during a recent visit to the US.
"The US does have quite an issue about extending the safety net as it applies to bank deposits into a whole raft of other areas, of which e-cash is only one. But they have set out some rules about what is going to be insured and what isn't. The guts of it is that if there's a clear linkage through to a deposit account, it will be insured, if there isn't, it won't be.
"So effectively they were just taking whatever their definition of a deposit was and trying to make it operational within an electronic context. And they reached a fairly obvious kind of answer; that if it is tied back to a bank account it's like a debit card and it's an insured deposit. But if it's something at a greater distance, it's not treated as an insured deposit of a bank."
Ledingham says the uninsured status of forms of "money" such as phone and travel cards is "not an issue is that most people have very small balances tied up with those things. So if Telecom or your local bus company went under, you're only out of pocket a few bucks, so nobody cares too much.
"The issue only becomes important, I think, where high values start to be used on these systems, and while it remains to be seen how high Mondex will go, my impression is that most of the promoters are going to start fairly small, with limits on cards and so on. The situation with Internet operations is less clear but I don't expect there'll be much in the way of high-value movements on those systems for a while, until people really learn to trust them. You're not going to buy a house on the Internet tomorrow."
Meanwhile Mondex International's head of security, John Beric, has outlined to Computerworld the company's security strategy, both in terms of forward planning and response to an attack on the system.
If Mondex's system of statistical sampling and analysis suggests anomalies in the system, the issuer can send out calls to "wind down" several parameters stored in the cards. For instance the level at which a cardholder (typically a merchant) is forced to "come online" could be cut from, say, $10,000 to $2500, meaning transaction logs are fresher and the issuer collects more of them. The maximum allowed level of a transcation between two cards can be similarly altered.
If ingress to the system is still not detected or prevented, says beric, Mondex can "flip a migration", meaning all cards are instructed on contact with an ATM or merchant terminal to switch over to a backup encryption system, with fresh keys, already stored on the cards themselves.
"If that doesn't do enough, ultimately the coup de grace is a cut-off," says Beric, meaning the system is frozen and upgraded wholesale to an entirely new chip. Options two and three would apply globally, and would no doubt cause problems of their own.
"So it's a finely balanced judgement as to how and when you do things. But we do have mechanisms to say, ultimately, we freeze the system and bring it up in a different incarnation. That's the meltdown."
Beric says Mondex is, in any case, committed to chip upgrades every two years or so, because "the best chips age. So I wouldn't use a chip that was designed six years ago today. So what you need in your strategy is a renewal strategy. So what you've got to be doing is looking ahead to the next design. So what we do is use labs all over the world, with the aim of finding out what are the weakest attack points today, then go to the suppliers and say 'fix this in the next generation'.
"But because I'm using the very best chips available, the best attack techniques don't get them. But I know the best attack techniques are moving forward, and it's it bit like, if you're a cliff, the sea's going to erode you. So if I use the same circuitry, it's going to get beat - of course it's going to get beaten."
Beric also suggests that the vendors of other e-cash systems which, unlike Mondex, claim to fully account transcations may not be able to live up to their claims.
"If you scratch beneath the surface you might find that they're not as diligent as they might be in collecting all transactions. We live in a very competitive world, and people are trying position themselves contra-Mondex. Many years ago I was involved in electronic purse standardisation in Europe. And in the first meeting all the designers said that their plan was to truncate data. So in this game there's convergence.
"Watch this space - I think a lot of people are setting themselves up to be different from Mondex and are saying, 'we fully account'. Okay, they might collect all the data. But where does it go, how is it truncated? We can argue that we're fully accounted, because in every transaction, the two people who are involved have a full audit trail of their account history. So it's all playing with words - and the final analysis is, is the system robust, will it work, is it economic?"
John Beric is interviewed at length in this week's @IDG Friday Fry-Up, at www.idg.co.nz