Computerworld News Wire
(New Zealand)
Monday, May 5, 1997

Security expert claims e-cash system fatally flawed

Mondex suppresses information about system vulnerability, says consultant

by Russell Brown

AUCKLAND -- A card security consultant hired by one of the New Zealand banks which have franchised the Mondex electronic cash system has broken ranks to claim that Mondex has "unfixable design errors" and that its UK parent company is suppressing important information about the vulnerability of its system.

Tom Trusty, research director of Interfraud, a card security firm which consults and holds seminars here and in Australia, says that "unless something is done about auditability and fraud detection [in Mondex], the system will be broken."

Trusty describes the UK-based Mondex's approach to security issues as "disgusting ... when any problem is raised with Mondex architecture, the UK PR firm Shandwick and Co. simply briefs the Mondex business managers in the banks on what to say. Of course, what Mondex should be doing is responding with some good, solid, substantiated facts, rather than putting out negative press about anyone who dares to speak the truth."

Trusty was hired last year, after the BNZ, ANZ, Westpac, ASB, and National banks agreed to franchise the Mondex system in June. He says the key problem with Mondex "is a complete absence of any fraud detection, other than a very crude comparison of how much money has been spent."

"While you have a dozen transactions a day, it's easy to say that an increase to, say, 20 transactions day might indicate unusual activity. But once you have hundreds of of thousands of transcations in the system, with no fraud detection, you're relying on statistical analysis beyond the wildest dreams of economists. Unless this is assessed, there will never be any way to determine if fraud is underway until it is too late.

"Because money is effectively created with each transaction through a Mondex wallet, it is possible to introduce value into the system. If transactions are not accounted, value being introduced into the system will not be picked up."

Trusty says he bases his claim on information he gathered himself, and that he was not invited to important Mondex security briefings. Bank staff who did attend were told they could not take notes or ask questions. He says he has since obtained results of two risk reports commissioned by Mondex. The existence of these reports has been confirmed by others, but their results have not been released.

"Mondex went to two different chip-testing labs, and they both assessed a very small amount of time and money [would be] required to break the current chips. On that basis, Mondex is saying this is an outright lie.

"The figure that I was given is that it would take one month and US$200,000 to break the chip. That doesn't sound like something you'd risk a whole economy on."

Questions about the viability of Mondex have also been raised by a Mondex competitor, the Belgian-based Banksys, whose Proton SVC system has been adopted by American Express. Banksys has released a report claiming to show that "the lack of an audit trail [in Mondex] will eventually lead to the crime of all time."

NatWest, one of the banks behind Mondex in the UK, said it would sue Banksys over the Belgian company's claims about faults in a Mondex protocol last year, but never filed any action.

Computerworld has also spoken to a civil servant who says some senior executives at the member banks are becoming concerned at the potential risks of Mondex. Because Mondex is an entirely offline system, fraud might not become apparent until the real-money "float" put into the system had been exhausted, but customers still had e-cash to be redeemed, putting value issuers at a huge risk.

Most problematic for Mondex have been two reports prepared in the past year by Cambridge University crypto specialist Ross Anderson: Tamper Resistance - A Cautionary Note, and Low-cost Attacks on Tamper-Resistant Devices, both which which list many potential attacks on specialist security processors and smartcards. In researching the first paper, Anderson and his assistant Markus Kuhn compromised the Dallas 502 security chip, using basic university lab equipment. Some observers claim the Dallas had been slated for use in the production version of the Mondex merchant terminals.

Although he and Kuhn, however, at no stage sought to break the Hitachi chip, Anderson concluded that "floating systems" such as Mondex were probably not viable given that they embodied all the conditions necessary for their encryption key material to be retrieved - including multiple instances of the device, unhindered access to it and huge financial incentive. If key information could be retrieved, value could be added to the card at will.

The National Banks's Mondex business manager Simon Dixie says that "I haven't seen a press statement that specifically refutes [Anderson's work], but I am aware of Mondex saying that they're not concerned and that as far as they're concerned the chip has not been cracked."

University of Auckland encryption expert Peter Gutman says he is not a banking systems specialist, but "knowing Ross's reputation and the fact that in the past few years he's demonstrated lots of security problems and holes and that he has a long history of research in this area, I would say his conclusions are pretty sound. And Markus Kuhn has probably done more work on breaking smartcards than anyone else in the world."

Ian Murgatroyd, who, as head of the Mondex Steering Committe, conducted the due diligence - including security assessment - before the franchise was bought, has since left Trust Bank and set up his own consultancy, Murgatroyd, Carr and Associates. He told Computerworld he was unable to comment, but says he has seen both the risk reports commissioned by Mondex and a rebuttal of Anderson's work issued by Mondex.

Computerworld was unable to reach Mondex New Zealand chairman Jeremy Deane for comment, despite repeated calls.

Copyright © 1997 by IDG Communications Ltd. All Rights Reserved. Reprinted with permission.